Basic Setup Help



  • Hello all,

    I did not know where to post this so I figured general might cover it.

    I have PFSense running as our district firewall and we can pass traffic and browse the web etc. The problem that seems to not go away is the servers we have on the inside that need to be accessible on the outside.

    I have NATs that I had to turn off because they did not allow the internal servers to browse the web.

    I have Rules that don't seem to do anything to help either. I had to create a rule for the LAN so we could get our email but it is a basic rule in itself.

    I guess I am wondering if there is a step by step basic, such as 1. Do this…2. Now this...

    PFSense is a great firewall and I want to get it working the best we can.

    I am more confused by some of the posts. I will say I am not an idiot, but I have been working on this for about 4 months and cannot get it to connect from the outside in to our SIS system and some of our other servers.

    School is starting up soon and I need to have the SIS system accessible from the outside for registration.

    I have read a lot about PFSense and really think it is the best out there for what it can do. The only thing that is haunting me is all the posts and reviews I have read that say it is very hard to set up and people had given up on it. Even in the school district in the next county over, the network admin worked on it and even paid for support and still could not get it to work correctly. However, in his defence, I know he likes to tweak things beyond or to the edge of what they can do, so take that with a grain of salt.

    I guess I am asking, since I am able to pass traffic out and such through our content filter and all, what do I need to pass traffic to the inside from specific IPs on the outside?

    Again, say a step by step procedure. Our SIS is Powerschool, so if anyone has that and knows what needs to be done please give me a clue. I sometimes think I am over thinking the firewall and putting too much in, and then again I think I have not put enough into it.

    So say I was starting from scratch and I can pass traffic from the inside and now need my servers to be able to receive certain traffic from the outside (some have IPs assigned to them, yes a NAT for that specific server). So our external IP of 96.5.. to our internal 172.16.100.175 https and http. And other ports, and again step by step: first get a Virtual IP, THEN add a NAT, THEN add a rule, something along those lines. Like I said I have a lot and may be over working the problem, then again maybe not enough.

    Am I making any sense or should I just lay my head on the chopping block for the Admins to have a field day?

    Anyway I thank anyone who can help me on this. I have been beating my head on this so long I think I even dream about how to fix it sometimes...

    Thanks again to all who reply...



  • Firewall - NAT - Port Forward

    Add a rule for each server that you need to get to from the outside.  Here is an example of a port forward for a web server:

    Interface: WAN
    Protocol: TCP
    Source: Any
    Source port range: Any
    Destination: Single host or alias
      Address: public (WAN) IP address of your server (eg a.b.c.d)
    Destination port range: From HTTP To HTTP
    Redirect target IP: private (LAN) IP address of your server ( eg e.f.g.h)
    Redirect target port: HTTP

    Save and done.

    This rule says that, if someone from any IP address/any port hits your WAN asking to talk on port 80 to the public server at IP address a.b.c.d, then redirect that traffic to the internal server at e.f.g.h port 80.

    If you have a bunch of public IP addresses to use, you can plug them in via Firewall - Virtual IPs.  Create aliases for your internal servers via Firewall - Aliases for ease of management and rule creation.



  • OK I will give it a go. I thank you for the straightforward info. I think reading too many posts and watching all these videos out there can be confusing to someone just starting out with PFSense. I will keep you posted on how it goes.

    Again thanks for the info and I will be back…



  • OK I put that in and did not get anything.

    Should I clear everything out and start from scratch? Is it possible that something other than what I have done could be stopping it from working?

    Should I have a Port forward, by going to Firewall --> NAT and do this under port forward, as well as go to Firewall --> Rules and have a rule in here for the WAN, LAN or both?

    I have not only Port Forwards, but also Rules for my LAN and WAN.

    Also, should I delete the 1:1 NATs I have, since when enabled they stop the servers from seeing the outside?

    Thanks for your help in this matter...


  • Netgate Administrator

    If you (and others) have been trying this for 4 months you probably have a whole load of config changes that could potentially be very unhelpful. I would recommend starting from a clean install. This shouldn't be hard to get working unless Powerschool has some very unusual requirements.

    Please give us a basic network diagram.
    Describe what you are trying to achieve with ports, IPs, etc.
    When you are testing things please describe how you are testing and what the actual result was, including any errors etc. 'It didn't work' is generally not helpful. ;)

    Steve



  • Well we have a range of IPs coming in from our Provider.

    They give us a Public IP Allocation, then a usable range, and then the default gateway.

    As these come in we have tried to keep all internet traffic going out on the first usable (according to them) IP ending in 162.

    We had a Lightspeed Firewall/Filter in place, and since they no longer have a firewall (for the last few years, that is) and they have moved to a Rocket appliance, we have been using that.

    As for the NATs we have coming in, there are external IPs we had NATed to internal IPs for our Powerschool Server on ports 8080 and 443. Then for some of our other servers we gave them an IP with the specific ports they asked for opened.

    One of them, let's say, is our library program. It is supposed to be listening on the external IP of 96...170 and should be attached to the internal IP of 172.16.100.128.

    I do not know how to do this without exposing our network to the outside. I have already started getting hits on the outside like someone is scanning the server.

    Yeah I will admit there is probably some harmful entries that could be harming our connections out and or in.

    Let me try this….

    Internally we have 5 servers that are mapped to the outside through IPs from our provider and ports that are requested open for each IP.

    Right now none of them are working, thankfully due to the high rate of hits I am getting on the firewall logs.

    Some of the ports being used for say our library program are 210, 80, and 443. This is coming from the address translation of our old Lightspeed firewall we still have running but only the management NIC is hooked up.

    Basically I want to block all coming in except what needs to come in to our network for these servers and certain services supplied to us from our provider (Distance Learning, etc.). Since they are not getting any outside access currently, that means the firewall is doing what it needs to, correct? Just all internal traffic going out is working.

    Does this help in what I am trying to achieve?

    Just a note, I have noticed on the PFSense Dashboard that under Version it is unable to check for updates, however I can see and download packages.

    Again I probably have a fubar'd config somewhat with all the tinkering. This server is in line and I do not want to lose what I have working so far (meaning everyone able to cruise the web, get email and the web content filter working).

    I will do what I can to clean it up. Is there something in the configs that I really don't need right off the top that you can think of that would hinder any performance of PFSense?

    So under Firewall I have Aliases --> one for my range from our provider, one for IMAP, one for the LAN card 172.0.0.0/8 and one I put in there for Powerschool https. Nothing under ports or URLs.

    Under NAT --> Port Forward I have gone through and set up the addresses just as was stated they should be in the reply sent by KOM.

    Under 1:1 I have the external IPs and the internal IP with the interface as WAN and the destination IP as nothing. If I enable these I cannot browse with the systems that have browsing capabilities, unless I disable them just as they are now.

    For Outbound, Manual NAT rule generation is checked and the Interface is WAN, source is 172.0.0.0/8, Source port and Destination are (), Destination port for some is 500, NAT address is WAN address, NAT port is (), Static port some say yes, others say no. And then a description for each mapping.

    NPt has nothing

    Under Firewall --> Rules I have my entries for the WAN. My Powerschool shows like this:

    ID= Blank :  Proto=IPv4 TCP : Source=* : Port=* : Destination =WAN address : Port 443 (HTTPS) : Gateway=*: Queue=None

    Should the Gateway be set to the gateway?

    Under LAN it reads:

    ID=Nothing : Proto=IPv4 TCP/UDP : Source=* : Port=* : Destination=* : Gateway=* : Queue=none

    This is the line once I put it in we were then able to browse from the inside out onto the web and get email, etc....

    I have other entries in here, and under port I have specified 53, 80, 21, 25, 110, 143, 3389, each in their own rows, but the rest of the row reads as above.

    Virtual IPs are still kinda foggy.

    I have a virtual IP address of the IP for our outside with a mask of 29, Interface WAN and type IP Alias.

    Well I hope this helps, or my coffee kicked in along with my ADHD all at the same time and it makes no sense unless in a caffeine-induced state as I am in right now.

    I will try to provide whatever is needed without giving away all our secrets :o) Please bear with me in figuring this out...thanks again...


  • Netgate Administrator

    Hmm, some screenshots might help here.
    I'm going to have to re-read that to get it straight but one thing jumps out immediately.

    @IdahoTech:

    Under Firewall --> Rules I have my entries for the WAN. My Powerschool shows like this

    ID= Blank :  Proto=IPv4 TCP : Source=* : Port=* : Destination =WAN address : Port 443 (HTTPS) : Gateway=*: Queue=None

    So you are using your main IP, the pfSense WAN address, as the external address of powerschool?
    This firewall rule is wrong. By the time incoming packets reach the WAN side firewall they will already have gone through the port-forwarder so their destination will now be the internal address of the powerschool server. The rule you have shown above would normally be automatically generated by the port-forward setup unless you uncheck the 'linked firewall rule' box. Is this using a 1:1 instead?

    Try changing the destination address of that rule.

    I would try to avoid using 1:1 NAT rules unless you need to have every port forwarded. Or at least make sure you've restricted the ports allowed in firewall rules.

    Steve
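A toy model of the inbound evaluation order that KOM's port forward and Steve's remark rely on (translation happens first, so the WAN rules see the internal address, and a 1:1 NAT without port-restricted rules exposes every port). This is an added example, not code from the thread or from pfSense itself; the 96.0.0.x addresses are constructed placeholders and only 172.16.100.175 comes from the thread.

```python
from dataclasses import dataclass, replace
# Constructed sample addresses (not the thread's real ones): the pfSense WAN
# address, a virtual IP used as Powerschool's public address, and the
# internal Powerschool address quoted in the thread.
WAN_ADDR = "96.0.0.162"
PS_PUBLIC = "96.0.0.175"
PS_INTERNAL = "172.16.100.175"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Forwards as (public dst, public port, internal dst, internal port).
# A port of None matches every port, which is how a 1:1 NAT entry behaves.
PORT_FORWARDS = [(PS_PUBLIC, 443, PS_INTERNAL, 443),
                 (PS_PUBLIC, 8080, PS_INTERNAL, 8080)]
ONE_TO_ONE = [(PS_PUBLIC, None, PS_INTERNAL, None)]

def apply_nat(pkt, forwards):
    """Stage 1, inbound translation: the first matching forward rewrites the
    destination; a packet with no forward is left untouched."""
    for pub, pport, internal, iport in forwards:
        if pkt.dst == pub and (pport is None or pkt.dport == pport):
            return replace(pkt, dst=internal,
                           dport=pkt.dport if pport is None else iport)
    return pkt

def filter_passes(pkt, rules):
    """Stage 2, WAN pass rules as (dst, dport) with None meaning any: they see
    the already-translated packet, and WAN is default-deny (no match = drop)."""
    return any((d is None or pkt.dst == d) and (p is None or pkt.dport == p)
               for d, p in rules)

def inbound_allowed(pkt, forwards, rules):
    """Full inbound path on WAN: translate first, then filter."""
    return filter_passes(apply_nat(pkt, forwards), rules)

if __name__ == "__main__":
    web = Packet("203.0.113.9", PS_PUBLIC, 443)
    rdp = Packet("203.0.113.9", PS_PUBLIC, 3389)
    # The rule from the thread (Destination = WAN address) never matches:
    # after translation the destination is PS_INTERNAL. Steve's fix matches.
    print(inbound_allowed(web, PORT_FORWARDS, [(WAN_ADDR, 443)]))    # False
    print(inbound_allowed(web, PORT_FORWARDS, [(PS_INTERNAL, 443)]))  # True
    # 1:1 NAT plus an any-port rule exposes every port; restrict the ports.
    print(inbound_allowed(rdp, ONE_TO_ONE, [(PS_INTERNAL, None)]))    # True
    print(inbound_allowed(rdp, ONE_TO_ONE, [(PS_INTERNAL, 443)]))     # False
```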



  • Well I will have to start from scratch. I will try to get some screenshots and post them to the forum here under this post.

    Unfortunately we were being attacked >:( yesterday and could barely function as a school district. We had to put our old firewall back up and run it.

    It was so bad after about 3 minutes of a reboot the internet and email would be spotty at best.

    I may start from scratch with it and build it from there. Any thoughts you could give on what I have given to you so far?

    I really do want to use this firewall, but if we cannot get it straightened out, I do not want to purchase a firewall but will have no choice.

    I will let you know once I get it up and running again.

    Thanks for the info so far and when rebuilding it I will use what you guys have posted so far.

    Jim



  • OK, as I rebuild the firewall, one question my colleagues and I argue over is a management card.

    I believe that there should be the WAN and the LAN but also a MGMT so as not to interfere with the workings of the firewall. Can I use one of the OPT devices for this?

    I believe by having the management be through our LAN connection as well it may have caused issues with passing traffic.


  • Netgate Administrator

    You can use any interface you like as admin access. If you think that the http/s webgui is interfering with your port forward, it shouldn't. The webgui listens on all interfaces so changing which one you use shouldn't make any difference. Are you seeing the pfSense webgui when you try to access your port forward? You can change the port the webgui uses. Did you try the change I suggested above?

    Steve