Hi Sai,

Yes, from Internet --> pfSense ----> Netscreen ----> LAN, DMZ.

For a DMZ internal server, it is still OK to use a static route; the traffic can be 
routed in using only one layer of port mapping from pfSense instead of two layers 
of port mapping. However, for the LAN, a static route is not recommended, because 
port mapping is still preferable for security reasons. Please correct me if I 
am wrong.

My main concern is that I do have one OpenVPN server (IPCOP) sitting behind the 
Netscreen firewall, which is using the port mapping method; the authentication 
takes place after going through the Netscreen, with port 1194 allowed. Let me 
explain my existing scenario and workflow: from Internet --> pfSense ----> 
Netscreen ----> Cisco core switch 4507R ------> VLAN server farm (IPCOP OpenVPN). 
This is how my remote users, like senior managers and the CEO, get access to company 
resources. Below are the options for your review:

Solution 1) Actually, I am thinking of replacing my Netscreen firewall with IPCOP 
(we call it IPCOP A) and migrating the existing OpenVPN policy from that box 
to IPCOP A, which would be centralized as a whole, with the new workflow: from 
Internet --> pfSense ----> IPCOP A plus OpenVPN ---------> LAN in multiple VLANs

Solution 2) Alternatively, pfSense ----> Netscreen ----> Cisco core 
switch --------> VLAN server farm (OpenVPN), but it requires two layers of port 
mapping.

Solution 3) pfSense -------> pfSense with OpenVPN -------> LAN in multiple VLANs

If I pick solution 2, that would be easier for the implementation: I can still 
keep the Netscreen and the OpenVPN box and just concentrate on pfSense at the 
front end and port mapping. But what is the impact of two layers of port 
mapping? The reason is, migrating the OpenVPN policy and replacing a firewall is a 
nightmare. Now I am struggling with the implementation of pfSense because of the 
impact on the whole network infrastructure. Please advise me if I am 
wrong.

Please let me know if I am confusing you; I can explain it in more detail. 
Thank you.


From:

CE Ang

--- sai <[EMAIL PROTECTED]> wrote:

> Internet --> pfSense ----> Netscreen ----> LAN, DMZ
> Is this what you mean?
> 
> Yes, this can be done. It means that you do NATting twice, which is
> not good, but it is workable. You just need a new private subnet
> between the pfSense ----> Netscreen.
> 
> It might be easier to just replace the Netscreen, so that if something
> is messed up you can put the Netscreen back in and your network works
> again.
> 
> sai
> 
> On 1/29/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> >
> > Hi Sai,
> >
> > Thanks for your message. I have successfully installed pfSense with the
> > latest snapshot, thank you.
> >
> > By the way, have you come across a solution with two layers of port
> > mapping via two firewalls? Let me brief you on my network infrastructure,
> > so that you can understand my question. Currently, I have one Netscreen
> > firewall as a front-end box to control all the inbound/outbound traffic,
> > including port mapping to internal servers using public IPs. The reason
> > for putting a new box in front of the Netscreen is to provide load balancer
> > and fail-over functions with two WAN lines. However, initially I am having
> > some difficulty implementing pfSense due to the IP addressing restructure;
> > in order to get it done, I have to step ahead by changing the Netscreen's
> > outbound interface to a private IP. At this stage, pfSense becomes the main
> > control of inbound port mapping. With this new design, do you think the
> > inbound traffic can be routed via two layers of firewall by the port
> > mapping method to DMZ and LAN internal servers? Please advise.
> >
> > Sorry for the confusion and long story. Please let me know if you need
> > more detail about this, thanks.
> >
> > From:
> >
> > CE Ang
> >
> > --- sai <[EMAIL PROTECTED]> wrote:
> >
> > > The latest snapshots would be here:
> > > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
> > > which have improved the load balancing user interface.
> > >
> > > On 1/26/07, sai <[EMAIL PROTECTED]> wrote:
> > > > The download mirrors are here:
> > > > http://pfsense.com/mirror.php?section=downloads
> > > >
> > > > A copy of the Live ISO is here:
> > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz
> > > >
> > > > md5 of the iso.gz:
> > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz.md5
> > > >
> > > > I hope that this is what you were asking for.
> > > >
> > > > sai
> > > >
> > > > On 1/26/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > > Hi Scott,
> > > > >
> > > > > Thanks for your information. Sorry for the same question, but do you
> > > > > have any address for the LiveCD .iso download for my pfSense
> > > > > installation? Using the LiveCD is much more straightforward, and I am
> > > > > able to run it in trial mode before installing it to hard disk.
> > > > > Please advise.
> > > > >
> > > > > Thank you.
> > > > >
> > > > >
> > > > > --- Scott Ullrich <[EMAIL PROTECTED]> wrote:
> > > > >
> > > > > > On 1/24/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > > > >
> > > > > > >
> > > > > > > Hi Scott,
> > > > > > >
> > > > > > > Thanks for your information. I will get the new ISO and
> > > > > > > reinstall my pfSense. Do you think I can use this ISO file to
> > > > > > > boot from CD and reinstall pfSense? In addition to this, would
> > > > > > > you mind providing the instruction guideline for the load
> > > > > > > balancer and fail-over configuration?
> > > > > >
> > > > > > Follow the instructions for booting and installing at
> > > > > > http://doc.pfsense.org/index.php/Installing_pfSense
> > > > > >
> > > > > > You can find the load balancing howto at
> > > > > > http://wiki.pfsense.com/wikka.php?wakka=pfSenseHome
> > > > > >
> > > > > > Scott
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail:
> > > > > > [EMAIL PROTECTED]
> > > > > > For additional commands, e-mail:
> > > > > > [EMAIL PROTECTED]

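The "two layers of port mapping" that this thread keeps coming back to, modelled as an added example (this is not code from the thread, nor from pfSense, Netscreen or IPCOP): each firewall is a list of rdr-style inbound mappings plus the pass rules that apply after translation, and a packet is pushed through either one layer (pfSense mapping straight to the box that terminates the service, as in solutions 1 and 3) or two layers (pfSense, then the Netscreen on the transit subnet sai mentions, as in solution 2). Every address, the transit subnet, the host roles and the sample packets are assumptions. What it shows is the operational cost of double NAT that the question is really about: every inbound service needs a matching mapping and pass rule on both boxes, a mapping added on pfSense alone is silently dropped at the inner firewall, and a trace tells you which layer is missing the rule.

```python
# Added example: inbound port mapping (DNAT) through one or two firewall
# layers.  Not code from pfSense, Netscreen or IPCOP; all addresses,
# subnets, ports and sample packets below are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rdr:
    """One port mapping: proto/dport arriving on the firewall's outside
    address is rewritten to to_addr:to_port (pf 'rdr', ScreenOS VIP)."""
    proto: str
    dport: int
    to_addr: str
    to_port: int


@dataclass
class Firewall:
    name: str
    outside: str                                   # address inbound traffic lands on
    rdr: List[Rdr] = field(default_factory=list)
    passes: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port) allowed after rdr

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate first, then filter the translated packet (pf order).
        Returns the packet as the next hop sees it, or None if dropped."""
        if pkt.dst != self.outside:
            return None                            # not addressed to us: no mapping applies
        for r in self.rdr:
            if (r.proto, r.dport) == (pkt.proto, pkt.dport):
                # Plain DNAT keeps the client source address, so the inner
                # server still logs the real remote IP (assuming neither box
                # also source-NATs forwarded traffic).
                out = Packet(pkt.src, r.to_addr, r.to_port, pkt.proto)
                return out if (out.proto, out.dport) in self.passes else None
        return None                                # no rdr rule: default deny


def trace(layers: List[Firewall], pkt: Packet) -> List[Tuple[str, Optional[Packet]]]:
    """Push pkt through each layer in turn; the hop list ends with None on a drop."""
    hops, cur = [], pkt
    for fw in layers:
        cur = fw.inbound(cur)
        hops.append((fw.name, cur))
        if cur is None:
            break
    return hops


def delivered(layers: List[Firewall], pkt: Packet) -> Optional[Packet]:
    """The packet as the final server sees it, or None if some layer dropped it."""
    return trace(layers, pkt)[-1][1]


def dropped_by(layers: List[Firewall], pkt: Packet) -> Optional[str]:
    """Name of the first layer lacking a mapping or pass rule, or None if delivered."""
    hops = trace(layers, pkt)
    return hops[-1][0] if hops[-1][1] is None else None


# Assumed addressing (not from the thread): pfSense public WAN, a private /30
# transit subnet between pfSense and the Netscreen, the OpenVPN box in the
# server VLAN and a web server in the DMZ.
PFSENSE_WAN = "203.0.113.10"
NETSCREEN_OUT = "10.255.255.2"
OPENVPN_SRV = "192.168.50.10"
WEB_DMZ = "192.168.60.20"


def double_layer() -> List[Firewall]:
    """Solution 2: pfSense -> Netscreen -> server VLAN, two mappings per service."""
    pfsense = Firewall("pfSense", PFSENSE_WAN,
                       rdr=[Rdr("udp", 1194, NETSCREEN_OUT, 1194),
                            Rdr("tcp", 443, NETSCREEN_OUT, 443)],   # new service added here...
                       passes={("udp", 1194), ("tcp", 443)})
    netscreen = Firewall("Netscreen", NETSCREEN_OUT,
                         rdr=[Rdr("udp", 1194, OPENVPN_SRV, 1194)],  # ...but forgotten here
                         passes={("udp", 1194)})
    return [pfsense, netscreen]


def single_layer() -> List[Firewall]:
    """Solutions 1/3: pfSense maps straight to the terminating host, one mapping per service."""
    pfsense = Firewall("pfSense", PFSENSE_WAN,
                       rdr=[Rdr("udp", 1194, OPENVPN_SRV, 1194),
                            Rdr("tcp", 443, WEB_DMZ, 443)],
                       passes={("udp", 1194), ("tcp", 443)})
    return [pfsense]


# Constructed sample traffic: a remote OpenVPN user and an HTTPS visitor.
VPN_CLIENT = Packet("198.51.100.7", PFSENSE_WAN, 1194, "udp")
HTTPS_HIT = Packet("198.51.100.7", PFSENSE_WAN, 443, "tcp")

if __name__ == "__main__":
    for label, layers in (("two layers", double_layer()), ("one layer", single_layer())):
        for pkt in (VPN_CLIENT, HTTPS_HIT):
            print(f"{label:10} {pkt.proto}/{pkt.dport}: delivered={delivered(layers, pkt)} "
                  f"dropped_by={dropped_by(layers, pkt)}")
```

Running it prints that OpenVPN on udp/1194 reaches 192.168.50.10 through either design, while tcp/443 is dropped by the Netscreen in the two-layer design and delivered in the one-layer one. The same `trace` is the check to run mentally before touching pfSense on a live network: list every public port the Netscreen currently maps, and make sure each one gets both a pfSense mapping to the transit address and a pass rule, or it stops working the moment pfSense goes in front.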