Re: [pfSense Support] Manual Outbound NAT Question
Re: Can you open a bug ticket at http://cvstrac.pfsense.org with specific steps on replicating the problem? --- Yes, I've been working towards producing an MFE (minimal faulty example). Think I have it, (hopefully) just need a final "QA" pass. If that's it, then it looks like it's related to having the TinyDNS package installed. __ Previous message from Chris Buechler on 2008-07-27 at 5:55 PM -0400 -- |On Sat, Jul 26, 2008 at 5:00 AM, Bryan Derman <[EMAIL PROTECTED]> wrote: |> ... |> |> Also, note that even with the reduced/auto-NAT configuration, the issues |> I described in my posting "Loss of webConfigurator access when disabling |> WANs"/2008-07-24 are still present and can be reliably replicated (at |> least with my 2 systems). |> | |Can you open a bug ticket at http://cvstrac.pfsense.org with specific |steps on replicating the problem? -- --- Bryan DermanDerman Enterprises Incorporated http://www.derman.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Manual Outbound NAT Question
Re: There is nothing in your config that requires AON, ... --- You're correct. It was "historical*" and I've now reduced/fixed/tested/deployed the config: Now: http://www.derman.com/Misc/router/pfSenseReduced.html Previously: http://www.derman.com/Misc/router/pfSense.html However, if one _was_ using AON, are the NAT rules applied in the top-to-bottom order they are listed via Firewall -> NAT -> Outbound? Also, note that even with the reduced/auto-NAT configuration, the issues I described in my posting "Loss of webConfigurator access when disabling WANs"/2008-07-24 are still present and can be reliably replicated (at least with my 2 systems). --- *historical: meaning that, at some point, I thought it was necessary for some configuration I have or had -- likely through some lack of understanding on my part __ Previous message from Chris Buechler on 2008-07-24 at 11:28 AM -0400 -- |On Thu, Jul 24, 2008 at 5:27 AM, B Derman <[EMAIL PROTECTED]> wrote: |> QUESTION: |> I've always assumed that Manual Outbound NAT rules are applied in the |> top-to-bottom order they are listed via Firewall -> NAT -> Outbound but, |> given some of the strange routing behaviors I get when I turn off some of |> the WANs, I'm wondering whether that's a valid assumption ... is it/are |> they? | |Why are you using AON? There is nothing in your config that requires |AON, so no need to add complexity by forcing its configuration. -- --- Bryan DermanDerman Enterprises Incorporated http://www.derman.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Two IPs on Lan interface
I've add another IP to the LAN interface by creating an alias on the LAN interface. Via the shell (either use Diagnostics -> Command or login via SSH) issue the applicable ifconfig command: e.g., to create an IP alias of 172.16.1.1 for the LAN where the LAN is on the interface xy0: ifconfig xy0 alias 172.16.1.1/24 e.g., to remove an IP alias of 172.16.1.1 from the LAN where the LAN is on the interface xy0: ifconfig xy0 remove 172.16.1.1 Such a setting will disappear upon reboot, but if you create a script and place it in the directory /usr/local/etc/rc.d it'll get executed at the end of the startup: e.g., create a shell script named /usr/local/etc/rc.d/addLANalias.sh that contains --- #!/bin/sh if test "$1" = "start" then /bin/echo -n 'Adding LAN alias to sk0 ... ' /sbin/ifconfig sk0 alias 172.16.1.1/24 echo 'done' fi --- then issue the commands: /bin/chmod 755 /usr/local/etc/rc.d/addLANalias.sh /usr/sbin/chown root:wheel /usr/local/etc/rc.d/addLANalias.sh /etc/rc.d/* files get executed by /etc/rc via /etc/rc.start_packages at bootup. Hope that helps. FYI, on Thu, 7 Feb 2008 04:36:40 -0800 I wrote to this list and asked --- After searching ..., I've not found anything about the best/correct strategy to use to support multiple LAN subnets on a single LAN port. The Questions = - is using address aliases the correct/optimal/best way to create the WAN aliases? - if using address aliases is *not* the best way, what is? ... --- It appeared that my "WAN" instead of "LAN" typo in the "Questions" section was understood. On Thu, 07 Feb 2008 13:36:28 -0500 Chris Buechler posted the response --- I have a document that describes in detail the steps required to accomplish this, though not accessible right now. You're partially right, partially wrong. I'll put it online somewhere later. --- I never received nor found that document but I've used the alias strategy ever since and not encountered any issues other than the fact that the Status -> Interfaces web page will report the interface alias instead of the one originally configured. I only mention this because there may be a better way to do this (my level of expertise in this area is only enough to make me _real_ dangerous). Specifically, I don't mean to be critical of Chris as I know how easy it