Topics - umuzidan

1
Ok, here's the setup:
I have a pfSense EC2 instance running with two NICs, one on a public subnet and one on a private subnet.
public subnet: public IP 1.2.3.4 / private IP 172.16.0.5/24
private subnet: private IP 192.168.1.5/24

I can access pfsense at https://1.2.3.4 and can see I have a LAN configured for 192.168.1.5.

I also have a server on the private LAN with IP 192.168.1.10.

Question: How can I configure the VPC so the server (.10) can have a default route 0.0.0.0/0 of 192.168.1.5?

Without understanding this, I can't tell how the server (.10) will be NAT'd behind pfSense (1.2.3.4).

Note: I tried to add a default route of 0.0.0.0/0 to the private subnet in the AWS VPC pointing at the network adapter of 192.168.1.5, but it wouldn't allow it.

I figure there are users here that have an AWS pfSense instance running that have already solved this.

2
Real simple: I have two open relay internal email servers, both listening on port 26. I can telnet to each individual server but not to the VIP. I created a VIP on the same subnet as the servers and use the VIP for LB of both port 26 and HTTP. I set up the LB as active/passive, where server 1 is the active and all traffic is directed there, and server 2 is the passive in case server 1 goes offline (according to the monitor).

It seems like no data will pass into the VIP:port and out to server 1:port, both on 26 or 80. I have a rule on that subnet to allow all traffic to pass in and out.

Is there something I'm missing?

Config:
pfSense 2.4.2-Release-p1

LAN: 172.20.30.1/24 (pfsense)
VIP: 172.20.30.192/24 (Type=IP Alias)
Pool1: Mode=LB, Server=172.20.30.138, Port=26, Monitor=TCP
Pool2: Mode=LB, Server=172.20.30.139, Port=26, Monitor=TCP
VirtualServer1: Protocol=tcp, IP Address=172.20.30.192, Pool=Pool1, Fallback Pool=Pool2

The status for both the pool and service is green / active.

And when it's all done, I can't telnet to the VIP (172.20.30.192) on port 26, but I can telnet to 172.20.30.138 and .139.

3
This part doesn't make sense to me. I have a load balancer setup for HTTP and HTTPS traffic to LB across 3 web servers. Wondering what "DNS" means in the "Relay Protocol" field. Will it act as a DNS resolver change?

4
CARP/VIPs / CARP on WAN w/ 2 Static IPs... Need help
« on: December 31, 2017, 06:28:09 am »
I am given two static IPs by my ISP in my data center. Presently I have one pfSense firewall set up using both. WanIP1 is used for NAT outbound from LAN1 and WanIP2 is used for NAT outbound from LAN2. I have configured WanIP1 to allow only OpenVPN inbound connections and WanIP2 for HTTP and HTTPS inbound to relayd running on pfSense.

Reading here: https://doc.pfsense.org/index.php/High_Availability.... I found this "Minimum of three IP addresses per subnet (one for primary, one for secondary, one or more for CARP VIPs) -- This can be avoided on pfSense 2.2, but is still recommended."

What I'm looking to understand is if it is possible to have another pfSense running in a hot standby mode where, if pfsense1 crashed, pfsense2 could take over in some fashion.

Again, at first glance, I see my limitation as only having two static public IPs available, but am curious what the note from the link above means.

Also, if I had two static IPs available, would I direct web traffic to my new CARP WAN IP and change all my rules on pfsense to use this CARP IP as the destination IP for incoming traffic? Just looking to understand.

5
Hi All,

I've been experimenting with two WLAN adapters, both of which have undesirable results. I'm looking for recommendations for any USB WiFi Adapters that have removable antennas which work very well with pfSense / FreeBSD.

Thanks,

Dan

6
Version: 2.3.3-RELEASE-p1

Issue: I can't get the initial config working for a simple web server load balancer.

I've tried creating a VIP and also not using a VIP and hitting the public IP directly, no luck.

WAN IP: 1.1.1.2/24 (Yes, I have a full /24 subnet of public IPs to choose from with my ISP in the data center)
LAN IP: 192.168.1.1/24
Web1: 192.168.1.2
Web2: 192.168.1.3
Web3: 192.168.1.4
VIP: 192.168.1.100
Public IP for Web Traffic: 1.1.1.3

1. Create LB Pool
-Insert the IPs for Web1, Web2, and Web3
2. Create the LB Virtual Server
-Insert an IP of 1.1.1.3 (and I've also tried the VIP 192.168.1.100)
3. Create a firewall rule
-Allow all traffic on port 80 FROM SOURCE (any) TO DESTINATION (1.1.1.3) - Didn't work
-Or, if using VIP, create NAT rule FROM SOURCE (any) TO DESTINATION (1.1.1.3) REDIRECT TO (192.168.1.100) all traffic on port 80 - Semi-worked: Found active states, but TCP connection closed immediately

I read a tutorial which said to create NAT rules for Web1, Web2, and Web3, however that defeats the purpose of a LB. If one goes down, or if I disable the monitor protocol on that server so the LB removes it from the pool, I believe that the NAT rule will still pass traffic to it.

Any help please?

ANSWER: I needed to add a catch-all firewall rule on WAN for all port 80 traffic. Didn't need the VIP.
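The two relayd setups described in posts 2 (port 26 active/passive via a fallback pool) and 6 (HTTP across three web servers on 1.1.1.3), written out as an added example in plain relayd.conf and pf.conf syntax rather than through the pfSense GUI. This is not the file pfSense itself generates; the table and redirect names are assumed, and the addresses are the ones quoted in the posts.

```conf
# relayd.conf -- layer-3 "redirect" is what pfSense's Load Balancer (Mode=LB) drives

# Post 6: pool of three web servers, each checked with a TCP connect (Monitor=TCP)
table <web_pool> { 192.168.1.2 192.168.1.3 192.168.1.4 }

redirect web_lb {
        listen on 1.1.1.3 port 80
        forward to <web_pool> check tcp
}

# Post 2: active/passive. A second "forward to" names the backup table, which
# relayd only uses once every host in the primary table fails its check.
table <smtp_active>  { 172.20.30.138 }
table <smtp_passive> { 172.20.30.139 }

redirect smtp_relay {
        listen on 172.20.30.192 port 26
        forward to <smtp_active>  check tcp
        forward to <smtp_passive> check tcp
}

# pf.conf -- relayd only installs rdr entries into its anchor; the packet is
# still subject to the filter rules, and pf evaluates those AFTER translation,
# so a pass rule with destination 1.1.1.3 never matches (the destination is
# already rewritten to a backend). Match on the backend addresses instead of
# the "catch-all port 80" rule from the answer above.
wan_if = "vmx0"   # assumed interface name
rdr-anchor "relayd/*"
anchor "relayd/*"
pass in quick on $wan_if proto tcp from any to { 192.168.1.2, 192.168.1.3, 192.168.1.4 } port 80
pass in quick on $wan_if proto tcp from any to { 172.20.30.138, 172.20.30.139 } port 26
```

When a monitor marks a host down, relayd removes it from the rdr table, so a pass rule scoped to the pool members still only admits traffic to hosts relayd currently forwards to.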

7
Routing and Multi WAN / IPsec routing with Virtual IP - Need help
« on: December 09, 2014, 04:04:47 pm »
Ok I'll give you the low down here and need some assistance on how to configure pfSense correctly. At this moment, I have some items configured but can't seem to get through with traceroute.

Real LAN: 172.30.0.0/20
Virtual IP: 211.94.93.165/32
My Public IP for IP sec tunnel: 1.1.1.1
Customer's Public IP for IPsec tunnel: 2.2.2.2
Customer's Internal IP which I need to access: 10.120.116.244

All data from the 172.30.0.0/20 subnet which is destined for 10.120.116.244/32 should be routed to the Virtual IP of 211.94.93.165. The Virtual IP should NAT all data outbound to the IPsec tunnel so the customer only sees data coming from 211.94.93.165.

At the current moment, the IPsec tunnel is up and connected. What isn't working, for starters, is a traceroute from a computer on the Real LAN. If I run tracert 10.120.116.244, the first hop is still 172.30.0.1 (router). I even created a route add on the PC to make 211.94.93.165 the gateway for all data destined for 10.120.116.244/32.

Can anyone please help?
