Netgate Store

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - johnpoz

Pages: [1] 2 3 4 5 ... 1069
1
Firewalling / Re: Remove "Logging Noise" on Wan port
« on: Today at 10:10:36 am »
Turn off bogon logging get rid of those.

You could also turn off logging of rfc1918 and default if you wanted, and just create a block rule at bottom of wan interface rules to log what you want.  I do this since all I want to see is SYN blocks, I don't care to see all the other noise like UDP and Out of state packets that are dropped by the default deny.

2
A wan is going to be any interface that can be used to get to other networks.  You can nat or not nat to this wan connection.  As mentioned already you have an asymmetrical problem putting this "wan" network of pfsense where there are devices..

If you want networks behind pfsense, and you want a "wan" network that will be used to get to networks not behind and directly attached to pfsense then this network should be a transit network..

Thats fine if all of these networks all connected physically on the same switch, you just need to make sure you break that switch up correctly at layer 2 to provide isolation.

Your going to run into asymmetrical problems as well if you just put all your networks behind pfsense on "lan" networks directly attached that use different gateway to get off their network other than pfsense.  You would have to do host routing on every single host, etc.

Connect this pfsense to either your layer 3 or your edge with a transit network and correctly route..  Any network your going to put behind pfsense like this 192.168.100 should be isolated on their own layer 2 and use pfsense 192.168.100.x as their default gateway.

3
And what specific ISO do you refer too?

There are many ISO standards related to IT security... These are normally based up policy and or specifics - but "licensed" would not be something that even makes any sense in relation to a policy or standard.

https://doc.pfsense.org/index.php/Can_pfSense_meet_regulatory_requirements

4
So only thing on this esxi host tis your 192.168.100 network on its own switching environment?  Ie different physical switches than your L3 switch?

"PFSense server rules
ipv4 tcp      192.168.50.151   *         192.168.100.20   3389   *               Allow - Easy rule passed from firewall log view (still fails)"

In what scenario would you every see on the lan side (pfsense server) traffic from 192.168.50??  And you created that from an easy rule?  So something was blocked?  Yeah you have a problem at layer 2 if you would ever see traffic from that network on the lan side.

Draw up your physical connections..  From your statement that your lan side is on its own switches, it would seem impossible to have traffic on lan from wan network..


5
General Questions / Re: multiple vlan
« on: Today at 07:17:20 am »
yeah sure no problem.. Do you have switch(es) that support vlans?

6
General Questions / Re: ESXI and VLAN
« on: Today at 04:47:15 am »
Saying you followed guide X doesn't mean you actually followed it correctly, etc..

Your going to have to show us your network in esxi..

So you created a vswitch, connected to physical interface.  If you want the wan vnic of pfsense that is connected to that you either set your vlan ID on the vswitch port group, or you set 4095 on it to not strip tags and then setup your vnic in pfsense to understand the tag you want it to use.

7
Unless you disable all auto added ACLs, only internal interface networks are added.  So yeah on a wan interface you would need to add the acl to allow query.

By default, IPv4 and IPv6 networks residing on internal interfaces of this system are permitted. Allowed networks must be manually configured on the Access Lists tab if the auto-added entries are disabled."

8
And your ACL settings in unbound are what exactly?  See the ACL tab..

9
Also I take it your switch is layer 3? And routing?

Or do you have these 192.168.20 and .50 networks on your juniper as layer 2 vlans?  And that link from your switch to juniper is trunk?

Are you servers on 192.168.100 behind pfsense on a different switch or are you just vlan same physical switch your other devices are connected too.  Maybe you just have your layer 2 messed up?

10
Yeah just fire up another instance.. I run both tcp 443 and udp 1194 on mine.

11
I would return that switch if v2, they have firmware for v3 that is supposed to fix the vlan.  But v2 model you can not remove vlan1 from every port so its no better than a dumb switch.

That is not a layer 3 switch, so you would do 2 vlans and pfsense would route between them.

your vlans are tagged on the port connected to pfsense, and untagged to your PCs.

12
General Questions / Re: pfSense as NTP server
« on: May 19, 2018, 07:29:25 am »
Well for one you limit the amount of traffic outbound to ntp since only pfsense and or other local ntp would be going outbound.  This makes more sense when you have large number of internal devices.

It is well established practice to run an internal ntp that provides good time for all your internal devices.. Pointing all your devices outbound for ntp can create unwanted traffic.. While ntp traffic is not a significant amount of traffic.. Having say 100 or 1000 devices all talking abound for ntp is way more external traffic than say having pfsense sync its time and then your local devices syncing to it.

This also should remove delay and jitter between the time server and the time client to allow for more consistent time across your environment..  Vs having multiple devices all talking across the public network even to the same source will for sure see different delay and jitter across time.  While local lan traffic this delay and jitter should be very constant.

13
Wireless / Re: are Virtual wireless networks possible?
« on: May 19, 2018, 04:37:18 am »
Good luck




 - I would suggest you read up on how wifi actually works as well..

" 2 wireless interfaces/radios (over 3 antennas). I'm not sure how they do that"


14
Firewalling / Re: port forward plex
« on: May 19, 2018, 04:32:52 am »
And don't forget you removed the any any rule that basically opened up your web gui to the world - so anyone on the planet might of guessed your pfsense username and password or sshed to it, etc. etc..

Why did you create the any any rule on your wan?

15
Routing and Multi WAN / Re: Routing a /26 to Multiple /32
« on: May 18, 2018, 02:03:51 pm »
As Derelict says pfsense has really nothing to do with this - it would all be at your switch setup.  Layer 3 switch with /30 would be way to go - but your /26 is not going to allow for that.

Why would your users be setting static IPs on their routers that could conflict when your just going to hand them their IP via dhcp..

If you do not have a single switch that can handle all the ports, prob want to break your /26 into say 2 /27 and use 2 48 port switches for each half, etc.  or a 48 and 24...

There are much better switches than the unifi ones with much better feature sets at same sort of price point.. But if your worried about isolation of the customers you would have to check to see if it does private vlans, etc.

Pages: [1] 2 3 4 5 ... 1069