is to miss an email, etc. and the web site (and documentation stuff) was also in much transition at that point in time. There's ample evidence of Chris' excellent responses, including to other questions of mine, and I very much appreciate an respect his key involvement and the results. In fact, there's an all-too-small percentage of commercial software products, let alone open-source projects, that have the overall quality that I've seen with pfSense, its support and even it's overall focus and "business." __ Previous message from Matias Surdi on 2008-06-16 at 12:35 PM +0200 -- |Is it possible to add another IP to the LAN interface? | |How must it be done? | |Thanks. -- --- Bryan DermanDerman Enterprises Incorporated http://www.derman.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] Can't Sync TinyDNS over IPsec VPN
We have a pfSense 1.2 setup at 2 offices that maintain an IPsec VPN connection. The systems at each each can ping/access systems at the other end. In addition, systems at each end can ping/ssh-into/web-connnect-to the pfSense systems at both ends. However, while ssh'd into either pfSense system, the other pfSense system can't be ping'd/etc. I'm assuming this is the same reason that TinyDNS can't sync from one of the pFSense systems to the other. Both sides have rules to allow all LAN-based traffic via IPsec tunnel and it works for all LAN-connected systems but not the pfSense system, itself. I've tried everything I can think of but can't seem to get any kind of rule/route specified that'll enable the pfSense system, itself, to communicate to the pfSense system at the other end of its IPsec tunnel. Is there some way to route the pfSense router's LAN interface to the remotely VPN'd pfSense router's LAN interface (i.e., via it's own IPsec tunnel)? -- --- Bryan DermanDerman Enterprises Incorporated http://www.derman.com/ - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] TinyDNS package not installing on 1.2 release
/tmp (2008-03-12 @ 18:02:23) admin # cat pkg_mgr_dns-server.log --- Beginning package installation. Downloading package configuration file... ucspi-tcp-0.88_1 Array ( [0] => Requested space: 988 bytes, free space: 22818713600 bytes in /var/tmp/instmp.xjcbDL [1] => tar: Unrecognized archive format: Inappropriate file type or format [2] => pkg_add: tar extract of /tmp/apkg_ucspi-tcp-0.88_1.tbz failed! [3] => pkg_add: unable to extract table of contents file from '/tmp/apkg_ucspi-tcp-0.88_1.tbz' - not a package? [4] => pkg_add: 1 package addition(s) failed ) Package WAS NOT installed properly. --- __ Previous message from Scott Ullrich on 2008-03-12 at 8:07 PM -0400 ------ |On 3/12/08, Bryan Derman wrote: |> On a functioning pfSense 1.2 release, attempting to install the Tiny DNS |> package via the web-based interface yields: |> --- |> Installing dns-server and its dependencies. |> --- |> Downloading package configuration file... done. |> Saving updated package information... done. |> Downloading dns-server and its dependencies... done. |> Checking for successful package installation... failed! |> |> Installation aborted. |> --- |> |> Looks like the following file was downloaded, but that's all: |> /usr/local/pkg/tinydns.xml |> |> On a quick search, I didn't find that it is a reported bug. |> |> Is there something else that I need to know/do/have/sacrifice to some |> deity/etc.? | |Please send the package installation log in /tmp/pkg* | |Scott - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[pfSense Support] TinyDNS package not installing on 1.2 release
On a functioning pfSense 1.2 release, attempting to install the Tiny DNS package via the web-based interface yields: --- Installing dns-server and its dependencies. --- Downloading package configuration file... done. Saving updated package information... done. Downloading dns-server and its dependencies... done. Checking for successful package installation... failed! Installation aborted. --- Looks like the following file was downloaded, but that's all: /usr/local/pkg/tinydns.xml On a quick search, I didn't find that it is a reported bug. Is there something else that I need to know/do/have/sacrifice to some deity/etc.? - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] Message repeating in System Log, can't find the reason
