


Messages - umuzidan

1
Virtualization installations and techniques / Re: AWS ENA issues
« on: February 25, 2018, 03:58:33 am »
I was having the same issue. Here's what fixed it for me:
1. Disabling the dest/source checks from the Instances panel only disables the check for the primary network adapter
2. Go to Network & Security > Network Interfaces
3. Right-click on the LAN adapter (172.16.0.1/24) and choose Change Source/Dest. Check -> Disable

2
Use the ID of the inside pfSense interface.

BINGO! That was it. I had to manually copy the Network Interface ID for the LAN adapter on the pfsense instance and paste it into the target for my new default route for the private subnet (writing it out for others to easily follow what I needed to do to solve this).

Thanks!

3
The method by which I was attempting to configure this was to edit the Routing Table for the private subnet and trying to essentially enter destination=0.0.0.0/0 and target=192.168.1.5/24 (but instead of entering this, I was presented with the instance ID for the pfsense firewall, which I chose).

I was presented with the error "There are multiple interfaces attached to instance 'i-xxxxxx'. Please specify an interface ID for the operation instead. (Service: AmazonEC2; Status Code: 400; Error Code: InvalidInstanceID; Request ID: xxxxxxx)"

Any idea?

Essentially I'm trying to learn how to set up an isolated private network behind a pfSense EC2 instance. In a traditional network, your servers would be configured with pfSense as the default route; however, in AWS I can't figure out that part yet.

4
Ok here's the setup:
I have a pfsense EC2 instance running with two NICs, one on a public subnet, and one on a private subnet.
public subnet: public IP 1.2.3.4/ private IP 172.16.0.5/24
private subnet: private IP 192.168.1.5/24

I can access pfsense at https://1.2.3.4 and can see I have a LAN configured for 192.168.1.5.

I also have a server on the private LAN with IP 192.168.1.10.

Question: How can I configure the VPC so the server (.10) can have a default route 0.0.0.0/0 of 192.168.1.5?

Without understanding this, I can't tell how the server (.10) will be NAT'd behind pfsense (1.2.3.4)

Note: I tried to add a default route of 0.0.0.0/0 to the private subnet in AWS VPC equal to the network adapter of 192.168.1.5, but it wouldn't allow it.

I figure there are users here that have an AWS pfSense instance running that have already solved this.
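The setup in this post and the fix in the replies above (route the private subnet's 0.0.0.0/0 at the inside network interface ID rather than the instance ID, and disable the source/dest check on that ENI, not just at the instance level) can be modelled in a few lines. The following is an added example, not code from the poster, Netgate or AWS: the instance and interface data are constructed to match the addresses in this post, every ID is a placeholder, and the script only plans the `aws ec2` calls (`modify-network-interface-attribute` and `create-route`, which are real CLI subcommands) without executing them.

```python
"""Plan the VPC changes needed to use a two-NIC pfSense instance as a default gateway.

Added example (not from the forum thread or from pfSense/Netgate/AWS). Instance and ENI
data are constructed to match the post; all IDs are placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import shlex


@dataclass
class NetworkInterface:
    eni_id: str
    private_ip: str
    source_dest_check: bool = True   # EC2 default: enabled on every ENI


@dataclass
class Instance:
    instance_id: str
    interfaces: list = field(default_factory=list)   # interfaces[0] is the primary ENI


class RouteTargetError(ValueError):
    """Mirrors EC2 refusing an instance ID as route target when it has several ENIs."""


def pfsense_instance() -> Instance:
    """Constructed data matching the post: WAN ENI in 172.16.0.0/24, LAN ENI in 192.168.1.0/24."""
    return Instance("i-PLACEHOLDER", [
        NetworkInterface("eni-PLACEHOLDER-wan", "172.16.0.5"),
        NetworkInterface("eni-PLACEHOLDER-lan", "192.168.1.5"),
    ])


def disable_check_via_instance_panel(instance: Instance) -> None:
    """The Instances panel action only affects the primary ENI (point 1 of the fix)."""
    instance.interfaces[0].source_dest_check = False


def resolve_route_target(instance: Instance, private_subnet_cidr: str) -> NetworkInterface:
    """Pick the ENI of the instance that lives in the private subnet; it is the route target."""
    subnet = ip_network(private_subnet_cidr)
    inside = [eni for eni in instance.interfaces if ip_address(eni.private_ip) in subnet]
    if len(inside) != 1:
        raise RouteTargetError(
            f"expected exactly one ENI of {instance.instance_id} in {private_subnet_cidr}, "
            f"found {len(inside)}; specify an interface ID explicitly")
    return inside[0]


def preflight(eni: NetworkInterface) -> list:
    """Conditions under which a route through this ENI is accepted but forwards nothing."""
    issues = []
    if eni.source_dest_check:
        issues.append(f"{eni.eni_id}: source/dest check still enabled, forwarded packets are dropped")
    return issues


def plan_default_route(instance: Instance, private_subnet_cidr: str, route_table_id: str) -> list:
    """Return the aws CLI commands (argv lists) that implement the fix from the thread.

    1. Disable the source/dest check on the inside ENI itself.
    2. Point 0.0.0.0/0 of the private subnet's route table at that ENI. With more than one
       ENI attached, EC2 requires --network-interface-id rather than --instance-id.
    """
    eni = resolve_route_target(instance, private_subnet_cidr)
    commands = []
    if eni.source_dest_check:
        commands.append(["aws", "ec2", "modify-network-interface-attribute",
                         "--network-interface-id", eni.eni_id, "--no-source-dest-check"])
    target = (["--instance-id", instance.instance_id] if len(instance.interfaces) == 1
              else ["--network-interface-id", eni.eni_id])
    commands.append(["aws", "ec2", "create-route", "--route-table-id", route_table_id,
                     "--destination-cidr-block", "0.0.0.0/0"] + target)
    return commands


def render(commands: list) -> str:
    """Shell-quoted, one command per line, for review before anyone runs it."""
    return "\n".join(shlex.join(cmd) for cmd in commands)


if __name__ == "__main__":
    inst = pfsense_instance()
    disable_check_via_instance_panel(inst)           # what the Instances panel does
    lan = resolve_route_target(inst, "192.168.1.0/24")
    print("preflight:", preflight(lan) or "ok")      # LAN ENI still has the check enabled
    print(render(plan_default_route(inst, "192.168.1.0/24", "rtb-PLACEHOLDER")))
```

Running the script shows the two points the thread makes: after the instance-level action the LAN ENI still fails preflight, and the planned route uses `--network-interface-id` because the instance has two ENIs.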

5
More information... it appears that I can successfully telnet to the VIP on port 26 from another LAN. When initiated on the same LAN/subnet as the VIP, the connection never responds. On this subnet there is only one firewall rule that allows all in/out on any protocol for IPv4+IPv6, so there isn't any possible rule that could be blocking.

6
Real simple, I have two open relay internal email servers both listening on port 26. I can telnet to each individual server but not to the VIP. I created a VIP on the same subnet as the servers and use the VIP for LB on both port 26 and HTTP. I set up the LB for active/passive, where server 1 is the active and all traffic is directed there, and server 2 is the passive in case server 1 goes offline (according to the monitor).

It seems like no data will pass into the VIP:port and out to server 1:port, both on 26 or 80. I have a rule on that subnet to allow all traffic to pass in and out.

Is there something I'm missing?

Config:
pfSense 2.4.2-Release-p1

LAN: 172.20.30.1/24 (pfsense)
VIP: 172.20.30.192/24 (Type=IP Alias)
Pool1: Mode=LB, Server=172.20.30.138, Port=26, Monitor=TCP
Pool2: Mode=LB, Server=172.20.30.139, Port=26, Monitor=TCP
VirtualServer1: Protocol=tcp, IP Address=172.20.30.192, Pool=Pool1, Fallback Pool=Pool2

The status for both the pool and service is green / active.

And when it's all done, I can't telnet to the VIP (172.20.30.192) on port 26, but I can telnet to 172.20.30.138 and .139

7
This part doesn't make sense to me. I have a load balancer setup for HTTP and HTTPS traffic to LB across 3 web servers. Wondering what "DNS" means in the "Relay Protocol" field. Will it act as a DNS resolver change?

8
CARP/VIPs / CARP on WAN w/ 2 Static IPs... Need help
« on: December 31, 2017, 06:28:09 am »
I am given two static IPs by my ISP in my data center. Presently I have one pfsense fw setup using both. WanIP1 used for NAT outbound from LAN1 and WanIP2 used for NAT outbound from LAN2. I have configured WanIP1 to allow only OpenVPN inbound connections and WanIP2 for HTTP and HTTPS inbound to relayd running on pfsense.

Reading here: https://doc.pfsense.org/index.php/High_Availability.... I found this "Minimum of three IP addresses per subnet (one for primary, one for secondary, one or more for CARP VIPs) -- This can be avoided on pfSense 2.2, but is still recommended."

What I'm looking to understand is if it is possible to have another pfSense running in a hot standby mode, where if pfsense1 crashed, pfsense2 could take over in some fashion.

Again, at first glance, I see my limitation as only having two static public IPs available, but am curious what the note means from the link above.

Also, if I had two static IPs available, would I direct web traffic to my new CARP WAN IP and change all my rules on pfsense to use this CARP IP as the destination IP for incoming traffic? Just looking to understand.

9
Hi All,

I've been experimenting with two WLAN adapters, both of which have undesirable results. I'm looking for recommendations for any USB WiFi Adapters that have removable antennas which work very well with pfSense / FreeBSD.

Thanks,

Dan

10
Version: 2.3.3-RELEASE-p1

Issue: I can't get the initial config working for a simple web server load balancer

I've tried creating a VIP and also not using a VIP and hitting the public IP directly, no luck.

WAN IP: 1.1.1.2/24 (Yes, I have a full /24 subnet of public IPs to choose from with my ISP in the data center)
LAN IP: 192.168.1.1/24
Web1: 192.168.1.2
Web2: 192.168.1.3
Web3: 192.168.1.4
VIP: 192.168.1.100
Public IP for Web Traffic: 1.1.1.3

1. Create LB Pool
-Insert the IPs for Web1, Web2, and Web3
2. Create the LB Virtual Server
-Insert an IP of 1.1.1.3 (and I've also tried the VIP 192.168.1.100)
3. Create a firewall rule
-Allow all traffic on port 80 FROM SOURCE (any) TO DESTINATION (1.1.1.3) - Didn't work
-Or, if using VIP, create NAT rule FROM SOURCE (any) TO DESTINATION (1.1.1.3) REDIRECT TO (192.168.1.100) all traffic on port 80 - Semi-worked: Found active states, but TCP connection closed immediately

I read a tutorial which said to create NAT rules for Web1, Web2, and Web3, however that defeats the purpose of a LB. If one goes down, or if I disable the monitor protocol on that server so the LB removes it from the pool, I believe that the NAT rule will still pass traffic to it.

Any help please?

ANSWER: I needed to add a catch all firewall rule on WAN for all port 80 traffic. Didn't need the VIP

11
Routing and Multi WAN / Re: IPsec routing with Virtual IP - Need help
« on: December 30, 2014, 04:32:59 am »
Can anyone please help?

12
Routing and Multi WAN / IPsec routing with Virtual IP - Need help
« on: December 09, 2014, 04:04:47 pm »
Ok I'll give you the low down here and need some assistance on how to configure pfSense correctly. At this moment, I have some items configured but can't seem to get through with traceroute.

Real LAN: 172.30.0.0/20
Virtual IP: 211.94.93.165/32
My Public IP for IP sec tunnel: 1.1.1.1
Customer's Public IP for IPsec tunnel: 2.2.2.2
Customer's Internal IP which I need to access: 10.120.116.244

All data from the 172.30.0.0/20 subnet which is destined for 10.120.116.244/32 should be routed to the Virtual IP of 211.94.93.165. The Virtual IP should NAT all data outbound to the IPsec tunnel so the customer only sees data coming from 211.94.93.165.

At the current moment, the IPsec tunnel is up and connected. What isn't working, for starters, is a traceroute from a computer on the Real LAN. If I run tracert 10.120.116.244, the first hop is still 172.30.0.1 (router). I even created a route add for the PC to make 211.94.93.165 the gateway for all data destined for 10.120.116.244/32

Can anyone please help?
