Netgate Discussion Forum

Setting up New Firewall

Firewalling
11 Posts 3 Posters 2.1k Views
Posted by IdahoTech

      Hello Everyone,

I am setting up a new firewall for our school. We are currently on Lightspeed's TTC, the last version of their firewall, and I am trying to make sure I get all the ports and IPs that need to be NAT'd as well as all the rules set up for traffic to move.

There is one thing I am wondering about. In our TTC configuration we have a range that shows twice, once like the following.

      And at the top of the list it is as follows:

Name     | Internal Type | Internal Addressing      | External Type | External Addressing
---------|---------------|--------------------------|---------------|-------------------------
SD60     | Network       | 172.16.0.0 255.255.0.0   | Network       | 96.5..  255.255.255.255

and another that looks like this:

Name     | Internal Type | Internal Addressing      | External Type | External Addressing
---------|---------------|--------------------------|---------------|-------------------------
General  | Network       | 172.16.0.0 255.255.0.0   | Host          | 96.5..  No Subnet

      Are these set to allow traffic to our internal network for general web traffic? Anyone ever do a switch over from TTC V8 from Lightspeed to PFSense?

I would love to get this up and going. I hope the information above does not get scrambled up. I think that is what those are for, but I am not sure, and I want to be able to put it in and not worry about why no one is getting anywhere....

      Any thoughts or suggestions would be great. Hoping the book comes out soon as to help in the setup as well.

      Thanks

      IdahoTech

Posted by podilarius

These look like NAT entries and not necessarily firewall rules. It looks more like 1:1 NAT or manual outbound rules than anything.
Perhaps these are in sections that you have not posted here.

Posted by IdahoTech

          OK I will have to check those out and compare them to what I have in the firewall already.

Also, our range all comes in on one wire from our provider; it goes from 62 to 90 as the last number in the IP range. The 62 is our Web, Email (once I get that set up back in Novell), HTTPS, etc. Then all the other IPs from 63 to 90, how would those be entered into the system? Would those be NAT, Virtual IP, or under rules? Sorry for being such a noob, but I am going from a premade firewall to a handmade firewall.

          Thanks

Posted by podilarius

They would be Virtual IPs first, then NAT, and finally rules.
Basically you have to set up the IP on the NIC to accept traffic from a switch.
Then, you have to tell the kernel where you want to send that data; because you cannot route directly, you must set up a NAT for it.
This could be 1:1 NAT (one IP to one host) or port forward.
If you use port forward, rules will automatically be created to pass traffic.
If you use 1:1 NAT then you have to set up FW rules yourself.
You might do well to get the book. It covers the basics well.

Posted by IdahoTech

Thanks for the info. Where do I get the book?? Is it the new book that is coming out, or the older book? I heard that with pfSense 2.1 the older book is not as clear on a lot of things in the newer pfSense.

Thanks for the info, it makes more sense now. Haven't had my coffee yet, but it makes sense, I think. I will let you know after a cup of coffee and something to eat.  :)

The order of setting them up helps me out a lot. So the Virtual IPs get put in, then the NAT, then the rules.

              We have other servers sitting on the inside of our network that need the 1 to 1 to make it look like they are on the outside because of SSL setup on them.

Posted by phil.davis

                Where do I get the book?? Is it the new book that is coming out?

                The $99 pfSense Gold subscription includes the book in soft-copy and other benefits mentioned here: https://blog.pfsense.org/?p=718
                For a small install that does not need full paid support, it is a good way to get extra know-how and support the project.

                As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

Posted by IdahoTech

                  Well I will take a look. I kinda got myself into this and should not expect the school to pay for me to have this. This could be my way of keeping myself useful.

Anyway, I will look, and thanks for the info. Sounds like a good plan. I am setting up the firewall now. I have the virtual IPs in and now I am doing the port forwards, and yes, I did get the 1:1 for the firewall as well; I almost forgot to mention that.

In the port forwards there are ports 80 and 443. For each server do I need to put a separate port forward for their web address and secure (HTTPS) address? Or does leaving the general two there with the NAT IP as LAN cover that, and I only set up the ports for other non-standard ports that are not normally used, which our vendors seem to need open?

I hope that makes sense :o.... Anyway, any thoughts?

Posted by IdahoTech

                    Is it better to put the port forward for 80 and 443 per server or just use the basic that is there and have the NAT IP be the LAN?

Posted by podilarius

                      You would need to put in a port forward rule for each server for port 80 and 443.

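The two answers from podilarius above describe a three-stage plan (Virtual IPs, then NAT as 1:1 or port forward, then rules) and the need for a separate 80/443 forward per server. The script below is an added example, not code from the thread or from pfSense: it builds that plan for a provider-assigned range like the .62 to .90 block in the thread and reports the clash that reusing one public address and port for two servers would create. The server list, the 198.51.100.x / 172.16.1.x addresses and the interface name em0 are constructed stand-ins (the real prefix is elided as "96.5.." in the thread), and the pf-style strings only illustrate what each GUI entry does; they are an assumption, not pfSense's own generated ruleset.

```python
"""Plan the three pfSense stages from the thread: Virtual IPs -> NAT -> rules,
and flag public-address/port collisions before anything is typed into the GUI.
Added example; addresses and interface names are constructed."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Server:
    name: str
    public_ip: str              # one address out of the provider-assigned range
    private_ip: str             # host on the 172.16.0.0/16 LAN
    ports: tuple = (80, 443)    # HTTP/HTTPS by default; vendors may need others
    one_to_one: bool = False    # True: 1:1 NAT (pf binat); False: per-port forward (pf rdr)


@dataclass
class Plan:
    vips: list = field(default_factory=list)      # stage 1: addresses the WAN NIC must answer for
    nat: list = field(default_factory=list)       # stage 2: translation entries
    rules: list = field(default_factory=list)     # stage 3: pass rules (needed only for 1:1 NAT)
    problems: list = field(default_factory=list)  # anything that should be fixed before deploying


def build_plan(servers, first_public, last_public, wan="em0"):
    """Return a Plan for the given servers. Assumption: the pf-like strings are
    illustrative only and do not claim to match pfSense's generated rules."""
    lo = int(ipaddress.ip_address(first_public))
    hi = int(ipaddress.ip_address(last_public))
    plan = Plan()
    owners = {}  # (public_ip, port or "*") -> name of the server already using it
    for s in servers:
        if not lo <= int(ipaddress.ip_address(s.public_ip)) <= hi:
            plan.problems.append(f"{s.name}: {s.public_ip} is outside {first_public}-{last_public}")
            continue
        # Stage 1: one Virtual IP per public address, however many servers share it
        if s.public_ip not in plan.vips:
            plan.vips.append(s.public_ip)
        if s.one_to_one:
            # A 1:1 mapping claims the whole address, so any forward on it is a clash
            used = sorted({n for (ip, _), n in owners.items() if ip == s.public_ip})
            if used:
                plan.problems.append(f"{s.name}: 1:1 on {s.public_ip} collides with {', '.join(used)}")
                continue
            owners[(s.public_ip, "*")] = s.name
            plan.nat.append(f"binat on {wan} from {s.private_ip} to any -> {s.public_ip}")
            # Stage 3: 1:1 NAT passes nothing by itself. Filtering runs after
            # translation, so the pass rule names the internal address.
            for p in s.ports:
                plan.rules.append(f"pass in on {wan} proto tcp from any to {s.private_ip} port {p}")
        else:
            for p in s.ports:
                clash = owners.get((s.public_ip, p)) or owners.get((s.public_ip, "*"))
                if clash:
                    plan.problems.append(f"{s.name}: {s.public_ip}:{p} already forwarded to {clash}")
                    continue
                owners[(s.public_ip, p)] = s.name
                # 'rdr pass' mirrors the forward auto-creating its own firewall rule
                plan.nat.append(
                    f"rdr pass on {wan} proto tcp from any to {s.public_ip} port {p} "
                    f"-> {s.private_ip} port {p}"
                )
    return plan


# Constructed sample: documentation addresses stand in for the thread's elided "96.5.." range
SAMPLE_SERVERS = [
    Server("web", "198.51.100.62", "172.16.1.10"),
    Server("mail", "198.51.100.63", "172.16.1.20", ports=(25, 443)),
    Server("sis", "198.51.100.64", "172.16.1.30", one_to_one=True),
    Server("dup", "198.51.100.62", "172.16.1.40"),   # reuses web's address on 80/443
    Server("stray", "203.0.113.5", "172.16.1.50"),   # not in the assigned range
]

if __name__ == "__main__":
    plan = build_plan(SAMPLE_SERVERS, "198.51.100.62", "198.51.100.90")
    for stage in ("vips", "nat", "rules", "problems"):
        print(f"== {stage}")
        for line in getattr(plan, stage):
            print("  ", line)
```

Run it as-is and the "problems" section lists the two 80/443 entries for "dup" that would have silently pointed at the wrong host, plus the address that is not in the assigned block; the other three sections are the Virtual IP, NAT and rule entries to create, in that order.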
Posted by IdahoTech

OK, good to know. That could have caused some issues then, leaving it the way it was. So for each outward-facing server I will have to set up an 80 and a 443 for each one. Well, gonna get to it then.... Hopefully I remember all of them. ;D

Posted by IdahoTech

                          Ok so now comes the really dumb question of the week  ::)

When my users are browsing the web over HTTP and HTTPS, those port forwards that I listed above are for our servers, but for basic browsing from inside to outside, where would that go???

                          Again, coffee is not totally working this morning. We have been looking at other firewalls in case I cannot get this one up and going. I want to since it was my idea and would love for it to work. Again I am sorry for the basics of my question, but I learn better asking a few dumb ones as well. I always said ' There are no dumb questions, just dumb mistakes'….

                          Thanks for the help so far on this....

                          I am working on this sporadically since I have to do other things here like Help desk, server maint. etc. so I work on this when I can and when school ends I will have more time and can focus more on it....

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.