I see how multiple WANs from different providers (assuming they use different link-level sources and/or technology) can provide backup for outgoing access, but I haven't figured out how this can help for incoming access to servers. I.E., let's say I have 2 WAN connections with public IPs; 98.76.54.231 via a cable-based ISP and 123.45.67.89 via DSL-based ISP. Now say I run a web server, www.mydomain.com, that has a DNS-resolvable public IP address of 123.45.67.89 (i.e., the DSL-based WAN). If my DSL-based WAN goes down and pfSense nicely re-routes everything through the cabled-based WAN, how does one (re)route the traffic coming into www.mydomain.com to target the cable-based WAN at 98.76.54.231? The only way I can see of doing this would be to have a DNS server that provides fail-over but, given that DNS servers are highly distributed and employ timed caching, such a fail-over would take considerable time to propagate (likely more time than the typical ISP's outage, or so one would hope?). Is there something I'm missing, here? FYI, for us this is a real problem that I'd like to solve. __ Previous message from Chris Buechler on 2008-03-06 at 4:11 PM -0500 -- |Anil Garg wrote: |> Now that the broadband is very reliable, why would anyone use more |> than one WAN at home. What are the benefits you have seen or desired |> in multiple dhcp wan at home. | |"Very reliable" depends on your provider, your definition of reliable, |and even more, your tolerance for downtime. My tolerance for downtime is |0. I work a significant amount out of my home office, largely on |servers, routers, firewalls, switches, etc. in remote locations where I |must have an Internet connection. My primary 15 Mb cable connection is |down around 4 hours a month on average, and once a year or so for 48+ |hours straight or longer. | |While that's no big deal for your typical residence, it's critical for |me and *always* happens to me at the worst times. When you have clients |that rely on you being accessible to assist any time, the money spent on |the backup DSL connection is well worth it and a relatively |insignificant cost. When I'm doing something critical after hours, I |don't want to be stuck driving into the office or elsewhere with a |working Internet connection at 3 AM to finish the job. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [pfSense Support] IPSEC
Re: Why can this not run on the pfsense router itself... --- It could. In fact, that's where I started. However, since the production version of pfSense 1.2 (RC4 at the time) doesn't have curl and since I already have a system that runs various monitoring and log-reporting tasks and since I was in a hurry (excuses, excuses), I opted to do it in a way that'd be the quickest for me, at that time. If curl is available on the development disk (or somewhere) and was installed on the production version, the script could easily be modified (if required) to run on FreeBSD (OS X's roots are FreeBSD + a Mach micro-kernel, IIRC). It's also quite possible that there's an alternative utility that could be used -- I'm not that familiar with FreeBSD. Even better, for someone who's fluent in php, presumably the web-based "API" could be bypassed completely. I had a quick look at doing just that, but it was clear that understanding the flow was going to take me much too long (as much as I would have liked to do so). Another strategy would be to watch the log, detect a failure, then determine whether the remote WAN IP's changed. That would avoid the delay due to the polling interval. FYI, on our network (and in addition to the interval between script runs), the time between the cron-initiated script being run and the VPN being updated with the new IP is about 12 seconds, with the VPN tunnel coming back up only seconds after that. Later ... __ Previous message from Anil Garg on 2008-03-03 at 3:55 PM -0800 -- |Bryan - This is ingenious. Awesome. Why can this not run on the pfsense |router itself as a scheduled task/ cron job. and update the ip address. |Sounds like that would be a simple ping to .dyndns.org. Even if the |ping fails the first line provides the last known IP address for the |dyndns. Which can then be used... | |I will try and study this more but I am sure the greatest and the best |on the forum can solve this in minutes!!! | |Thanks again for the utility. Best Regards -- --- Bryan DermanDerman Enterprises Incorporated http://www.derman.com/
Re: [pfSense Support] IPSEC
Re: --- |It looks like that it needs a public ip address to create a tunnel. I |could try and get public IP address at one place but it looks like it |still will not work because I need public IP address on both sides. --- We use pfSense 1.2 to support a VPN between 2 offices. In our case, one site has a static IP and one has a dynamic IP but the dynamic IP doesn't change very often. Originally I didn't have time to look into the "Mobile Clients" setup (and still wouldn't want to use it because of the reduced security when using aggressive mode). I decided to use the dynamic IP of the other office (i.e., as 'though it was static) and auto-update it, as required. Since we use DynDNS for the other/remote office, I wrote a shell script that checks to determine whether the remote-office's IP has changed and, if it has, updates pfSense's VPN IPSec setup to reflect that change. In our case, the script is run via cron every few minutes and that's sufficient, for us. The shell script uses fairly common UNIX tools (curl, sed, etc.) to