PFSense & DMZ
-
Hi PFSense'ers!
I am new to PFSense and was looking for some assistance in setting up the DMZ part, so my email and VPN services can be seen from the internet. My ISP provisions me with one IP, and my network/pfsense setup is like below:
IMG Removed
My firewall rules for each zone are as follows:
WAN
IMG Removed
LAN
IMG Removed
DMZ
IMG Removed
WL
IMG Removed
Any assistance on getting this going would be great!! Thanks!
-
Why a /8 on W/L? I'd use something random like 172.29.240.0/24
Why a /16 on DMZ? I'd use something random like 172.29.241.0/24
Why a /32 on LAN? That's a nonsensical netmask. Something like 172.29.242.0/24?
Note that you can then refer to the entire site using 172.29.240.0/22
Your rules look like a reasonable place to start. Also block access to This Firewall on your restricted networks.
Add some port forwards to Email and VPN and probably set a gateway to your VPN server and a static route to your tunnel and client IP addresses.
-
Why a /8 on W/L? I'd use something random like 172.29.240.0/24
Why a /16 on DMZ? I'd use something random like 172.29.241.0/24
Why a /32 on LAN? That's a nonsensical netmask. Something like 172.29.242.0/24?
I wanted the WLAN, DMZ and LAN to have separate networks so I could identify the traffic easier. The WL has a /24, the DMZ has a /24 and the LAN has a /24.
block access to This Firewall on your restricted networks.
Thanks, that's been done.
Add some port forwards to Email and VPN
thanks, done.
set a gateway to your VPN server and a static route to your tunnel and client IP addresses.
How?
-
Why a /8 on W/L? I'd use something random like 172.29.240.0/24
Why a /16 on DMZ? I'd use something random like 172.29.241.0/24
Why a /32 on LAN? That's a nonsensical netmask. Something like 172.29.242.0/24?
I wanted the WLAN, DMZ and LAN to have separate networks so I could identify the traffic easier. The WL has a /24, the DMZ has a /16 and the LAN has a /24.
Uuuuuuuuuh… Networking 101 desperately needed?! :o
-
Uuuuuuuuuh… Networking 101 desperately needed?! :o
Thanks for the help! The original diagram I screwed up with typos… 'twas late!
-
On pfSense, in System > Routing > Gateways tab you create a gateway, give it a name (VPN_SERVER) and the IP address 172.16.0.8. Then on the Routes tab you create routes for all the networks pfSense doesn't know about (tunnel networks, client networks, remote networks) with that gateway set.
Why a /16 on DMZ? You going to have more than 252 IP addresses on it?
The bigger (and more common) your private subnets the more likely you will have collisions when you try to VPN.
Your LAN is 192.168.1.0/24. You're at a coffee shop trying to VPN in. Their LAN is also 192.168.1.0/24. Your network is now broken through nobody's fault but your own.
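The two addressing points made in this thread (that three adjacent /24s can be referred to as one 172.29.240.0/22, and that wider or more common private prefixes collide more often with whatever LAN a roaming VPN client sits on) can be checked mechanically before you commit to a plan. The following is an added example written for this page, not code from the thread or from pfSense; the list of "common remote LANs" and the /16 DMZ used to show the collision are constructed for illustration.

```python
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    """Parse a CIDR string; strict=True rejects host bits set inside the prefix."""
    return ipaddress.ip_network(cidr, strict=True)


# Site addressing as suggested in the thread: three /24s out of 172.29.240.0/22.
SITE_SUBNETS: Dict[str, IPv4Net] = {
    "WL":  net("172.29.240.0/24"),
    "DMZ": net("172.29.241.0/24"),
    "LAN": net("172.29.242.0/24"),
}

# Constructed sample of LANs a roaming client might sit behind (home routers,
# hotspots, phone tethering). Assumed for this example, not taken from the thread.
COMMON_REMOTE_LANS: List[IPv4Net] = [net(c) for c in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24",
    "172.16.0.0/24", "172.20.10.0/28",
)]


def smallest_supernet(nets: Iterable[IPv4Net]) -> IPv4Net:
    """Smallest single prefix that contains every network given.

    Widens the first network one bit at a time until all the others fit, so
    the result can be used as the single 'site' network in a rule or VPN config.
    """
    nets = list(nets)
    if not nets:
        raise ValueError("no networks given")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break  # 0.0.0.0/0 contains everything
        candidate = candidate.supernet(new_prefix=candidate.prefixlen - 1)
    return candidate


def vpn_collisions(site: Dict[str, IPv4Net], remote_lan: IPv4Net) -> List[str]:
    """Names of site subnets that overlap the LAN the VPN client is on.

    Any hit means the client ends up with two routes for the same addresses
    (its local LAN and the tunnel), so traffic to that site subnet is ambiguous.
    """
    return sorted(name for name, n in site.items() if n.overlaps(remote_lan))


def audit(site: Dict[str, IPv4Net], remote_lans: Iterable[IPv4Net]) -> Dict[str, List[str]]:
    """Map each remote LAN that collides with the site to the site subnets it hits."""
    report: Dict[str, List[str]] = {}
    for remote in remote_lans:
        hits = vpn_collisions(site, remote)
        if hits:
            report[str(remote)] = hits
    return report


def non_rfc1918(site: Dict[str, IPv4Net]) -> List[str]:
    """Site subnets that are not private space (they would clash with public routes)."""
    return sorted(name for name, n in site.items() if not n.is_private)


if __name__ == "__main__":
    print("site supernet:", smallest_supernet(SITE_SUBNETS.values()))
    print("collisions, suggested /24s:", audit(SITE_SUBNETS, COMMON_REMOTE_LANS))

    # The thread's coffee-shop case: LAN is 192.168.1.0/24 at both ends.
    typical = {"LAN": net("192.168.1.0/24")}
    print("collisions, 192.168.1.0/24 LAN:", audit(typical, COMMON_REMOTE_LANS))

    # A DMZ widened to a /16 (constructed) now swallows 172.16.0.0/24 as well.
    wide = dict(SITE_SUBNETS, DMZ=net("172.16.0.0/16"))
    print("collisions, /16 DMZ:", audit(wide, COMMON_REMOTE_LANS))
```

Run it once with your real subnets in SITE_SUBNETS and whatever remote networks you actually roam to; an empty audit for the suggested /24s and a non-empty one for the /16 is the whole point of the "random, small prefixes" advice above.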
-
On pfSense, in System > Routing > Gateways tab you create a gateway, give it a name (VPN_SERVER) and the IP address 172.16.0.8. Then on the Routes tab you create routes for all the networks pfSense doesn't know about (tunnel networks, client networks, remote networks) with that gateway set.
Cheers buddy, I'll give that a shot.
The bigger (and more common) your private subnets the more likely you will have collisions when you try to VPN. Your LAN is 192.168.1.0/24. You're at a coffee shop trying to VPN in. Their LAN is also 192.168.1.0/24. Your network is now broken through nobody's fault but your own.
Good point… But I will never VPN in from a network using the same private subnets. My phone carrier uses a different range, as does my work, as does my wife's work, which are the majority of where I would need to access it and is subsequently why I chose to use the private ranges I did. Yes, it is a valid point, I accept that and can see the difficulty if it happened. Cheers
-
Oh well. I tried.
-
Oh well. I tried.
And I appreciate you doing so… Genuine advice vs asshattery is hard to find nowadays!
-
Sometimes the real trick is getting people to take the good advice you are giving them.
-
Derelict, where are you seeing these /8, /16 and /32 masks? I don't see that anywhere in the OP pics or comments.
What jumped out at me was his deny rules on WL saying it can not go to DMZ and LAN, but the source is WAN net?
And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject. And those rules are all pointless, putting a source of WAN net on the WL interface.
-
Derelict, where are you seeing these /8, /16 and /32 masks? I don't see that anywhere in the OP pics or comments.
What jumped out at me was his deny rules on WL saying it can not go to DMZ and LAN, but the source is WAN net?
And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject. And those rules are all pointless, putting a source of WAN net on the WL interface.
It was in the original image which has now been updated. I'm sure there are plenty of things to change. I deal with these starting at the bottom. Until people understand this https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting it's all pretty pointless.
-
Derelict, where are you seeing these /8, /16 and /32 masks? I don't see that anywhere in the OP pics or comments.
I updated them when I realized I made the typo.
What jumped out at me was his deny rules on WL saying it can not go to DMZ and LAN, but the source is WAN net?
Yep, I saw that too and fixed that myself. facepalm
And not actually seeing the icon for the rule, just his comments, so who knows if they are allow or block or reject. And those rules are all pointless, putting a source of WAN net on the WL interface.
Agreed..
But in the end it's working how I need it, so all is well in the world!