A pfSense newbie here. I have a configuration question. I understand 
Cisco PIX configs well enough to describe the goal. I am trying to 
translate this concept to pfSense. Let me describe my network a little.

This is a typical "belt and suspenders" configuration with dissimilar
firewalls for the perimeter and inside firewall.  

  ISP assigned publicly available network: 1.2.3.128/27
  DMZ : 192.168.90.0/24
  LAN : 192.168.100.0/24

  Router inside address: 1.2.3.129

  Perimeter Firewall = fw01, outside address = 1.2.3.130
  (pfSense)                  inside address = 192.168.90.1

  Inside Firewall = fw02, outside address = 192.168.90.2
  (PIX 506e)              inside address = 192.168.100.1

This was a very simple and easy install! (once I got a motherboard that
would allow me to set the cylinders and sectors on the hard drive)

I offer HUGE Kudos to you guys. I wanted FreeBSD and pf, but didn't 
feel comfortable securing it myself. pfSense IS the perfect answer!

I am operational. I have a simple NAT setup. I had NOTHING in the DMZ, 
until now. The current config has been serving us well for several weeks.

The following is what I would do using a PIX config to allocate a portion
of the block of 32 addresses to be used as publicly available addresses
going to servers, and the remainder as addresses set aside for inside
users going out. (this config is of course quite stripped down)

------------------------------------------------------------------------------
  ip address outside 1.2.3.130 255.255.255.224
  ip address inside 192.168.90.1 255.255.255.0

  access-list public-in permit tcp any host 1.2.3.131 eq smtp
  access-list public-in permit tcp any host 1.2.3.132 eq https
  access-group public-in in interface outside

  nat (inside) 1 192.168.90.0 255.255.255.0 0 0
  nat (inside) 2 192.168.100.0 255.255.255.0 0 0

  static (inside,outside) 1.2.3.131 192.168.90.131 netmask 255.255.255.255 0 0
  static (inside,outside) 1.2.3.132 192.168.90.132 netmask 255.255.255.255 0 0

  global (outside) 2 1.2.3.138-1.2.3.150 netmask 255.255.255.224
  global (outside) 1 interface

  route outside 0.0.0.0 0.0.0.0 1.2.3.129 1
  route inside 192.168.100.0 255.255.255.0 192.168.90.2 1
------------------------------------------------------------------------------

I set up the 1:1 NAT for the two servers. In each case, I used /32 for the 
subnet mask. Is this correct?

Not only can they not be seen by the outside, they cannot SEE the outside. 
I figured that the server SHOULD be able to see out since the LAN can. The 
DMZ got the default rule and I added a rule for the LAN. If I change the 
IP to any other address on the DMZ, I can see out. But the two 1:1 
addresses cannot. I also added a rule specific to them to enable them to 
see out. No help.

I read in one of the m0n0wall docs that the problem is that I need to 
enable Advanced Outbound NAT. I currently have Enable IPSEC passthru set. 
My confusion comes when I attempt to Enable Advanced Outbound NAT and 
then set up the mappings.

Even though we are using only two servers today, there will ultimately 
be 15 publicly used IP addresses going to servers. DomainA has 7, allocated 
at the top of the subnet (.131 - .137) and DomainB has 8, allocated at the 
bottom of the subnet (.151 - .158). This is because there are two different 
companies on site. They can each grow towards the middle.

Is this config possible using pfSense? Any advice? Thanks in advance.

Jeff

(I am not offended by RTFM when accompanied by appropriate links.)
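Before translating an address plan like the one in this post into pfSense 1:1 and outbound NAT entries, it is worth checking that the plan is internally consistent: every public address used by a 1:1 mapping, the outbound PAT pool, and the reserved router and firewall addresses must all sit inside the ISP /27 and must not overlap one another, and each 1:1 public address should fall inside one of the server ranges the companies have been given. The script below is an added example, not part of the original post and not a pfSense or PIX feature; it takes the block, the two statics, the `global (outside) 2` pool and the DomainA/DomainB ranges from the post and reports conflicts and unallocated addresses. The function names and the assumption that each 1:1 public address must belong to a named server range are this example's own.

```python
import ipaddress

# Address plan taken from the post: the ISP /27 block and the pieces the PIX
# config carves out of it. The consistency check itself is an added example.
PUBLIC_BLOCK = ipaddress.ip_network("1.2.3.128/27")
DMZ = ipaddress.ip_network("192.168.90.0/24")

# Addresses no pool may reuse: the ISP router and fw01's outside address.
RESERVED = {"router": "1.2.3.129", "fw01 outside": "1.2.3.130"}

# 1:1 statics, public address -> DMZ host (the two 'static' lines).
STATICS = {"1.2.3.131": "192.168.90.131", "1.2.3.132": "192.168.90.132"}

# Outbound PAT pool for LAN users ('global (outside) 2'), inclusive range.
PAT_POOL = ("1.2.3.138", "1.2.3.150")

# Planned public server ranges per company, inclusive.
SERVER_RANGES = {"DomainA": ("1.2.3.131", "1.2.3.137"),
                 "DomainB": ("1.2.3.151", "1.2.3.158")}


def addrs_in_range(first, last):
    """Expand an inclusive first-last pair into a list of IPv4Address objects."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if b < a:
        raise ValueError(f"range {first}-{last} is reversed")
    return [ipaddress.ip_address(i) for i in range(int(a), int(b) + 1)]


def allocate(pat_pool=PAT_POOL, server_ranges=SERVER_RANGES):
    """Map every claimed public address to its owner and collect conflicts.

    Returns (owners, problems). Reserved addresses, the PAT pool and the
    server ranges must be pairwise disjoint and lie inside the /27's usable
    host range (network and broadcast addresses excluded).
    """
    usable = set(PUBLIC_BLOCK.hosts())
    owners, problems = {}, []

    def claim(addr, label):
        if addr not in usable:
            problems.append(f"{label}: {addr} is not a usable host in {PUBLIC_BLOCK}")
        if addr in owners:
            problems.append(f"{addr} claimed by both {owners[addr]} and {label}")
        else:
            owners[addr] = label

    for label, addr in RESERVED.items():
        claim(ipaddress.ip_address(addr), label)
    for addr in addrs_in_range(*pat_pool):
        claim(addr, "PAT pool")
    for label, (first, last) in server_ranges.items():
        for addr in addrs_in_range(first, last):
            claim(addr, label)
    return owners, problems


def check_plan(statics=STATICS, pat_pool=PAT_POOL, server_ranges=SERVER_RANGES):
    """Return a list of problem strings; an empty list means the plan is consistent."""
    owners, problems = allocate(pat_pool, server_ranges)
    for pub, priv in statics.items():
        pub_addr, priv_addr = ipaddress.ip_address(pub), ipaddress.ip_address(priv)
        owner = owners.get(pub_addr)
        # Assumption of this example: a 1:1 public address must come out of a
        # server range, never out of the PAT pool or a reserved address.
        if owner not in server_ranges:
            problems.append(f"static {pub}: public side owned by {owner}, not a server range")
        if priv_addr not in DMZ:
            problems.append(f"static {pub}: DMZ side {priv} is outside {DMZ}")
    return problems


def free_addresses(pat_pool=PAT_POOL, server_ranges=SERVER_RANGES):
    """Usable public addresses nobody has claimed yet (room for growth)."""
    owners, _ = allocate(pat_pool, server_ranges)
    return sorted(set(PUBLIC_BLOCK.hosts()) - set(owners))


if __name__ == "__main__":
    for line in check_plan() or ["address plan is consistent"]:
        print(line)
    print("unallocated:", [str(a) for a in free_addresses()])
```

With the post's numbers the plan checks out and no usable address is left over: 2 reserved + 7 DomainA + 13 PAT pool + 8 DomainB account for all 30 hosts of the /27, so any growth "towards the middle" has to come out of the PAT pool range. Shrinking `PAT_POOL` or moving a server range so that it overlaps the pool makes the script name the colliding addresses.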

