Messages - viragomann

1
OpenVPN / Re: Cannot ping or access remote network
« on: Today at 04:49:35 am »
The pfSense boxes have to be the default upstream gateway on both sites.
If that is not given, you need either a static route for the remote network on each device which should communicate with it, or you must NAT the packets on pfSense.

2
OpenVPN / Re: Cannot ping or access remote network
« on: Yesterday at 05:10:59 am »
In the datacenter OpenVPN config you have to set the office network (192.168.1.0/24) in the "Remote networks" field.
The local datacenter network makes no sense here.

3
Routing and Multi WAN / Re: Setup secondary IP's for WAN interface
« on: Yesterday at 03:36:28 am »
No man, not that Alias! That sets only an alias name for one or multiple IPs, but doesn't assign the IP to the interface.

Go to Firewall > Virtual IPs. Here you can add virtual IPs to interfaces.
Select type "IP Alias", select the WAN interface and enter one of your additional public IPs and the mask and save it. Add the second one in the same way.

4
Routing and Multi WAN / Re: Setup secondary IP's for WAN interface
« on: February 22, 2018, 05:27:55 pm »
The IPs should only be added as type "IP Alias" to the WAN interface.

Clients on the Internet will use these IPs to establish connections to your services. So in the NAT rule, when the WAN interface is selected, you can choose the VIPs from the drop-down at destination instead of the WAN address.

5
Routing and Multi WAN / Re: Setup secondary IP's for WAN interface
« on: February 22, 2018, 03:54:06 pm »
You must add each of them as IP Alias.

After that you can select them from the destination drop-down when you add a port forwarding rule.

In firewall rules you have to use internal addresses in the destination field.

6
Deutsch / Re: VPN site-to-site OpenVPN virtual IP through the tunnel
« on: February 22, 2018, 01:54:14 pm »
No, that only sets the route from B to A. The one from A to the third-party router you have to set as a static route; that has nothing to do with VPN.

In System > Routing > Gateway, create the A-side IP of the third-party router as a gateway, and then on the Static Routes tab set a route for the 10.4.x.x network with the third-party router IP as gateway.

7
Deutsch / Re: VPN site-to-site OpenVPN virtual IP through the tunnel
« on: February 22, 2018, 01:43:13 pm »
I don't understand those intermediate lines either.

But the route to the 10.44.x.x network is apparently still missing. It has to be entered on pfSense A as a static route.

8
Deutsch / Re: VPN site-to-site OpenVPN virtual IP through the tunnel
« on: February 22, 2018, 01:07:59 pm »
Well, you have to tell us what the situation is now.

Is a static route for the B network set on the third-party router?
Does it allow the access at all?
Can you reach the target host from pfSense A?

The whole thing can of course only work if packets from 10.4.x.x are routed back via the third-party router. That can also be achieved with S-NAT on it.

9
OpenVPN / Re: Force one virtual interface through OpenVPN
« on: February 22, 2018, 12:14:35 pm »
    To find out if the DNS is the problem, you can just start a ping on a DO_VPN device by using an IP, i.e. "ping 8.8.8.8".

  • The OPENVPN_interface is what I assigned in the Interfaces to network port ovpnc1, the other OpenVPN was created automatically when initializing OpenVPN service however there was no gateway created so that is why I bound the Network port ovpnc1 to a OpenVPN_interface. I assume this is the one I should be using?
That's absolutely correct.

  • I have DHCP activated on DO_VPN interface (and subnet), however the OpenVPN_Interface has both ipv4 and ipv6 types set as None.
Since the IPv6 gateway is shown as pending, it seems you get no IPv6 address from the VPN server.
However, this doesn't influence the DHCP server on the DO_VPN interface.

  • I have specified explicitly the DNS servers for the DO_VPN DHCP_Server, please see attached screenshot. However, for LAN and OPT1 I haven't explicitly specified it and I assume they will be able to pull it automatically from my ISP through the WAN interface?
If the DNS servers in the DHCP settings are left blank and the DNS Resolver or Forwarder is on, the DHCP server pushes its own interface address to the clients. If the DNS services are both off, it pushes the DNS servers to the clients which are set in System > General settings.
If you have specified DNS servers in the DHCP settings, these are pushed to the clients.

Ensure that the DNS servers are reachable over the VPN.

10
NAT / Re: NAT with unassigned destination IP
« on: February 22, 2018, 11:26:17 am »
Yeah, a simple drawing says more than 1000 words.  ;)

11
OpenVPN / Re: Force one virtual interface through OpenVPN
« on: February 22, 2018, 11:09:40 am »
The interface called "openVPN" is in fact an interface group. So you don't know which interface you really get.

Consider that the rule on the DO_VPN interface only permits traffic over the VPN. If your hosts are configured to use DNS from pfSense they won't get access to it. So you should set them to use an external DNS.
If it is set by DHCP you may push external DNS servers by DHCP. DHCP access, if it is activated, is allowed by an invisible rule in newer versions.

12
NAT / Re: NAT with unassigned destination IP
« on: February 22, 2018, 10:43:35 am »
  • in the previous appliance (using iptables) we were doing it with a rule like: $IPTABLES -t nat -A PREROUTING  -s 192.168.70.0/24  -d 172.20.1.214  -j DNAT --to-destination 10.1.100.214
So you had 172.20.1.214 assigned as a virtual IP on the previous router's interface connected to 192.168.20.1/24 and simply forwarded it to 10.1.100.214.

To do that on pfSense, go to Firewall > Virtual IPs and assign 172.20.1.214 as "IP Alias" to the proper interface.

Then add a port forwarding rule in "Firewall > NAT". Again select the proper interface, the protocol you need, at source hit "display advanced", select Network and enter 192.168.70.0/24, at destination select the virtual IP you've added before and at "redirect target" enter 10.1.100.214, below you may set a description, save the rule.

Now it should behave the same way as with the previous router.
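The same translation written out as a hand-made pf fragment, added here as an illustration and not taken from the post or from what pfSense generates; the interface name em0 facing 192.168.70.0/24 is an assumption:

```pf
# Added example (not from the post): pf equivalent of the GUI steps above.
# Assumption: em0 is the interface connected to the 192.168.70.0/24 clients.

# Step 1 (Firewall > Virtual IPs, type "IP Alias"): the otherwise unassigned
# 172.20.1.214 has to exist on em0, or pf never sees the packets as local.
# Done outside pf.conf, once:  ifconfig em0 inet 172.20.1.214 netmask 255.255.255.255 alias

# Step 2 (Firewall > NAT, port forward): rewrite the destination only for the
# 192.168.70.0/24 source network, mirroring the old iptables DNAT rule
# "-s 192.168.70.0/24 -d 172.20.1.214 -j DNAT --to-destination 10.1.100.214".
# No proto/port is given, so like the iptables rule it covers all protocols.
rdr on em0 from 192.168.70.0/24 to 172.20.1.214 -> 10.1.100.214

# Step 3 (the associated firewall rule): rdr runs before filtering, so the
# filter rule refers to the internal address, as post 5 above points out.
pass in quick on em0 from 192.168.70.0/24 to 10.1.100.214 keep state
```

Check the result with `pfctl -s nat` and `pfctl -s rules` (or Diagnostics > States in the GUI) after a client in 192.168.70.0/24 connects to 172.20.1.214.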

13
OpenVPN / Re: Force one virtual interface through OpenVPN
« on: February 22, 2018, 09:37:35 am »
The one weird thing is that when I go to gateways it says that my OPENVPN gateway is offline? But I can ping through the openVPN_interface (getting the correct VPN IP),
How have you figured that out, since you have no route to the vpn?

That the gateway is shown as offline means that dpinger does not get any response. The vpn can work anyway.

Two mistakes I've found in your setup:
You need an outbound NAT rule for the VPN connection. Don't know what the rule on the OpenVPN interface is for, but you need one for the "OpenVPN_interface" interface.

In the firewall rule for DO_VPN you have to change the gateway to the one of OpenVPN_interface.

14
Deutsch / Re: VPN site-to-site OpenVPN virtual IP through the tunnel
« on: February 22, 2018, 08:53:49 am »
Hello,

a sketch of the challenge would have saved me reading it 3 times.  ???

Unfortunately I can't specify the tunnel as gateway, or ??
Yes, you can. You do that anyway to access the remote network, don't you?
But the whole thing happens within OpenVPN, by entering the corresponding networks in the "Remote Network/s" and "Local Network/s" fields in the server and client config.
Here you just have to add the additional host to be reached (e.g. 10.7.6.5/32) in the right field.

The problem, though: the router the connection runs through also needs a route to the B network pointing to the pfSense in A. Any firewall on the router would also have to allow access from B.
If that's not feasible because you have no access to it, as a workaround you can set up an S-NAT rule on the A pfSense for this connection that translates the source IPs to the internal LAN IP of the pfSense.

Regards

15
General Questions / Re: resolve internal web server
« on: February 21, 2018, 05:32:24 am »
What you want can only be achieved with a proxy.

To make it less complicated, configure your web server to (also) listen on http://xyz.com.
Then set the host override with "xyz.com" in the Host box and only "192.168.100.76" in the IP Address field.