interact with pfSense via its web pages. While it might have been nicer to do this on the router, it wasn't obvious how to do so (I'm not fluent in php) and I didn't have much time to play. In case anyone else might find this useful, a PDF of the (sanitized) VPN IPSec setup and the (commented) shell script can be downloaded via http://www.derman.com/Download/Special/UpdateRemoteGateway.zip It'll be nicer when pfSense 1.3 makes this obsolete. #;-) __ Original message from Anil Garg on 2008-02-27 at 7:51 PM -0800 -- |Hey guys - I am a happy camper with pfsense and recently upgraded to 1.2 |and have no issues to report so far. | |I am trying to hook up two pfsense boxes with IPSEC site to site | |It looks like that it needs a public ip address to create a tunnel. I |could try and get public IP address at one place but it looks like it |still will not work because I need public IP address on both sides. | |Have looked at all documents and spent many hours without avail... | |Will some of you learned people suggest a way out.. I can only get a |Public IP address at one location and I am happy to do pay for that. |But the second location being a AT&T DSL in San Jose, CA - this is not |an option,. | |Much appreciate your help and guidance. | |Best Regards |Anil Garg
Re: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
Didn't receive and can't seem to find the document mentioned: --- Chris Buechler wrote: |For the few scenarios where this makes sense, I'll send the document |described earlier when I get home later. --- Is there a URL for this? __ Previous message from Chris Buechler on 2008-02-07 at 5:28 PM -0500 ------ |Bryan Derman wrote: |> Thanks, but VLANs are not an option due to other hardware/switch |> limitations. |> |> Having only a basic understanding of VLANs, I'm also not sure how that |> would apply (but would be happy to learn) since the underlying |> objective is to have pfSense support multiple LAN subnets (in this |> case, 3) on a single port -- ideally using the web-based interface for |> setup. This is all to avoid having to setup 3 different routers or |> put more NICs into the system running pfSense. | |Normally this is a bad practice, putting multiple IP subnets on the same |broadcast domain. There are situations where it makes sense, but you |usually want to avoid this. VLANs with VLAN capable switches or multiple |interfaces and multiple switches is the proper way to do this. | |For the few scenarios where this makes sense, I'll send the document |described earlier when I get home later. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
Thanks, but VLANs are not an option due to other hardware/switch limitations. Having only a basic understanding of VLANs, I'm also not sure how that would apply (but would be happy to learn) since the underlying objective is to have pfSense support multiple LAN subnets (in this case, 3) on a single port -- ideally using the web-based interface for setup. This is all to avoid having to setup 3 different routers or put more NICs into the system running pfSense. Narrower version of original diagram included, below ... so it doesn't wrap 'n jumble [du-oh!] __ Previous message from Sean Cavanaugh on 2008-02-07 at 10:58 AM -0500 -- |set the LAN interface to use VLANs? | |-Sean | | |> Date: Thu, 7 Feb 2008 04:36:40 -0800 |> To: support@pfsense.com |> From: [EMAIL PROTECTED] |> Subject: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port |> |> After searching the archives, the forum and conferring with Mr. Google, |> I've not found anything about the best/correct strategy to use to support |> multiple LAN subnets on a single LAN port. |> |> The Questions |> = |> - is using address aliases the correct/optimal/best way to create the WAN |> aliases? |> |> - if using address aliases is *not* the best way, what is? |> |> - if using address aliases *is* the best way, I assume that the commands |> should be entered in a /etc/rc script: |> |> * if a /etc/rc script is the right way, what's the rc processing flow |> on FreeBSD ... i.e., usually there's a standard script naming that will |> automatically cause it to get included in the startup processing ... what |> is it on this *NIX? |> |> * if a /etc/rc script isn't the right way, what is (I'm not familiar |> with pearl or php but am very comfortable with shell scripting)? |> |> - are there any problems with the overall approach we're using, here? |> |> TIA |> |> Background Info |> === |> Graphically, we have (all addresses are "made up", LAN switches omitted) |> ... view in mono-spaced font: |> |Aliased IPs: Ultimately Mapped As: |+--+ 172.16.1.50 WAN : domain1.com : 4.4.8.4 || | 172.16.2.50 WAN2: domain2.com : 4.4.16.4 || | 172.16.3.50 WAN3: domain3.com : 4.4.32.4 ||Server|---+WAN4.4.8.4 || | | +--+ +---+domain1.com || | | 172.16.1.1| | |4.4.8.4| +-+ +--- |+--+ | 172.16.2.1| |-+ +-| | | | | 172.16.3.1| |WAN2 | | +---+ |domain2.com |+==+===+===|pfSnse|---|Swtch|-|DSL|-+ || | |1.2RC4| 4.4.16.4 | | +---| | 4.4.16.4 |+-+ +-+ | |-+ +-| | | || Mac | | PC | | | | WAN3 | +-| +--- |+-+ +-+ +--+ +---+domain3.com |172.16.1.10 172.16.1.204.4.32.4 4.4.32.4 |> |> |> Being 2 small offices, our pfSense setup and requirements are relatively |> simple: |> |> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static |> public IP addresses |> |> - since the DHCP assignment relies on a MAC address, we have the "normal" |> WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2) |> |> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec |> passthrough)" |> |> - all 3 WANs have ports mapped onto a LAN-resident server that supports |> the web serving for the 3 different domain names via virtual hosts based |> upon IP:port binding using the 3 different subnets (the server's single |> port is aliased to reside on the 3 subnets) |> |> - the WAN port is the only one that sees any "general" LAN-resident |> traffic (i.e., other than the traffic that's mapped to/from the server) |> and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the |> LAN-resident server |> |> - I split our DNS services for private/public address access so NAT |> reflection is not an issue (being a development shop, we have multiple |> internal-only servers as well) |> |> - we have a second basic LAN/WAN-only pfSense at another office with an |> IPSec tunnel running and we have PPTP configured |> |> What's Been Done |> |> What I've done is simply added address aliases on the otherwise |> 172.16.1.1 LAN port via |> ifconfig sk0 alias 172.16.2.1/24 |> ifconfig sk0 alias 172.16.3.1/24 |> (the Web interface then reports it as the last-added alias) |> |> The only rules are: |> |> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ... |> e.g.: |> allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80 |> |> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ... |> e.g.: |> allow TCP from any IP on any port in via |> gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 8
Re: [pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
Thanks Chris, I'd appreciate that. If you want ping me via http://www.derman.com/Contact/AboutUs-Contacts.jsp I'll send you an email address, if that would make it easier. Narrower version of original diagram included, below ... so it doesn't wrap 'n jumble [du-oh!] __ Previous message from Chris Buechler on 2008-02-07 at 1:36 PM -0500 -- |I have a document that describes in detail the steps required to |accomplish this, though not accessible right now. You're partially |right, partially wrong. I'll put it online somewhere later. | |Bryan Derman wrote: |> After searching the archives, the forum and conferring with Mr. Google, |> I've not found anything about the best/correct strategy to use to support |> multiple LAN subnets on a single LAN port. |> |> The Questions |> = |> - is using address aliases the correct/optimal/best way to create the WAN |> aliases? |> |> - if using address aliases is *not* the best way, what is? |> |> - if using address aliases *is* the best way, I assume that the commands |> should be entered in a /etc/rc script: |> |> * if a /etc/rc script is the right way, what's the rc processing flow |> on FreeBSD ... i.e., usually there's a standard script naming that will |> automatically cause it to get included in the startup processing ... what |> is it on this *NIX? |> |> * if a /etc/rc script isn't the right way, what is (I'm not familiar |> with pearl or php but am very comfortable with shell scripting)? |> |> - are there any problems with the overall approach we're using, here? |> |> TIA |> |> Background Info |> === |> Graphically, we have (all addresses are "made up", LAN switches omitted) |> ... view in mono-spaced font: |> Aliased IPs: Ultimately Mapped As: +--+ 172.16.1.50 WAN : domain1.com : 4.4.8.4 | | 172.16.2.50 WAN2: domain2.com : 4.4.16.4 | | 172.16.3.50 WAN3: domain3.com : 4.4.32.4 |Server|---+WAN4.4.8.4 | | | +--+ +---+domain1.com | | | 172.16.1.1| | |4.4.8.4| +-+ +--- +--+ | 172.16.2.1| |-+ +-| | | | 172.16.3.1| |WAN2 | | +---+ |domain2.com +==+===+===|pfSnse|---|Swtch|-|DSL|-+ | | |1.2RC4| 4.4.16.4 | | +---| | 4.4.16.4 +-+ +-+ | |-+ +-| | | | Mac | | PC | | | | WAN3 | +-| +--- +-+ +-+ +--+ +---+domain3.com 172.16.1.10 172.16.1.204.4.32.4 4.4.32.4 |> |> |> Being 2 small offices, our pfSense setup and requirements are relatively |> simple: |> |> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static |> public IP addresses |> |> - since the DHCP assignment relies on a MAC address, we have the "normal" |> WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2) |> |> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec |> passthrough)" |> |> - all 3 WANs have ports mapped onto a LAN-resident server that supports |> the web serving for the 3 different domain names via virtual hosts based |> upon