Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Richard Lussier

Thank you Chris !!
I will try this as soon as I can and give feedback !!
Regards
Richard
On 2014-12-08 16:38, Chris L wrote:

No, have a management VLAN that’s protected from user traffic but that the 
management interfaces listen on.  I don’t know if the TP-Link or other cheaper 
gear will support a management VLAN.

The VPN you use could have access to that VLAN as well.

It makes it so user traffic cannot “hit” the management ports.

For instance.

Create a VLAN tagged interface, say em0_vlan199
Create a VLAN tagged interface for the LAN side of your transparent proxy, say 
100.  You would then bridge WAN with em0_vlan100 instead of with em0.

Assign a management interface to em0_vlan199.  Give it an IP, DHCP, etc.

Connect your switches to pfSense with trunk ports with tagged VLANs 100 and 199.

Set the switches to management VLAN 199, create a vlan interface with an IP 
address in the right network.

Make sure your bridge has:

Block any source BRIDGE0 net dest MGMT net
Block any source BRIDGE0 net dest (all pfsense IP addresses) port webmgmt and 
ssh ports

etc...

On Dec 8, 2014, at 11:10 AM, Richard Lussier wrote:


Hi Chris,

Do you mean to redirect the vpn to the management vlan ?

Thank you

Richard

On 2014-12-08 13:12, Chris L wrote:

Management VLAN.

On Dec 8, 2014, at 9:08 AM, Richard Lussier wrote:



Hi,

We are providing Internet access to coop housing (50 units)
We have a transit access to the exchange via Fiber and a /26 public IPV4 
addresses.

I purchased a Netgate C2758 router to be able to do limiter and traffic shaping 
at rush hour.
I did set-up a transparent bridge and everything works fine so far.
This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600 
wireless router with static address.

I need to secure the management interface to the pfSense and to the switches.
I could make a rule to let access only to a fixed IP source, but I travel a lot 
and need flexibility.
The best for me would be on openvpn.
Is this possible without a lan ? , or ?

Thank you,

Richard


___
List mailing list

List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list

--
Richard Lussier
inter-node.com
scalable digital networks
copper – wireless – fiber optic
t. 514.316.1623
c. 514.574.5111


___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
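
The rule order Chris L describes in the message quoted above (block bridge-to-management traffic on the bridge before anything else is passed), checked with a small first-match evaluator. This is an added example, not part of the original thread; every network, address and port in it, the pass-any rule on the bridge and the OPENVPN pass rule are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

# All values below are constructed for this example.
BRIDGE_NET = ip_network("203.0.113.0/26")   # stand-in for the public /26 on the bridge
MGMT_NET = ip_network("10.199.0.0/24")      # management subnet on VLAN 199
VPN_NET = ip_network("10.8.0.0/24")         # OpenVPN tunnel network
FW_ADDRS = [ip_network("203.0.113.2/32"), ip_network("10.199.0.1/32")]  # firewall's own IPs
MGMT_PORTS = {22, 443}                      # assumed ssh and web management ports
ANY = [ip_network("0.0.0.0/0")]

# (interface, action, source nets, destination nets, destination ports; None = any)
RULES = [
    ("BRIDGE0", "block", [BRIDGE_NET], [MGMT_NET], None),
    ("BRIDGE0", "block", [BRIDGE_NET], FW_ADDRS, MGMT_PORTS),
    ("BRIDGE0", "pass", ANY, ANY, None),                     # assumed: normal user traffic
    ("OPENVPN", "pass", [VPN_NET], [MGMT_NET], MGMT_PORTS),  # assumed: admin access via VPN
]

def decide(rules, iface, src, dst, dport):
    """Return the action of the first matching rule on the inbound interface."""
    src, dst = ip_address(src), ip_address(dst)
    for r_if, action, srcs, dsts, ports in rules:
        if (r_if == iface and any(src in n for n in srcs)
                and any(dst in n for n in dsts)
                and (ports is None or dport in ports)):
            return action
    return "block"  # nothing matched: default deny

def audit(rules):
    """Evaluate the flows that matter for management isolation."""
    flows = {
        "user -> switch mgmt": ("BRIDGE0", "203.0.113.20", "10.199.0.11", 443),
        "user -> firewall webgui": ("BRIDGE0", "203.0.113.20", "203.0.113.2", 443),
        "user -> firewall ssh on mgmt IP": ("BRIDGE0", "203.0.113.20", "10.199.0.1", 22),
        "user -> internet": ("BRIDGE0", "203.0.113.20", "198.51.100.7", 443),
        "vpn admin -> switch mgmt": ("OPENVPN", "10.8.0.6", "10.199.0.11", 443),
        "vpn admin -> firewall ssh": ("OPENVPN", "10.8.0.6", "10.199.0.1", 22),
    }
    return {name: decide(rules, *flow) for name, flow in flows.items()}

# Same rules with the pass-any rule moved to the top: the blocks never match.
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3]]

if __name__ == "__main__":
    for name, action in audit(RULES).items():
        print(f"{action:5}  {name}")
    print("misordered:", audit(MISORDERED)["user -> firewall webgui"])
```
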

Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Aaron C. de Bruyn
I think what he means is to set up an isolated management VLAN, then
you VPN into your pfSense box and get access to the management VLAN.

-A

On Mon, Dec 8, 2014 at 11:10 AM, Richard Lussier wrote:
> Hi Chris,
>
> Do you mean to redirect the vpn to the management vlan ?
>
> Thank you
>
> Richard
>
> On 2014-12-08 13:12, Chris L wrote:
>
> Management VLAN.
>
> On Dec 8, 2014, at 9:08 AM, Richard Lussier wrote:
>
> Hi,
>
> We are providing Internet access to coop housing (50 units)
> We have a transit access to the exchange via Fiber and a /26 public IPV4
> addresses.
>
> I purchased a Netgate C2758 router to be able to do limiter and traffic
> shaping at rush hour.
> I did set-up a transparent bridge and everything works fine so far.
> This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600
> wireless router with static address.
>
> I need to secure the management interface to the pfSense and to the
> switches.
> I could make a rule to let access only to a fixed IP source, but I travel a
> lot and need flexibility.
> The best for me would be on openvpn.
> Is this possible without a lan ? , or ?
>
> Thank you,
>
> Richard
>
>

Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Richard Lussier

Hi Chris,

Do you mean to redirect the vpn to the management vlan ?

Thank you

Richard

On 2014-12-08 13:12, Chris L wrote:

Management VLAN.

On Dec 8, 2014, at 9:08 AM, Richard Lussier wrote:


Hi,

We are providing Internet access to coop housing (50 units)
We have a transit access to the exchange via Fiber and a /26 public IPV4 
addresses.

I purchased a Netgate C2758 router to be able to do limiter and traffic shaping 
at rush hour.
I did set-up a transparent bridge and everything works fine so far.
This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600 
wireless router with static address.

I need to secure the management interface to the pfSense and to the switches.
I could make a rule to let access only to a fixed IP source, but I travel a lot 
and need flexibility.
The best for me would be on openvpn.
Is this possible without a lan ? , or ?

Thank you,

Richard



Re: [pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Chris L
Management VLAN.

On Dec 8, 2014, at 9:08 AM, Richard Lussier wrote:

> Hi,
> 
> We are providing Internet access to coop housing (50 units)
> We have a transit access to the exchange via Fiber and a /26 public IPV4 
> addresses.
> 
> I purchased a Netgate C2758 router to be able to do limiter and traffic 
> shaping at rush hour.
> I did set-up a transparent bridge and everything works fine so far.
> This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600 
> wireless router with static address.
> 
> I need to secure the management interface to the pfSense and to the switches.
> I could make a rule to let access only to a fixed IP source, but I travel a 
> lot and need flexibility.
> The best for me would be on openvpn.
> Is this possible without a lan ? , or ?
> 
> Thank you,
> 
> Richard
> 
> 


[pfSense] secure management access on transparent bridge firewall

2014-12-08 Thread Richard Lussier

Hi,

We are providing Internet access to coop housing (50 units)
We have a transit access to the exchange via Fiber and a /26 public IPV4 
addresses.


I purchased a Netgate C2758 router to be able to do limiter and traffic 
shaping at rush hour.

I did set-up a transparent bridge and everything works fine so far.
This feeds two Cisco SF300 Switches, and each unit has a tp-link wdr3600 
wireless router with static address.


I need to secure the management interface to the pfSense and to the 
switches.
I could make a rule to let access only to a fixed IP source, but I 
travel a lot and need flexibility.

The best for me would be on openvpn.
Is this possible without a lan ? , or ?

Thank you,

Richard

