Messages - johnpoz

Pages: [1] 2 3 4 5 ... 953
1
IPv6 / Re: Changing from /64 to /48
« on: Today at 05:04:27 am »
"Presumably, i need to set up routing on each interface to the gateway for the tunnel?"

No.. Why would you think that?  You're just attaching a network to pfsense, just like an ipv4 network..  Pfsense will be the gateway to the clients on that network.

Pfsense knows what its default gateway is for wan, and it knows what it is for ipv6 via the tunnel you set up - you would not set up a gateway on an interface unless it was a wan connection.

2
DHCP and DNS / Re: Reaching webserver in DMZ on domain name
« on: Yesterday at 05:18:31 pm »
Set up a host override to point www.webserver.com to the rfc1918 address of your webserver in the dmz.. Done.

3
NAT / Re: Portforwarding FIN_WAIT_2:FIN_WAIT_2
« on: Yesterday at 05:14:53 pm »
You do understand fin_wait 2 is normal after fin.. Normally this is a faulty application.. And are you sure you're not looking at old states..

Why exactly do you even need nat reflection - just access the http directly.. Does your port forward work from outside... Then you're done.. There is zero reason for nat reflection.. just use a host override to access the local IP by whatever name it is you want that you use on the outside.

4
NAT / Re: Portforwarding FIN_WAIT_2:FIN_WAIT_2
« on: Yesterday at 03:12:49 pm »
So you're trying to do nat reflection - did you enable that?  Test your access from the actual outside.. Not a nat reflection.

5
"Is rules in firewall enough or I need to create gateway or static route under routing."

If the networks are attached directly to pfsense then it already knows about the routing.. All you have to do is allow the rules you want to allow for inter vlan traffic.

6
Firewalling / Re: Curious Floating Rules Behavior
« on: Yesterday at 01:43:57 pm »
"Traffic/connections on a NIC is either received (inbound) or transmitted (outbound)."

Well stated... But the wire that plugs into the nic is always "outside" the device... Traffic is either put on the wire from the device, egress.. Or into the device from the wire - ingress..

Agree you have to be clear on what context you're talking about with a firewall when you say outside/inside.. But I thought the question was in/out of an interface.. ingress, egress.. Where the rules apply - so the context seems to be clear..

7
" each their own subnet / switches and firewall's / own dhcp /dns"

If these switches are separate, connect them... So once a client connects to the specific ssid/vlan they can get to either side.. Forget about the routing between these networks - you do not need to do that until the networks join into 1.

But it's really easy to leverage all the APs for both networks - where clients can be put on any network you want via the vlan and that ssid, or the dynamic vlan.. As long as the switches the APs connect to are managed this is a simple setup.

Does this drawing help?

Does not matter what brand firewall is on the side - you're just doing everything at layer 2 with vlan IDs.. As long as the switches share the same vlan IDs for the different networks you can let traffic flow wherever you want, be it to pfsense or the other firewall, etc.  Clients will be on the vlan they join via ssid, etc.

8
Firewalling / Re: HTTP filtering based on user agent
« on: Yesterday at 09:25:44 am »
So your customer is not doing anything on https?  They do not listen on it or serve up these pages via https?  Since for you to block it via the proxy you're going to break end to end encryption and would be doing mitm.. Which would in theory give you access to all https traffic..

They are ok with this?

9
Could you please draw this.. So you have 2 pfsense with their own internet connections and then a managed switch with vlans on it..

This switch is only doing layer 2, it's not routing, right?

Something like this..  If so you could put your wifi clients on any AP on any vlan you want, based on SSID or dynamic vlans based upon radius auth, etc.

10
Firewalling / Re: Curious Floating Rules Behavior
« on: Yesterday at 08:51:51 am »
Outside is always the wire..  Connected to the nic/port..  When you're talking ingress/egress to a port/nic.

11
Firewalling / Re: Curious Floating Rules Behavior
« on: Yesterday at 07:59:48 am »
Here maybe this video will help ;)

https://youtu.be/u-rkp7iuJ_w


12
Firewalling / Re: Curious Floating Rules Behavior
« on: Yesterday at 07:36:52 am »
"Specifically, citing "green is outbound (egress).." is a total contradiction to the drawing you posted. That green arrow is not "OUTbound", it is OUTside relative to the LAN."

I suggest you research ingress and egress.  These are standard networking 101 terms that if you do not grasp you're going to have a hard time of it.


edit:  Let's try it another way.  A nic or even a port on a switch is like putting a door on a house..  With pfsense or the switch being the house.  If the traffic is going into the interface from the network it is ingress - you're going into the house..  If the traffic is exiting the nic towards the network then it's egress (leaving the house)..

13
Firewalling / Re: HTTP filtering based on user agent
« on: Yesterday at 05:19:14 am »
Good luck filtering/stopping said user agents that are via https this way..

If your customer is too stupid to do this on their own server, then show him how to do it - this sort of block makes zero sense to do at the firewall.. Now if you were running a load balancer (reverse proxy) and you had say multiple servers behind it serving up content then ok, it might make sense to filter it at the single point vs having to configure all the different servers, etc.  And if you were offloading the https to the load balancer as well so that it could see the user agents in the https..

All of the major httpds support this, even IIS can do it ;) Doing this at your firewall is the wrong way to go about this..
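The post above says a user-agent block belongs on the web server (or on a reverse proxy that terminates TLS), because only a component that sees the decrypted request can read the User-Agent header. As an added illustration, not code from the poster or from any httpd, here is a small WSGI middleware that applies such a denylist in front of an application. The pattern list, the sample application and the request driver are constructed for the example; the real list would come from the customer.

```python
"""User-agent denylist as WSGI middleware (constructed example).

Assumptions: the server or reverse proxy running this has already
terminated TLS, so HTTP_USER_AGENT is visible in the WSGI environ.
"""
import re
from typing import Iterable, List, Tuple

# Constructed denylist of regexes; a real deployment supplies its own.
BLOCKED_UA_PATTERNS: List[str] = [r"\bBadBot\b", r"^curl/"]


def ua_is_blocked(user_agent: str, patterns: Iterable[str] = BLOCKED_UA_PATTERNS) -> bool:
    """True if any denylist regex matches the User-Agent (case-insensitive)."""
    ua = user_agent or ""
    return any(re.search(p, ua, re.IGNORECASE) for p in patterns)


def block_user_agents(app, patterns: Iterable[str] = BLOCKED_UA_PATTERNS):
    """Wrap a WSGI app; answer 403 before the app runs when the UA is denied."""
    def middleware(environ, start_response):
        if ua_is_blocked(environ.get("HTTP_USER_AGENT", ""), patterns):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return middleware


def hello(environ, start_response):
    """Stand-in application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


app = block_user_agents(hello)


def request(user_agent: str) -> Tuple[str, bytes]:
    """Drive the wrapped app with a constructed GET / and return (status, body)."""
    status = {}

    def start_response(status_line, headers, exc_info=None):
        status["line"] = status_line

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "HTTP_USER_AGENT": user_agent}
    body = b"".join(app(environ, start_response))
    return status["line"], body


if __name__ == "__main__":
    # Serve locally for manual testing: curl -A 'BadBot/1.0' http://127.0.0.1:8080/
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The same check expressed as a rewrite rule or `if` block in Apache, nginx or IIS does the same job; the point is that it runs where the plaintext HTTP request exists.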

14
Firewalling / Re: Curious Floating Rules Behavior
« on: Yesterday at 04:51:14 am »
"Remember, the floating rule didn't even specify the OPT at all - thus "OUT[bound]" couldn't possibly be "OUT[bound]"."

It's not outbound of the opt interface, it's OUTBOUND of the LAN interface...  Why does this concept cause people so much pain??

Pfsense has interface - lan.. If the traffic is from the lan toward pfsense then it's INBOUND or ingress to that interface... If it's into the LAN from the direction of pfsense then it's outbound from the interface, or egress..  This is how every single interface works on any device, be it router or switch..  Please look up ingress and egress in networking terms..

Attached is a simple drawing...

The red arrows are inbound traffic to the specific interface (ingress), green is outbound (egress)..

So if you have a PC on lan that sends a SYN to an IP on OPT..  That syn would be in to the lan nic..  And out of the opt nic.. These are the 2 places where you could put rules..  To do the inbound rule just place the rule on the lan interface.  If you want to stop traffic from going out the opt, then you would need to put that on the floating tab picking out of the opt interface..

It's always best to block the traffic before it actually enters the firewall.. Why process the packet all the way through pfsense just to stop it from leaving the opt interface.. Just drop it as it tries to enter at the lan..

If you wanted to save yourself time in creating rules.. And you knew say that you didn't want lan, opt, optX, optY etc.. going out to the internet on 53... Then you could put a floating rule on the wan interface, outbound direction, blocking 53.. Now if lan or opt sent traffic it would be dropped on the outbound direction of the wan interface.
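The post above describes a forwarded packet being seen twice: ingress on the interface it arrives on and egress on the interface it leaves on, with a rule able to sit at either point. The following toy model is an added example, not pfSense code or anything the poster wrote. It assumes a deliberately simplified policy (first matching rule per interface/direction wins, default deny on ingress, default pass on egress) and uses constructed packets to show the three situations the post mentions: blocking late at OPT egress, blocking early at LAN ingress, and one WAN-egress floating rule catching port 53 from every internal interface.

```python
"""Toy model of per-interface in/out (ingress/egress) rule matching.

Constructed example, not pfSense's actual rule engine. Assumptions:
- a forwarded packet is evaluated twice: "in" on the interface it enters
  the firewall on, then "out" on the interface it is routed out of;
- rules for a given (interface, direction) are checked in list order and
  the first match decides;
- with no matching rule, ingress is denied and egress is allowed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Decision = Tuple[str, Tuple[str, str]]   # (verdict, (iface, direction))


@dataclass(frozen=True)
class Packet:
    in_if: str       # interface the packet arrives on
    out_if: str      # interface routing sends it out of
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str             # "in" (ingress) or "out" (egress)
    action: str                # "pass" or "block"
    proto: str = "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet, iface: str, direction: str) -> bool:
        return (self.iface == iface and self.direction == direction
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def evaluate(pkt: Packet, rules: List[Rule]) -> Decision:
    """Walk ingress then egress; report where the packet was decided."""
    for iface, direction in ((pkt.in_if, "in"), (pkt.out_if, "out")):
        verdict = next((r.action for r in rules
                        if r.matches(pkt, iface, direction)), None)
        if verdict is None:
            verdict = "block" if direction == "in" else "pass"
        if verdict == "block":
            return "block", (iface, direction)
    return "pass", (pkt.out_if, "out")


# Constructed traffic: a LAN PC sending a SYN to a web host on OPT,
# and LAN/OPT hosts sending DNS and HTTPS toward the internet.
LAN_TO_OPT_HTTP = Packet("lan", "opt", "tcp", 80)
LAN_TO_WAN_DNS = Packet("lan", "wan", "udp", 53)
OPT_TO_WAN_DNS = Packet("opt", "wan", "udp", 53)
LAN_TO_WAN_HTTPS = Packet("lan", "wan", "tcp", 443)


def block_late() -> Decision:
    """Allow everything into LAN, stop the SYN only as it leaves OPT (floating, out)."""
    rules = [Rule("lan", "in", "pass"),
             Rule("opt", "out", "block", "tcp", 80)]
    return evaluate(LAN_TO_OPT_HTTP, rules)


def block_early() -> Decision:
    """Drop the same SYN on the LAN tab before it enters the firewall."""
    rules = [Rule("lan", "in", "block", "tcp", 80),
             Rule("lan", "in", "pass")]
    return evaluate(LAN_TO_OPT_HTTP, rules)


def wan_egress_dns_block() -> List[Decision]:
    """One floating rule on WAN out catches port 53 from any inside interface."""
    rules = [Rule("wan", "out", "block", "udp", 53),
             Rule("lan", "in", "pass"),
             Rule("opt", "in", "pass")]
    return [evaluate(p, rules) for p in (LAN_TO_WAN_DNS, OPT_TO_WAN_DNS, LAN_TO_WAN_HTTPS)]


if __name__ == "__main__":
    print("late :", block_late())
    print("early:", block_early())
    print("wan53:", wan_egress_dns_block())
```

Both placements stop the flow; the difference the post points at is that `block_early` decides at the first hop, so the packet never has to be routed through the box before being dropped.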

15
Hardware / Re: USB NIC or managed switch?
« on: Yesterday at 04:45:39 am »
"My internet speed is 100Mbps and I don't see myself upgrading to 1Gbps anytime soon. "

And what about local side vlans, or are you just going to have 1 lan?  If you're going to do vlans on your network then you will be hairpinning for any intervlan traffic.  So it's not only your internet speed you have to worry about, unless you're just going to be on 1 lan..
