Such a noob on the firewall>>>



  • Every time I go and change something on pfSense, it takes a long time to figure it out.  Case in point, took me hours to get another interface to see the internet, basically duplicating the default LAN interface on a second port. 
    Typical single WAN setup, two subnets; x.x.1.0 and x.x.2.0  The equipment I have is a Watchguard XTM515 box running 2.2.2, a QNAP NAS, and a Powerconnect 2824 switch on each subnet.   
    Here is what I would like to do:
    -Any traffic on the x.x.1.0 interface CANNOT access anything (inbound or outbound) on the x.x.2.0 interface, or any other for that matter, EXCEPT for one NAS device, which lies on the x.x.1.0 segment, and must be seen by any system.  The NAS device can have all ports open though.
    -Any traffic on other internal interfaces MUST access the x.x.1.0 interface freely, inbound and outbound, without complaint.
    -The other port on the NAS is intended to directly face the Internet.  It has an internal web server for any needs as well as its own, HOWEVER, it needs to be able to access in some fashion the x.x.2.0 network.  The specific fashion is to possibly point a link at the RDP web page you can set up in Windows, to bring up RDP sessions through the web page.
    -VPN access through a machine on the x.x.2.0 network.  Basically punch through pfSense, and land at the separate VPN server.
    If anyone can educate me, please do so!  A lot of this stuff is greek to me, even though I've been going to school for it, so I'm trying to solidify my education of basic networking and firewall concepts.  Please hold the flames to a minimum.  I realize this has been asked on the forum in some form or another, but there lies the problem.  It seems to never be exactly my issue, and that's where I trip at.
    Thank you for your help, let me know if you need more info…
    Jason


  • Rebel Alliance Global Moderator

    "Any traffic on the x.x.1.0 interface CANNOT access anything (inbound or outbound) on the x.x.2.0 interface"

    Here is where I think your having a concept issue.. You look at the interfaces as INBOUND.. traffic leaving that network and going somewhere through pfsense..  Evaluate the rules top down as that traffic enters that interface, first rule to fire wins.  Gets to the end then its denied.

    If you don't want anything on lan to go to opt1 network, then just put a block before the allow on lan to block access to whatever your opt1 network is.

    if you don't want opt1 going to lan then do the same thing.  If you want want to allow specific exceptions then put them above the block.

    "Basically punch through pfSense, and land at the separate VPN server."

    For what freaking reason - pfsense should be your vpn server.  Vpn server is much easier to manage and use when its on the edge than inside your network..



  • The reason why I'm using something other than pfSense as the VPN provider is because it didn't work for me last time.  I was forced to open up the firewalls on my computer as well as pfSense and use PPTP just to get it to work.  IPSEC and any other secure reason got thrown out the window.  I'm operating on the assumption that since I use a Wintel machine to access a Linux VPN, there must be a confusion happening there.  I'm sure it's worked for other people, just not me.  If anyone is willing to step me through using pfSense as the VPN, go ahead.  OpenVPN did not work for me either.  I have changed settings on my handle to notify me of replies now, so I will reply a lot more quickly now.  Thanks!
    Jason


  • Rebel Alliance Global Moderator

    openvpn is no brainer to setup, just run through the wizard.  iF it takes  you more than 1 minute your doing something wrong.

    As to windows clients connecting to linux vpn server, nonissue…

    I would suggest you try openvpn, and then if issues troubleshoot them..  Common issues are not using the wizard and then using the wrong type of cert.  Not running client on windows as admin. Ports not open to pfsense wan because behind a nat..

    Trying to setup client on own, just use the openvpn export package to get your config for the device your connecting from or even the whole setup and config.