Re: [pfSense] Design Best Practice Question

2015-03-06 Thread ED Fochler
Bridging will disable firewall and DHCP on modem, this should be expected.

If it works, then you’re using it just fine.  I have my DMZ hosts like that on 
a separate network on OPT1 with their own IP range and 1:1 nat rules.  It feels 
more segregated that way to me than the bridging firewall scenario.  That would 
be my inclination on firewall best practices and least privilege blah blah blah.

ED.

 
> On 2015, Mar 6, at 4:16 PM, Tim Hogan  wrote:
> 
> I am looking for some advice from the group about the best way to put pfSense 
> in my environment so that it can filter all traffic. The cable provider that 
> I use has given me a /29 of static IP address and one of those addresses is 
> assigned to the cable modem. When I asked about putting the modem into 
> bridging mode I found out that their idea of bridging is to disable the 
> firewall and DHCP service on the modem.  So this is what I have come up with 
> so far.
> 
> Cable Modem: 70.70.70.94
> pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
> pfSense LAN: 10.100.100.1/24
> pfSense OPT1: bridged to WAN interface, no IP address
> 
> The OPT1 interface is connected to a switch that has the other devices with 
> the remaining IP address in the 70.70.70.89/29 space and I have the firewall 
> rules for this space on the WAN interface. It seems to work but I am 
> wondering if I am using the bridging feature correctly. Any thoughts?
> 
> Thanks,
> Tim
> 
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Design Best Practice Question

2015-03-06 Thread WebDawg
On Fri, Mar 6, 2015 at 2:16 PM, Tim Hogan  wrote:

> I am looking for some advice from the group about the best way to put
> pfSense in my environment so that it can filter all traffic. The cable
> provider that I use has given me a /29 of static IP address and one of
> those addresses is assigned to the cable modem. When I asked about putting
> the modem into bridging mode I found out that their idea of bridging is to
> disable the firewall and DHCP service on the modem.  So this is what I have
> come up with so far.
>
> Cable Modem: 70.70.70.94
> pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
> pfSense LAN: 10.100.100.1/24
> pfSense OPT1: bridged to WAN interface, no IP address
>
> The OPT1 interface is connected to a switch that has the other devices
> with the remaining IP address in the 70.70.70.89/29 space and I have the
> firewall rules for this space on the WAN interface. It seems to work but I
> am wondering if I am using the bridging feature correctly. Any thoughts?
>
> Thanks,
> Tim
>
>
I do not understand the question.  Using the bridge feature correctly?

Re: [pfSense] NIC Offloading Setting Questions

2015-03-06 Thread Vick Khera
On Fri, Mar 6, 2015 at 4:02 PM, Jim Thompson  wrote:

> Second, none of these were offload-related.
>
> Third, the config file doesn't overwrite loader.conf.local.
>

I didn't say they were related; I just said it would be a nice thing if the
hardware specific settings were publicly stated on the product pages.

[pfSense] Design Best Practice Question

2015-03-06 Thread Tim Hogan
I am looking for some advice from the group about the best way to put 
pfSense in my environment so that it can filter all traffic. The cable 
provider that I use has given me a /29 of static IP address and one of 
those addresses is assigned to the cable modem. When I asked about 
putting the modem into bridging mode I found out that their idea of 
bridging is to disable the firewall and DHCP service on the modem.  So 
this is what I have come up with so far.


Cable Modem: 70.70.70.94
pfSense WAN: 70.70.70.93 (also my NAT address for the LAN)
pfSense LAN: 10.100.100.1/24
pfSense OPT1: bridged to WAN interface, no IP address

The OPT1 interface is connected to a switch that has the other devices 
with the remaining IP address in the 70.70.70.89/29 space and I have the 
firewall rules for this space on the WAN interface. It seems to work but 
I am wondering if I am using the bridging feature correctly. Any thoughts?


Thanks,
Tim

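The two designs discussed in this thread, written out as an added example (not from Tim's or ED's posts) in the FreeBSD pf rule syntax that pfSense 2.x generates (compare /tmp/rules.debug on a running box). The public addresses are the ones in the post; note that the /29 containing .89 through .94 is 70.70.70.88/29. The interface names, the private DMZ range 10.200.200.0/24, the host addresses and the services opened are assumptions for illustration.

```pf
# Added example: bridged public DMZ (Design A) next to a routed DMZ with
# 1:1 NAT (Design B). Interface names, the 10.200.200.0/24 range, the host
# addresses and the ports are assumed; 70.70.70.88/29 is the /29 from the post.

wan  = "em0"
lan  = "em1"
opt1 = "em2"                 # DMZ interface

# ---- Design A: OPT1 bridged to WAN, no IP on OPT1 (Tim's layout) ----
# DMZ hosts keep their public addresses and share one L2 segment with the
# modem and the firewall's WAN port. pfSense filters them only because bridge
# members are filtered (pfSense default: net.link.bridge.pfil_member=1,
# net.link.bridge.pfil_bridge=0), so the rules live on WAN, as in the post.
bridged_dmz = "{ 70.70.70.89, 70.70.70.90, 70.70.70.91, 70.70.70.92 }"

pass  in quick on $wan proto tcp from any to 70.70.70.90 port 443 keep state
block in quick on $wan from any to $bridged_dmz
# Caveat: traffic between the bridged hosts, or between them and the modem,
# stays on that shared segment and never crosses a filter.

# ---- Design B: routed DMZ on OPT1 with 1:1 NAT (ED's layout) ----
# Each DMZ host has a private address and exactly one public address mapped
# to it; the DMZ is a separate L3 network, L2-isolated from the WAN segment.
dmz_net  = "10.200.200.0/24"
dmz_web  = "10.200.200.10"   # public 70.70.70.90
dmz_mail = "10.200.200.11"   # public 70.70.70.91

binat on $wan from $dmz_web  to any -> 70.70.70.90
binat on $wan from $dmz_mail to any -> 70.70.70.91

# Inbound rules match the post-translation (private) destination, which is
# what WAN rules for 1:1 NAT targets must use in pfSense. Only the service
# each host actually offers is opened (least privilege).
pass in quick on $wan proto tcp from any to $dmz_web  port 443 keep state
pass in quick on $wan proto tcp from any to $dmz_mail port 25  keep state

# Outbound from the DMZ: a compromised DMZ host must not reach the LAN;
# everything else it needs leaves through its own 1:1 mapping.
block in quick on $opt1 from $dmz_net to 10.100.100.0/24
pass  in quick on $opt1 from $dmz_net to any keep state
```

In the pfSense GUI the binat lines correspond to Firewall > NAT > 1:1 entries and the pass rules to WAN rules whose destination is the host's internal address; a hand-written file like this can be syntax-checked with `pfctl -nf <file>` before anything is loaded.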


Re: [pfSense] NIC Offloading Setting Questions

2015-03-06 Thread Jim Thompson

> On Mar 6, 2015, at 4:00 AM, Vick Khera  wrote:
> 
> 
>> On Wed, Mar 4, 2015 at 5:08 PM, Jim Thompson  wrote:
>> > Ah, so I should have asked _before_ ordering the NICs?  $;-)
>> 
>> There are many of you, and few of us.
> 
> As a Netgate and pfSense customer, I think it would help *everyone* if you 
> just posted the "special" settings for the devices you sell. For example, the 
> NIC settings in loader.conf.local, and the options for things like the thermal 
> sensors and these NIC offloading settings. I know they come pre-configured 
> with such, but the first thing I do is upload my old config to replace the 
> old device, and now those settings are unknown to me. Having to look through 
> every page to find them before is just a time suck.

First, there were some special /boot/loader.conf.local settings in 2.1.x, but I 
believe the 2.2 factory load uses the same version of this file that the 
"community" build does. 

Second, none of these were offload-related. 

Third, the config file doesn't overwrite loader.conf.local. 

Jim

[pfSense] PF 2.15 Release (AMD64) Gateway Monitoring with OSPF

2015-03-06 Thread Wade Blackwell
Good morning all,
I currently have a PF VM being used as my core L3 device for a
small site. No static routes being used, just OSPF. I have two devices in
front of the core sending "default information originate" with varying
weights to prefer the faster connection, one for each carrier. I'd like to
be able to add a gateway monitor, on the core, without a kernel route being
installed as it renders the OSPF routes useless. It appears that even if
I uncheck "default" the kernel route still gets installed. Is this
possible? Thanks.

 -W

Wade Blackwell
Solutions Architect
(D) 805.457.8825
(C) 805.400.8485
(S) coc.wadeblackwell

Re: [pfSense] Running as a VM, multiple WAN subnets

2015-03-06 Thread Steve Yates
Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:

> Hopefully the provider can just route the additional subnet to your existing
> WAN IP.  Then you don’t need to do anything with CARP/HA except make sure
> primary and secondary are both set up to deal with the routed traffic.

I think sleep deprivation gets worse after 40, due to a 1-year-old in my 
case.  After I straightened out some things in my head, the above is what we're 
pursuing with the DC.  It will take a /29 block for the WAN (to get 3 IPs) plus 
a separate block for the "LAN" side.  I'm also looking at using one of the 
unused IPs from the /29 to provide NAT to a separate network on private IPs.

--
Thanks all,

Steve Yates
ITS, Inc.

