Setting up New Firewall



  • Hello Everyone,

    I am setting up a new firewall for our school. We are currently on Lightspeed's TTC, the last version of their firewall, and I am trying to make sure I get all the ports and IPs that need to be NAT'd as well as all the rules set up for traffic to move.

    There is one thing I am wondering about. In our TTC configuration we have a range that shows twice, once like the following.

    And at the top of the list it is as follows:

    Name       Internal Type   Internal Addressing       External Type   External Addressing

    SD60       Network         172.16.0.0 255.255.0.0    Network         96.5..  255.255.255.255

    and another that looks like this:

    General    Network         172.16.0.0 255.255.0.0    Host            96.5..  No Subnet

    Are these set to allow traffic to our internal network for general web traffic? Has anyone ever done a switchover from Lightspeed's TTC V8 to pfSense?

    I would love to get this up and going. I hope the information above does not get scrambled up. I think that is what those are for, but I'm not sure, and I want to be able to put it in and not worry about why no one is getting anywhere….

    Any thoughts or suggestions would be great. Hoping the book comes out soon to help with the setup as well.

    Thanks

    IdahoTech



  • These look like NAT entries and not necessarily firewall rules. It looks more like 1:1 NAT or manual outbound rules than anything.
    Perhaps these are in sections that you have not posted here.



  • OK I will have to check those out and compare them to what I have in the firewall already.

    Also, our range is all coming in on one wire from our provider; it goes from 62 to 90 as the last number in the IP range. The 62 is our web, email (once I get that set up back in Novell), HTTPS, etc. Then for all the other IPs from 63 to 90, how would those be entered into the system? Would those be NAT, Virtual IP, or under rules? Sorry for being such a noob, but I'm going from a premade firewall to a handmade firewall.

    Thanks



  • They would be Virtual IPs first, then NAT, and finally rules.
    Basically you have to set up the IP on the NIC to accept traffic from a switch.
    Then you have to tell the kernel where you want to send that data; because you cannot route directly, you must set up a NAT for it.
    This could be 1:1 NAT (one IP to one host) or port forward.
    If you use port forward, rules will automatically be created to pass traffic.
    If you use 1:1 NAT then you have to set up FW rules yourself.
    You might do well to get the book. It covers the basics well.
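    The three layers the reply above describes (virtual IP on the NIC, then the NAT entry, then the pass rule), written out as an added example in FreeBSD-style pf.conf, which is what pfSense generates behind its GUI. This is not from the thread or from pfSense itself; interfaces, the internal hosts and the 203.0.113.x public addresses are constructed placeholders. It also shows the outbound NAT for ordinary LAN browsing, which is the piece a port forward does not cover.

```pf
# Added example, not from the thread. Constructed placeholder addresses
# (RFC 5737 documentation range for the public side, RFC 1918 inside).
ext_if  = "em0"             # WAN NIC
int_if  = "em1"             # LAN NIC
lan_net = "172.16.0.0/16"   # the internal /16 from the TTC export
web_pub = "203.0.113.62"    # placeholder for the public .62 address
srv_pub = "203.0.113.63"    # placeholder for a second public address
web_int = "172.16.1.10"     # placeholder internal web server
srv_int = "172.16.1.11"     # placeholder internal SSL server

# 1) Virtual IP: each extra public address must exist on the WAN NIC
#    before pf can answer for it (pfSense: Firewall > Virtual IPs).
#    Outside pf.conf, per additional address:
#      ifconfig em0 alias 203.0.113.63/32

# --- translation rules: pf requires these before the filter rules ---

# 2a) Port forward (rdr): only 80/443 of .62 are sent to the web server.
rdr on $ext_if proto tcp from any to $web_pub port { 80, 443 } -> $web_int

# 2b) 1:1 NAT (binat): .63 maps to the SSL server in both directions,
#     so outbound connections from it also appear to come from .63.
binat on $ext_if from $srv_int to any -> $srv_pub

# 3) Outbound NAT for normal browsing: hide the LAN behind the WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- filter rules: last match wins, so the default block comes first ---
block in on $ext_if

# Pass rule for the port forward. pfSense writes this one for you when you
# create the port forward; the filter sees the already-translated address.
pass in on $ext_if proto tcp from any to $web_int port { 80, 443 } keep state

# Pass rule for the 1:1 NAT. binat passes nothing by itself, so list only
# the ports you actually intend to expose on that server.
pass in on $ext_if proto tcp from any to $srv_int port 443 keep state

# LAN clients going out: the LAN-side pass rule plus the nat line above
# is all that ordinary HTTP/HTTPS browsing from inside needs.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

    The difference to check after loading is that the rdr host answers only on 80 and 443 from outside, while the binat host is reachable on every port that has a pass rule and none that do not.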



  • Thanks for the info. Where do I get the book?? Is it the new book that is coming out, or the older book? I heard that with pfSense 2.1 the older book is not as clear on a lot of things in the newer pfSense.

    Thanks for the info makes more sense now. Haven't had my coffee yet, but it makes sense, I think I will let you know after a cup of coffee and something to eat.  :)

    The order of setting them up helps me out a lot. So Virtual IPs get put in, then the NAT, then the rules.

    We have other servers sitting on the inside of our network that need the 1 to 1 to make it look like they are on the outside because of SSL setup on them.



  • Where do I get the book?? Is it the new book that is coming out?

    The $99 pfSense Gold subscription includes the book in soft-copy and other benefits mentioned here: https://blog.pfsense.org/?p=718
    For a small install that does not need full paid support, it is a good way to get extra know-how and support the project.



  • Well I will take a look. I kinda got myself into this and should not expect the school to pay for me to have this. This could be my way of keeping myself useful.

    Anyway, I will look, and thanks for the info. Sounds like a good plan. I am setting up the firewall now. I have the virtual IPs in and now I am doing the port forwards, and yes, I did get the 1:1 for the firewall as well; almost forgot to mention that.

    In the port forwards there are ports 80 and 443. For each server, do I need to put a separate port forward for their web address and secure (HTTPS) address? Or does leaving the general two there with the NAT IP as LAN cover that, and I only set up the ports for other non-standard ports that are not normally used that our vendors seem to need open?

    I hope that makes sense :o…. Anyway, any thoughts?



  • Is it better to put the port forward for 80 and 443 per server or just use the basic that is there and have the NAT IP be the LAN?



  • You would need to put in a port forward rule for each server for port 80 and 443.



  • OK, good to know. That could have caused some issues then, leaving it the way it was. So for each outward-facing server I will have to set up an 80 and 443 for each one. Well, gonna get to it then…. hopefully I remember all of them. ;D



  • OK, so now comes the really dumb question of the week  ::)

    When my users are browsing the web for HTTP and HTTPS, those port forwards that I listed above are for our servers, but for basic browsing from inside to outside, where would that go???

    Again, coffee is not totally working this morning. We have been looking at other firewalls in case I cannot get this one up and going. I want to since it was my idea and would love for it to work. Again I am sorry for the basics of my question, but I learn better asking a few dumb ones as well. I always said ' There are no dumb questions, just dumb mistakes'….

    Thanks for the help so far on this....

    I am working on this sporadically since I have to do other things here like Help desk, server maint. etc. so I work on this when I can and when school ends I will have more time and can focus more on it....