IP:port binding using the 3 different subnets (the server's single |> port is aliased to reside on the 3 subnets) |> |> - the WAN port is the only one that sees any "general" LAN-resident |> traffic (i.e., other than the traffic that's mapped to/from the server) |> and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the |> LAN-resident server |> |> - I split our DNS services for private/public address access so NAT |> reflection is not an issue (being a development shop, we have multiple |> internal-only servers as well) |> |> - we have a second basic LAN/WAN-only pfSense at another office with an |> IPSec tunnel running and we have PPTP configured |> |> What's Been Done |> |> What I've done is simply added address aliases on the otherwise |> 172.16.1.1 LAN port via |> ifconfig sk0 alias 172.16.2.1/24 |> ifconfig sk0 alias 172.16.3.1/24 |> (the Web interface then reports it as the last-added alias) |> |> The only rules are: |> |> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ... |> e.g.: |> allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80 |> |> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ... |> e.g.: |> allow TCP from any IP on any port in via |>
[pfSense Support] Strategy for Multiple-Subnet LAN on Single Port
After searching the archives, the forum and conferring with Mr. Google, I've not found anything about the best/correct strategy to use to support multiple LAN subnets on a single LAN port. The Questions = - is using address aliases the correct/optimal/best way to create the WAN aliases? - if using address aliases is *not* the best way, what is? - if using address aliases *is* the best way, I assume that the commands should be entered in a /etc/rc script: * if a /etc/rc script is the right way, what's the rc processing flow on FreeBSD ... i.e., usually there's a standard script naming that will automatically cause it to get included in the startup processing ... what is it on this *NIX? * if a /etc/rc script isn't the right way, what is (I'm not familiar with pearl or php but am very comfortable with shell scripting)? - are there any problems with the overall approach we're using, here? TIA Background Info === Graphically, we have (all addresses are "made up", LAN switches omitted) ... view in mono-spaced font: Aliased IPs: Ultimately Mapped To: +--+ 172.16.1.50 WAN : domain1.com | | 172.16.2.50 WAN2: domain2.com | | 172.16.3.50 WAN3: domain3.com |Server|+ WAN |4.4.8.4 | || +---+ +---+ |domain1.com | || 172.16.1.1| | | 4.4.8.4 | +--+ |+ +--+| 172.16.2.1| |--+ +--| | | | 172.16.3.1| | WAN2 | | +---+ | domain2.com +===+===+=|pfSense|--+--|Switch|--|DSL|--+ | | | 1.2RC4| 4.4.16.4| | +---| | 4.4.16.4 +-+ +-+ | |---+ +--| | | | Mac | | PC | | | | WAN3 | +--| + +-+ +-+ +---+ +--+ domain3.com 172.16.1.100 172.16.1.200 4.4.32.4 4.4.32.4 Being 2 small offices, our pfSense setup and requirements are relatively simple: - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static public IP addresses - since the DHCP assignment relies on a MAC address, we have the "normal" WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2) - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec passthrough)" - all 3 WANs have ports mapped onto a LAN-resident server that supports the web serving for the 3 different domain names via virtual hosts based upon IP:port binding using the 3 different subnets (the server's single port is aliased to reside on the 3 subnets) - the WAN port is the only one that sees any "general" LAN-resident traffic (i.e., other than the traffic that's mapped to/from the server) and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the LAN-resident server - I split our DNS services for private/public address access so NAT reflection is not an issue (being a development shop, we have multiple internal-only servers as well) - we have a second basic LAN/WAN-only pfSense at another office with an IPSec tunnel running and we have PPTP configured What's Been Done What I've done is simply added address aliases on the otherwise 172.16.1.1 LAN port via ifconfig sk0 alias 172.16.2.1/24 ifconfig sk0 alias 172.16.3.1/24 (the Web interface then reports it as the last-added alias) The only rules are: - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ... e.g.: allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80 - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ... e.g.: allow TCP from any IP on any port in via gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80 - Firewall Rules: for each of the LAN subnets, allow all out via the mapped WAN/gateway ... e.g.: allow any protocol from 172.16.2.0/24 on any port to any destination out on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more restrictive for WAN2 & WAN3) This all seems to work quite well but I need to automate the aliasing, if that's the end solution. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
