Inherited Network Madness
-
Hi everyone - first time poster. I've just inherited the administration of a crazy patched together network, running some pretty legacy components in an unnecessarily complex configuration. Things aren't working right, and the configuration could be fixed but it begs for an update.
I've pitched the owner on simplification with a pf sense box. He's intrigued, but reluctant to take a step into the world of open source. Budget is minimal (*see: basically zero). Let me explain the layout and my logic, and hopefully you guys will be able to make sense of it.
Right now, the system looks like this. Please don't ask why, I know it's crazy, it's not my fault.
<dsl modem="" -="" static="" ip="">–----<netgear fvs124g="" firewall="">-----<d-link dfl-200="">-----<ms 2004="" isa="">----- <lan, netgear="" switch="">The Netgear FVS is no longer necessary, it was a holdover from when the business had 2 DSL lines that they load balanced. It's a single line now.
The D-Link (which is where the network traffic seems to be getting garbled, looking at Wireshark) is no longer necessary, as it was purchased for DMZ functionality, a long abandoned attempt at hosting their own website. GoDaddy does it just fine these days.
ISA is from 2004. Enough said.
The Domain Controller and AD services etc are all hosted on other virtual machines, so wiping out the ISA box isn't much of an issue. My idea is to repurpose an old machine as a dedicated pfsense box, throw 2 NICs in it, give it the same IP address and policy rules as the ISA, and take everything else out of the loop.
<dsl>-----<pf sense="" box="">---- <lan>They host their own Exchange Server with OWA, a VPN is a possibility in the future, and the boss would like to hold on to his RDP functionality via a dyndns route.
Needless to say, any time work like port forwarding etc needs to be done, it has to be done in three places. And I'm not even sure what I've inherited was done correctly in the first place. "It used to work" according to the boss, but now the network exhibits strange inconsistent behavior.
Am I on the right track? Can someone give me a sense of direction? Feel free to tell me that I'm completely wrong.
I'm new to pf but I have a decent amount of Linux and networking experience.
Thanks in advance.</lan></pf></dsl></lan,></ms></d-link></netgear></dsl>
-
Needless to say, any time work like port forwarding etc needs to be done, it has to be done in three places.
In the old situation, I assume?
I have what you have, only a switch inbetween:
dumb modems (VDSL, Cable) -> pfSense WAN, WAN2 nics -> pfSense LAN nic -> Switches -> LAN, VLAN.
This simply works out of the box (provided solid hardware, especially the NIC (Intel = preferred)), and typically takes you 15-30 minutes to install and setup.
-
I think pfsense would do that easily (provided good enough hardware)
-
Triple nat? Oh dear, I'd buy you a beer if I could.
Yes, tear everything out, and replace it w/ a pfSense.
Make sure you document everything and fully understand all the firewall rules, port forwards etc.
I'd like to say that although convenient, exposing 3389 to the world although convenient is not considered best practice. Try to push for a VPN tech (OpenVPN or L2TP, NOT PPTP!) which will put them on the internal network, they can then RDP into their machines.
For an added layer of security, check out DuoSec as well for people RDP'ing into machines on your network. It's 2factor auth that's free for up to 10 users (basically it sends push notifications to your smartphone which you then approve/deny so even if the password is compromised it offers some additional security). With a bit of work DuoSec can be adapted for people dialling in via VPN as well – so when they hit 'connect', a SMS/Push Notification is sent to their device which must be approved before connection.