Advanced Firewall Setup Assistance



  • I have gone through just about every forum post and how-to I can find and have been unable to get this pfSense 2.1.3 box configured. Maybe it can't be done? Maybe I am missing a simple step. Any assistance would be appreciated.

    SETUP/LAYOUT

    • We have a /29 (IP1) and a /27 (IP2) from our DC provider and the /27 is routed through the /29
    • Thus far we have used Virtual IPs and 1:1 NAT to get the servers online without issue
    • The pfSense WAN uses the /29 as its network information
    • All our servers are located in a variety of VLANs and are NAT'd to the /27 addresses
    • The servers are on a Citrix Xenserver and we have enabled Promiscuous Mode

    REQUIREMENT

    • We need to install a cPanel server and therefore need a publicly routed server (no NAT)
    • We will also have a number of additional public IPs added to this cPanel server

    WHAT WE HAVE DONE (THAT HASN'T WORKED)

    • I have bridged a "PUBLIC" interface to the "WAN" interface and assigned the cPanel an address on the /27.
    • Played around with setting the BRIDGE and PUBLIC interfaces to "NONE" and also with assigning them IP addresses (both in the /27 and the /29)

    ONE THING THAT DID WORK

    • On the bridged network I gave the cPanel an address on the /29 network and it worked. However, we only have one free IP on this subnet, so we can't use it permanently; it did prove, though, that the servers, switches, etc. are all communicating properly.

    WHAT WE NEED HELP WITH

    • Figuring out the right configuration to have a cPanel with /27 IP addresses publicly routed through the pfSense which has a /29 address.


  • @wikidd:

    I'm guessing this is something about tunneling that one subnet through the pfSense box. When you say routed, do you mean that you basically want the firewall out of the picture, so that your line doesn't get touched but instead just travels through? Well, I'm not an expert on this, but perhaps I can still help until someone else steps in.

    Right now I am thinking of the stunnel package.

    https://doc.pfsense.org/index.php/Stunnel_package

    There is also the zebedee package which in the description it says:

    Zebedee is a simple program to establish an encrypted, compressed "tunnel" for TCP/IP or UDP data transfer between two systems.
    This allows traffic such as telnet, ftp and X to be protected from snooping as well as potentially gaining performance over low-bandwidth networks from compression.

    Still looking. Can't find an answer unless I keep trying :)

    Another interesting thing I found is this, which I will copy and paste; it can be found under the advanced firewall rules.

    Static route filtering: Bypass firewall rules for traffic on the same interface
    This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.

    Not giving up, but I do need a break.



  • @Cmellons: Are you sure you are on the right thread?

    @wikidd: You bridged the interface, so pfSense doesn't know how to get to those addresses. You are essentially passing the /29 through; that's why it worked.
    If you want a /27 to be available to a single server, then you need to set up an interface with an IP inside that /27 on pfSense (or a private IP, which gets a bit more complex but is doable) and assign another address inside the /27 to the server. The server's default gateway should be the IP of the pfSense interface that is connected to the server.

    See this explanation: a host wants to connect to an address on the /27. It first asks who can get it there. The DC's router answers that it doesn't know, but an address inside the /29 does. The host proceeds to ask the /29 how to get to the /27.

    This is where you broke the setup with the bridge. Since the bridge essentially passes through traffic, the request went straight in one interface and straight out the other. That's why an address on the /29 worked. If you assigned an address in the /27 to the server at this point, it would still not work, since the routes for that net are not correct (neither incoming nor outgoing).

    You need to explicitly tell the /29 that the /27 can be found on interface X (assigning an IP inside the /27 on another interface does exactly that) and let pfSense handle the routing (by allowing stuff to/from the /27). The host that was asking for a /27 address now knows that the DC's router can't get it there, so it has to ask the /29, which in turn will ask the /27 gateway (do packet captures, you'll actually see the hosts asking "who has X tell Y" :p, funny stuff) if the requested IP is online. Cycle is complete, you have set up the system as you want, cPanel works, you get paid. Simple, isn't it? :D
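A concrete instance of the routed layout described in the reply above, as an added example that is not from the thread and not pfSense's own generated ruleset: a hand-written pf.conf for plain FreeBSD that expresses the same policy pfSense builds from its GUI. The interface names em0/em1/em2, the RFC 5737 documentation addresses standing in for the real /29 and /27, the admin-source table and the cPanel port list are all assumptions; substitute the provider's real prefixes.

```pf
# Added example, not from the thread or from pfSense. Routed (not bridged) public
# subnet behind a pf firewall whose upstream address sits in a separate /29.
# Addresses are RFC 5737 documentation ranges standing in for the real ones.

wan_if  = "em0"             # /29 from the DC: the pfSense WAN (assumed name)
pub_if  = "em1"             # new PUBLIC interface toward the cPanel host (assumed name)
lan_if  = "em2"             # existing VLAN trunk with the 1:1 NAT'd servers (unchanged)

wan_net = "203.0.113.0/29"  # the /29; pfSense WAN is 203.0.113.2, DC router 203.0.113.1
pub_net = "198.51.100.0/27" # the /27 the DC already routes to 203.0.113.2
pub_gw  = "198.51.100.1"    # address pf owns on $pub_if; the cPanel host's default gateway
cpanel  = "198.51.100.10"   # cPanel primary address; its extra /27 IPs are aliases on the host

# Assumed: the only networks allowed to reach WHM/SSH on the cPanel host.
table <cpanel_admin> { 203.0.113.0/29 }

set block-policy drop
set skip on lo0

# Drop packets whose source could not legitimately arrive on that interface:
# a 198.51.100.x source on WAN, or a non-/27 source coming from the cPanel VM.
# pfSense adds equivalent per-interface anti-spoof rules on its own.
antispoof log quick for { $wan_if $pub_if }

# No nat/binat rule mentions $pub_net: the /27 is routed, so it must NOT be
# translated. The existing binat (1:1) rules for the VLAN hosts would go here.

block log all

# The firewall's own traffic: reach the DC router, answer pings.
pass out quick on $wan_if from $wan_net to any
pass in  quick on $wan_if inet proto icmp to $wan_net icmp-type { echoreq unreach }

# Inbound to the routed /27: enters on WAN, is forwarded out $pub_if.
# Only what cPanel actually serves is exposed; the port list is an assumption.
pass in quick on $wan_if inet proto tcp from any to $pub_net \
    port { 25 53 80 110 143 443 465 587 993 995 }
pass in quick on $wan_if inet proto udp from any to $pub_net port 53
pass in quick on $wan_if inet proto tcp from <cpanel_admin> to $pub_net \
    port { 22 2083 2087 }
pass in quick on $wan_if inet proto icmp to $pub_net icmp-type { echoreq unreach }

# Outbound from the /27 (replies are covered by state; this is for new
# connections the cPanel host opens, e.g. mail delivery and updates). The source
# must be inside the /27: anything else on $pub_if is a misconfigured or
# compromised guest and is dropped by antispoof above.
pass in  quick on $pub_if from $pub_net to any

# Forwarded packets leaving the box. With pf's default floating states these
# are already matched by the states above; the rules make the intent explicit.
pass out quick on $pub_if from any to $pub_net
pass out quick on $wan_if from $pub_net to any
```

Mapped onto the pfSense 2.1 GUI this is: assign em1 as a normal interface (not a bridge member) with static IPv4 198.51.100.1/27 and no gateway; give the cPanel host 198.51.100.10/27 with default gateway 198.51.100.1; add firewall rules on PUBLIC (source "PUBLIC net") and on WAN (destination 198.51.100.0/27, the cPanel ports). No static route is needed, since the /27 becomes a directly connected network. The one trap is Outbound NAT: in automatic mode pfSense adds a translation rule for every internal interface subnet, which would rewrite the cPanel host's outbound traffic to the WAN address, so switch to manual mode and make sure no mapping covers 198.51.100.0/27 (or put an explicit no-NAT entry for it first). Promiscuous mode on the XenServer vSwitch was only needed for the bridge; a routed interface answers ARP with its own MAC. Verify with `netstat -rn` (198.51.100.0/27 should show as a link route on em1), `pfctl -nf /etc/pf.conf` for a syntax check on plain FreeBSD, and `tcpdump -ni em1 arp` (Diagnostics > Packet Capture in pfSense), which shows the "who has 198.51.100.10 tell 198.51.100.1" exchange the reply mentions once the DC router forwards the first packet to 203.0.113.2.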