Netgate Discussion Forum

General Setup Questions

Problems Installing or Upgrading pfSense Software
21 Posts 3 Posters 8.2k Views
AudiAddict (Jul 2, 2008, 3:10 PM; edited 3:13 PM)

    @GruensFroeschli:

    There are 2 solutions to what you want:

    You create VIPs and 1:1 NAT each VIP to a server.
    Outbound traffic from the 1:1 NATed server will now appear as if from the VIP.
    The downside is you cannot use this VIP for something else.

    The second solution, and in my opinion the better one, is:
    You create normal NAT forwardings from the VIPs to your servers.
    After that enable advanced outbound NAT and you can specify which source should be NATed to what IP.
    This way you can define that servers x, y and z should appear from VIP a and all the rest from VIP b.

    I assume you didn't read my post before replying with this info :)

    To be safe, what I did now is the following :

    Create a virtual ip : 80.x.x.10   (WAN / Single address and Proxy Arp)

    Go to NAT and create an ordinary Port Forward from the external address (the virtual IP I created above) to the NAT/internal IP.

    This works perfectly for two clients which are in the lab with the 3389 port (remote desktop).

    Is the above procedure OK? Or would you advise using advanced NAT instead of auto? I assume advanced NAT requires a lot more maintenance?

    Or is it more of a security risk to have auto nat on?

GruensFroeschli (Jul 2, 2008, 3:17 PM)

      Yes, I just wrote while you posted.

      What you did works.
      But like this traffic originating FROM the server will still appear as if from your main WAN.

      Advanced outbound NAT is not more or less secure than autogenerated NAT.
      It just gives you the possibility to create your own rules.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

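The two options described in the quoted post, and the difference GruensFroeschli points out (a plain port forward leaves the server's own outbound traffic sourced from the main WAN address), written out as the pf translation rules that pfSense 1.2 generates underneath its NAT pages. This is an added illustration, not configuration taken from the thread or from the pfSense project; the interface name, the 80.0.0.10 VIP standing in for the poster's 80.x.x.10, and the internal hosts are hypothetical.

```pf
# Hypothetical names and addresses for illustration only.
ext_if  = "em0"               # WAN
lan_net = "192.168.1.0/24"
vip_a   = "80.0.0.10"         # Proxy ARP / CARP VIP on the WAN
rdp_srv = "192.168.1.20"      # lab host reached over Remote Desktop
mail    = "192.168.1.25"      # host that should source its own traffic from the VIP

# Translation rules (nat/rdr/binat) are first-match: put the specific
# rule before the general one or the general one silently wins.

# Option 1: 1:1 NAT. binat is bidirectional, so inbound to vip_a reaches
# $mail on every port AND outbound from $mail is sourced from vip_a.
# The VIP is then consumed by that single host, which is the downside
# the quoted post mentions.
# binat on $ext_if from $mail to any -> $vip_a

# Option 2 (the quoted post's preferred one): a port forward plus manual
# ("advanced") outbound NAT. The forward is a one-way rdr, so only
# tcp/3389 of the VIP reaches the lab host; the rest of the VIP stays free.
rdr on $ext_if proto tcp from any to $vip_a port 3389 -> $rdp_srv port 3389

# Outbound NAT. With auto NAT only the last line exists, so $mail would
# leave as the interface address. The explicit line makes it leave as the VIP.
nat on $ext_if from $mail    to any -> $vip_a
nat on $ext_if from $lan_net to any -> ($ext_if)
```

Two checks a practitioner wants here: `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -s nat` shows the loaded order so the specific `$mail` rule really precedes the subnet-wide one. Note that rdr only rewrites the destination; whether the forwarded RDP traffic is actually admitted is decided by the filter rules, so a forward from `any` should be paired with a pass rule that restricts the source addresses allowed to reach port 3389.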
Sh4 (Jul 2, 2008, 3:43 PM)

        NAT has nothing to do with your network security because the NATed routes are firewalled anyway; only your rules matter. (Could be a good catchphrase for pfSense.)

        pfSense 1.2
        24x [DELL PowerEdge 1950 III]
        -2x Quad Core Intel Xeon E5420 2.5GHz
        -8GB FB 667MHz Memory (4x2GB) Memory RAID 2x4GB
        -PERC 6/i RAID Controller
        -Intel® PRO 1000PT Dual Port PCIe x4

AudiAddict (Jul 2, 2008, 3:46 PM)

          @GruensFroeschli:

          Yes i just wrote while you posted.

          What you did works.
          But like this traffic originating FROM the server will still appear as if from your main WAN.

          Our current firewall solution does the same. I've not had any issues with that really, but certain software did have to connect to our gateway/firewall IP and not the specific server to communicate properly (our Zabbix server monitoring package, for example).

          Is it possible to have the server not appear to be communicating from its WAN but from its own IP? Just for several servers (like our mail?). I would assume it to be better to have our mail server communicate to the outside with its own IP and not the gateway IP.

          Would I have to turn on advanced NAT just for these two servers? Others don't really matter.

Sh4 (Jul 2, 2008, 6:13 PM)

            I'm just guessing here as I never needed this before, but I think you can achieve this by tweaking the outbound NAT and the corresponding rules. If not, then another interface is the lazy way.


AudiAddict (Jul 4, 2008, 9:16 AM)

              @AudiAddict:

              Also I'm missing the ability to set a LOCAL DNS server and an external DNS (I have them separate for security/maintenance reasons).

              general setup gives me the option to add two. The option below that is only for dhcp wan, I have a static wan..

              Anybody know if this is possible? Set a different external dns server for the WAN when a static ip is selected?
              See the above quote..

              Obviously now I have to start slowly closing and locking down the firewall as much as possible.

              What's the best method? Block all rule? and above that create the allow rules for specific ports and protocols only?

              Anybody have any suggestions on the above question?

GruensFroeschli (Jul 4, 2008, 9:22 AM)

                @AudiAddict:

                @AudiAddict:

                Also I'm missing the ability to set a LOCAL DNS server and an external DNS (I have them separate for security/maintenance reasons).

                general setup gives me the option to add two. The option below that is only for dhcp wan, I have a static wan..

                Anybody know if this is possible? Set a different external dns server for the WAN when a static ip is selected?
                See the above quote..

                I don't really understand what you mean by setting a different DNS server for the WAN when a static IP is selected.
                You mean you want to set the DNS server manually when you set a static IP on the WAN?

                The option on the general setup field is exactly that.
                Static DNS entries for a static WAN IP.

                The checkbox below only allows these static entries to be overridden IF your WAN is dynamic.

                Obviously now I have to start slowly closing and locking down the firewall as much as possible.

                What's the best method? Block all rule? and above that create the allow rules for specific ports and protocols only?

                Anybody have any suggestions on the above question?

                http://forum.pfsense.org/index.php/topic,7001.0.html
                Read the rules part


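The lockdown AudiAddict asks about (a block-all rule with specific allow rules above it) in the form pfSense 1.2 loads it into pf. pfSense's GUI rules are evaluated top-down, first match wins, which pf expresses with `quick`; a plain pf ruleset without `quick` is last-match, so the explicit `quick` matters when reading this side by side with the GUI. This is an added example, not configuration from the thread or the pfSense project, and every interface, address and host below is hypothetical.

```pf
# Hypothetical names and addresses for illustration only.
ext_if    = "em0"                # WAN
lan_if    = "em1"                # LAN
lan_net   = "192.168.1.0/24"
vip_a     = "80.0.0.10"          # VIP on the WAN
rdp_srv   = "192.168.1.20"       # lab host reached over Remote Desktop
mail      = "192.168.1.25"
admin_net = "203.0.113.0/24"     # the only network allowed to open RDP

set skip on lo0

# Translation (as on the NAT pages): forward tcp/3389 on the VIP, let
# $mail leave as the VIP and everything else as the WAN address.
rdr on $ext_if proto tcp from any to $vip_a port 3389 -> $rdp_srv port 3389
nat on $ext_if from $mail    to any -> $vip_a
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, with no "quick": every later pass rule that
# matches overrides it, which is the "block all at the bottom" model.
block log all

# WAN inbound: only what a port forward exposes, and only from where it
# should come. pf filters on the post-rdr destination, so the rule names
# the internal host, not the VIP. A pass "from any" here is what the
# "auto-add firewall rule" checkbox on the port forward would produce.
pass in quick on $ext_if proto tcp from $admin_net to $rdp_srv port 3389 keep state
pass in quick on $ext_if proto tcp from any        to $mail    port 25   keep state

# LAN outbound: named services only instead of the default "LAN to any".
pass in quick on $lan_if proto tcp from $lan_net to any port { 25 80 443 } keep state
pass in quick on $lan_if proto udp from $lan_net to any port 53           keep state

# Traffic the firewall itself originates (DNS forwarder lookups, NTP).
# States are floating by default, so forwarded flows already match their
# own state on the way out; this line is for the firewall's own sockets.
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any keep state
```

Load order is what makes this safe: translation before filtering, and within the filter section the `block log all` first so that anything not explicitly passed is dropped and logged. After loading, `pfctl -s rules` should show the block rule at the top and `pfctl -vvs rules` shows per-rule hit counters, which is the quickest way to confirm that a newly exposed service is matching its intended pass rule rather than an overly broad one.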
AudiAddict (Jul 4, 2008, 3:40 PM; edited 3:49 PM)

                  Our other firewall allows me to configure an internal DNS server for our domain/LAN and a DNS server for the WAN connection.

                  This way clients (internally) can resolve hostnames and websites through the local DNS server (Active Directory integrated) and all other traffic outside is resolved and set up by our external DNS server (not Active Directory integrated).

                  If I set the internal DNS server in those DNS boxes, it wouldn't be able to resolve websites anymore, would it? Or would it just use the root hints and settings from our internal server instead?

                  It would be better to have separate DNS servers for internal and external, but I'm not sure if this is possible with pfSense.

Sh4 (Jul 4, 2008, 6:13 PM)

                    Just set the DNS in your DHCP settings as usual, you never set the internal DNS on a gateway for your local clients but on the client themselves.


AudiAddict (Jul 4, 2008, 6:36 PM)

                      Good point. What do you suggest using: the internal DNS server or the WAN DNS server from the ISP (even though it's static)?

                      Obviously the DNS servers from the WAN don't allow me to edit stuff, so it would be better to use the internal DNS here, I suppose?

GruensFroeschli (Jul 5, 2008, 10:16 AM)

                        If you configure your clients to use pfSense as DNS, you can configure the DNS forwarder accordingly.
                        I assume you have a domain for your network.

                        On the DNS forwarder-config page is the part:

                        Below you can override an entire domain by specifying an authoritative dns server to be queried for that domain.

                        So you could set your internal DNS for your own domain.

