Re: [pfSense Support] Splitting a /24 into multiple subnets
On Mon, May 23, 2011 at 02:25:26PM -0700, Tim Dickson wrote:

> > Now I'm trying to segment the /24 into 4 subnets with the pfSense
> > interfaces being:
>
> It sounds easy enough - but maybe because I'm not understanding exactly what
> you want.
> But the simplest method I could come up with would be to set up your WAN to
> accept every
> IP your ISP routes to you, then do 1:1 to each internal network you need.

So you basically pick the largest subnet containing all your networks, and put
that on the WAN interface?

> Create each internal network on a separate interface (either physical or VLAN)
> Then set the RULES inbound on your WAN interface as needed.
> That allows you to do any routing you want between interfaces / WAN and gives
> you granular control of everything.

--
Eugen* Leitl <leitl> http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE

- To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense Support] Splitting a /24 into multiple subnets
On Mon, May 23, 2011 at 4:14 PM, Andreas Kaiser wrote:

>> That allows you to do any routing you want between interfaces / WAN and
>> gives you granular control of everything.
>
> *That* is exactly what I want ;-)

Have you turned off automatic outbound NAT and disabled or deleted all the
automatically created rules for every interface that has a part of the /24
public subnet?

db
Re: [pfSense Support] Splitting a /24 into multiple subnets
On 23.05.2011 at 23:25, Tim Dickson wrote:

>> Now I'm trying to segment the /24 into 4 subnets with the pfSense interfaces
>> being:
>
> It sounds easy enough

Maybe for you… ;-)

> - but maybe because I'm not understanding exactly what you want.
> But the simplest method I could come up with would be to set up your WAN to
> accept every IP your ISP routes to you, then do 1:1 to each internal network
> you need.

Does that mean configuring

1. a virtual IP of type "Proxy ARP" on the WAN interface for "IP Address(es)"
   of type "Network" with value "1.2.3.0/24" under "Firewall: Virtual IP
   Address: Edit"
2. one NAT 1:1 entry for each of the desired subnets under "Firewall: NAT: 1:1:
   Edit", i.e.
   - external: 1.2.3.1, internal 1.2.3.1/26, NAT reflection disable
   - external: 1.2.3.129, internal 1.2.3.129/26, NAT reflection disable

?

> Create each internal network on a separate interface (either physical or VLAN)

I did that already.

> Then set the RULES inbound on your WAN interface as needed.

Would I still be able to filter traffic originating from LAN/OPT1 on their
respective firewall ruleset?

> That allows you to do any routing you want between interfaces / WAN and gives
> you granular control of everything.

*That* is exactly what I want ;-)

Thanks a lot,
Andreas
RE: [pfSense Support] Splitting a /24 into multiple subnets
> Now I'm trying to segment the /24 into 4 subnets with the pfSense interfaces
> being:

It sounds easy enough - but maybe because I'm not understanding exactly what you
want. But the simplest method I could come up with would be to set up your WAN
to accept every IP your ISP routes to you, then do 1:1 to each internal network
you need.

Create each internal network on a separate interface (either physical or VLAN).
Then set the RULES inbound on your WAN interface as needed.

That allows you to do any routing you want between interfaces / WAN and gives
you granular control of everything.

-Tim
[pfSense Support] Splitting a /24 into multiple subnets
Hi all,

first: I'm not really a network guy, but thanks to pfSense I was able to do some
advanced (at least by my measures) stuff by myself - until now... So please be
patient with me.

A VMware host machine has 1 NIC and uses 1 public IP itself. A second public IP
(say 4.3.2.17/32) is used for the pfSense VM's WAN interface. The provider is
routing a /24 (say 1.2.3.0/24) on that second IP. If I configure pfSense's LAN
to 1.2.3.1/24 everything works as expected.

Now I'm trying to segment the /24 into 4 subnets with the pfSense interfaces
being:

- 1.2.3.1/26 LAN, connected to VMware vSwitch1, used as the VMs' primary IPs
- 1.2.3.129/25 OPT1, connected to VMware vSwitch2, to be used for SSL sites

The remaining segments shall be used later for various VPNs (1.2.3.64/27,
1.2.3.96/28, 1.2.3.112/28). Several Linux webserver VMs have 2 NICs each,
connected to vSwitch1 on eth0 and vSwitch2 on eth1.

I've successfully configured pfSense to:

- do everything related to 1.2.3.0/26 from the pfSense box itself as well as
  from any host on the internet
- be able to reach pfSense's 1.2.3.129/25 interface from the pfSense box itself
  and from the internet
- be able to reach the machines in the 1.2.3.128/25 from the pfSense box itself

I'm currently failing in reaching any of the VMs via their interfaces connected
to the 1.2.3.128/25. I've configured firewall rules to allow ICMP echo requests
as well as TCP ports 80 and 443 for destinations in that subnet on the WAN
interface. I can see that traffic is blocked when I disable these rules and is
passed if I leave them enabled. If I do an HTTP request, I see
CLOSED:SYN_SENT/SYN_SENT:CLOSED in pfSense's "Diagnostics: Show States". If I do
an HTTP request on an IP in the 1.2.3.0/26, everything is fine and I see
"FIN_WAIT_2:FIN_WAIT_2" in the states table.

Any pointers (especially RTFMs with URLs or page numbers from "the book") on
what I'm missing are greatly appreciated.

TIA,
Andreas
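The subnet plan in the post above (a routed /24 cut into /26, /27, /28, /28 and /25 segments, with interface addresses on .1 and .129) is worth sanity-checking before any virtual IPs or 1:1 NAT entries are created. The Python script below is an added example, not part of this thread or of pfSense; it uses the addresses from the post as constructed input and flags overlapping segments, gaps in the routed block, interface addresses that fall on a network or broadcast address, and a WAN address that sits inside the routed block.

```python
import ipaddress

# Constructed from the plan in the post: the provider routes 1.2.3.0/24 to the
# pfSense WAN address 4.3.2.17, and the /24 is to be cut into these segments.
ROUTED_BLOCK = "1.2.3.0/24"
WAN_ADDRESS = "4.3.2.17"
# name -> (subnet, pfSense interface address, or None for segments reserved for later)
PLAN = {
    "LAN":  ("1.2.3.0/26",   "1.2.3.1"),
    "OPT1": ("1.2.3.128/25", "1.2.3.129"),
    "VPN1": ("1.2.3.64/27",  None),
    "VPN2": ("1.2.3.96/28",  None),
    "VPN3": ("1.2.3.112/28", None),
}

def check_plan(routed, plan, wan):
    """Return a list of problems with the subnet plan; an empty list means it is sound."""
    routed = ipaddress.ip_network(routed)
    wan = ipaddress.ip_address(wan)
    problems, nets = [], []
    for name, (subnet, addr) in plan.items():
        net = ipaddress.ip_network(subnet)  # strict: raises if host bits are set
        if not net.subnet_of(routed):
            problems.append(f"{name}: {net} lies outside the routed block {routed}")
        if addr is not None:
            ip = ipaddress.ip_address(addr)
            # An interface address must be a usable host address inside its own subnet.
            if ip not in net or ip in (net.network_address, net.broadcast_address):
                problems.append(f"{name}: {ip} is not a usable host address in {net}")
        nets.append((name, net))
    # Two segments sharing addresses would make routing and 1:1 NAT ambiguous.
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    # With no overlaps and all pieces inside the block, the sizes must add up to cover it.
    covered = sum(net.num_addresses for _, net in nets)
    if not problems and covered != routed.num_addresses:
        problems.append(f"plan covers {covered} of {routed.num_addresses} addresses (gap left)")
    if wan in routed:
        problems.append(f"WAN address {wan} is inside the routed block; it must be separate")
    return problems

def usable_hosts(plan):
    """Map each segment name to the number of usable host addresses it offers."""
    return {name: ipaddress.ip_network(subnet).num_addresses - 2
            for name, (subnet, _) in plan.items()}

if __name__ == "__main__":
    for line in check_plan(ROUTED_BLOCK, PLAN, WAN_ADDRESS) or ["plan is consistent"]:
        print(line)
    print(usable_hosts(PLAN))
```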
Re: [pfSense Support] NAT Reflection Broken in recent builds
On 5/23/2011 4:41 AM, Dimitri Rodis wrote:

> nc: getaddrinfo: hostname nor servname provided, or not known

What does your /var/etc/inetd.conf file look like on the working system and the
broken system?

> So yesterday I went ahead and told the thing to just upgrade to the
> latest build hoping that the problem would be resolved (the latest build
> showed RC2—yay), but it was not fixed, so I have reverted to my previous
> CF card which has the following build in which reflection seems to work
> properly for me (except for reflection on 1:1 which has always been
> flaky for me, but the websites/SMTP servers work flawlessly)

I'm not sure I've ever had 1:1 reflection work for me, but I haven't tried it
often. It uses a much different method than the port forwards do.

> I can still potentially access anything on the newer build for
> debugging/troubleshooting purposes if someone needs it since I have a
> spare unit that I can boot the CF on..

The inetd.conf comparison would really help. It sounds like something is missing
from the nc lines on one of the files. Also, do you have any packages installed?

Jim
[pfSense Support] VIP bandwidth usage monitoring
Hi,

I am on pfSense 2.0-RC1 (i386). Is there a way to measure or graph the bandwidth
usage of the VIPs or the bandwidth of the Virtual Servers configured in Load
Balancer? I need this because I need to find out which website(s) are eating up
the most bandwidth.

ShiB.

while ( ! ( succeed = try() ) );
[pfSense Support] NAT Reflection Broken in recent builds
Just put a new FW in production a day and a half/two days ago (it was a few days
old from a fresh flash to CF.. pfSense-2.0-RC1-2g-i386-20110519-1115-nanobsd.img)
and I got the following message in a browser when folks were trying to hit sites
hosted internally using NAT reflection:

nc: getaddrinfo: hostname nor servname provided, or not known

So yesterday I went ahead and told the thing to just upgrade to the latest build
hoping that the problem would be resolved (the latest build showed RC2-yay), but
it was not fixed, so I have reverted to my previous CF card which has the
following build in which reflection seems to work properly for me (except for
reflection on 1:1 which has always been flaky for me, but the websites/SMTP
servers work flawlessly):

2.0-RC1 (i386) built on Mon Mar 14 17:33:11 EDT 2011

I can still potentially access anything on the newer build for
debugging/troubleshooting purposes if someone needs it since I have a spare unit
that I can boot the CF on..

Thanks,

Dimitri Rodis
Integrita Systems LLC
http://www.integritasystems.com