
Messages - johnpoz

NAT / Re: [solved] Outbound NAT with WAN DHCP IP Address
« on: March 09, 2018, 10:04:07 am »
The ftp package is for clients behind pfsense to go to active ftp servers on the internet.. It doesn't work with active servers behind pfsense, especially ones that would have no way to get to the client's IP anyway since it has no gateway.

What that package does is look in the control channel and see the port the client is telling the server to connect to, and then forwarding that port to the client.

I personally would just put the rules directly on the interfaces in question.  This allows for differences, and easier to troubleshoot and understand the rules..

Do you really have 20+ vlans or were you just using that as an example of how to do it on multiple vlans?

How many interfaces do you have these vlans spread across on pfsense.  Is there a lot of intervlan traffic - any vlan that talks to another vlan on the same physical interface is a hairpin, and your total amount of traffic possible between vlans would be limited by the total bandwidth available on physical interface.

This can become a real bottleneck when you have lots of clients in lots of vlans all sharing single physical interface..

You could setup rules in floating.. where you can pick the interfaces the rule would be applied on..  So sure you could pick your 20 vlans there And allow traffic to that dest vlan on the ports you want.  If you have multiple ports you put them in an alias.

don't do it on floating... policy routing should be done on the interface the traffic enters pfsense on..

Well one of the steps in the troubleshooting is to sniff to make sure the traffic you're wanting to forward is actually getting to your wan to be forwarded.  If you see the traffic get there, then validate it is being sent out the lan side interface to your destination IP.. If so then pfsense is doing what you told it to do, if the client doesn't answer maybe there is a firewall on that host, maybe that host uses a different gateway than pfsense.

Quite often that traffic never even gets to pfsense for it to forward, or user puts in wrong dest IP, or maybe even that service is not even listening on that port you're forwarding to, etc.

Troubleshooting a port forward really should take no more than a couple of minutes to validate traffic via a sniff.

Just allow the ports you want to allow, ie 443 to the specific server IP or whole subnet if you want.

Rules are evaluated top down, first rule to trigger wins, no other rules evaluated.

So if you want to allow to 443, put that rule above where you block access to that vlan/subnet/prefix

You could always route specific clients out a vpn on the client and let that go out wan2, then if hitting wan1 IP it would go down the vpn and come back in your isp1 to get to your wan1 IP.

How exactly did you try and make it work?  Policy routing might work, if you set specific clients on wan to be forced out wan2?

Post up your rules on lan1 and lan2

I can try and simulate this with a vpn connection I sometimes policy route traffic through.

If you have the dest fqdn to use in an alias or the IP blocks that would be used... If you allow 80/443 then you would be able to go to anywhere on the internet..

You might be able to do something with the new openappid filtering in snort that pfsense recently rolled out.
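The "first rule to trigger wins" point above, as an added example that is not from the forum post: a small first-match evaluator modelled on how pfSense interface rules behave (pfSense adds `quick` to its rules, so the first match ends evaluation, and an unmatched packet falls to the implicit default deny). The rule sets and addresses below are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Minimal model of an interface rule: action, protocol, destination network, destination port.
Rule = namedtuple("Rule", "action proto dst_net dst_port")

def first_match(rules, proto, dst_ip, dst_port):
    """Evaluate rules top-down; the first rule that matches decides.
    Returns 'pass' or 'block'; 'block' is also the implicit default when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if ip not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.dst_port not in ("any", dst_port):
            continue
        return rule.action
    return "block"

# Constructed example: a vlan that may reach only 443 on one server in another vlan.
SERVER = "192.168.20.10"        # hypothetical server in the destination vlan
DEST_VLAN = "192.168.20.0/24"   # hypothetical destination vlan prefix

# Correct order: the specific allow sits above the broad block.
RULES_GOOD = [
    Rule("pass", "tcp", SERVER + "/32", 443),
    Rule("block", "any", DEST_VLAN, "any"),
    Rule("pass", "any", "0.0.0.0/0", "any"),   # everything else (e.g. internet)
]

# Wrong order: the block is hit first, so the allow below it is never evaluated.
RULES_BAD = [
    Rule("block", "any", DEST_VLAN, "any"),
    Rule("pass", "tcp", SERVER + "/32", 443),
    Rule("pass", "any", "0.0.0.0/0", "any"),
]

def outcomes(rules):
    """Return the verdicts for 443 to the server, 22 to the server, and 443 to the internet."""
    return (
        first_match(rules, "tcp", SERVER, 443),
        first_match(rules, "tcp", SERVER, 22),
        first_match(rules, "tcp", "203.0.113.5", 443),
    )
```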

DHCP and DNS / Re: Clearing DNS records created by DHCP
« on: March 09, 2018, 07:14:08 am »
well you would need to clear the cache on dns server, and or clients local copy which would time out after the ttl expired which most likely would have been at most 1 hour.

NAT / Re: Outbound NAT with WAN DHCP IP Address
« on: March 09, 2018, 07:12:25 am »
It works fine for web access and would also work fine for say ssh/sftp but with FTP how it uses control channel and data channel it's going to be a problem without client/server being able to handle the ability to talk off the local network or even in passive the server being able to give out the specific NAT IP and set ports it will use.

If your ftp server running on the device could do passive and hand out the 172. address and use specific ports like 5000-6000 for the passive range then you could get it to work fine.

DHCP and DNS / Re: Clearing DNS records created by DHCP
« on: March 09, 2018, 04:43:03 am »
well remove it from dhcpleases._entries.conf

You stated you had removed the old lease - if so it should have been removed from there when you did that.

Nat reflection is not a test of anything - it's an abomination in its own right.  If you want to test your firewall rules from outside.. Then hit it from outside.. Use a vps on the internet... VPS on the internet can be had for $15 a YEAR... I have multiples of them all over the place for "testing"

Use a box connected to your mobile phone's data... Just disconnect the wan 2 from your pfsense and connect a machine to it.. 

What exactly are you wanting to test??  Performance - since you forward a port pfsense is done with its job.  It works - zero reason to test it.. If you need to validate the port is open then go to can you see a test if the port is open.

NAT / Re: Outbound NAT with WAN DHCP IP Address
« on: March 09, 2018, 04:13:00 am »
Connect a computer or few computers to this 10. network you have behind pfsense and let users access them.. Then from there they can ftp all they want since they would be on the 10 network and local to this iot device.

NAT / Re: Outbound NAT with WAN DHCP IP Address
« on: March 08, 2018, 02:56:44 pm »
Passive could maybe fix the problem depending on the ftp client..  With passive the ftp server tells the client in the control channel, hey come connect to me - if it says 10.x.x.x you're out of luck!!  But some clients will say that doesn't work, I connected to you on 172.16.x.x, I will use that and the port you gave me in the passive command.

If this is something you're developing and designed to only work on the same network... Why are you putting it behind a firewall to try and test it?

I would suggest you drop ftp completely and use sftp!!  FTP should have died 10 years ago or longer - it's CRAP!!! It's not secure and as you can see a PITA across firewalls and nat..

I would also suggest your device have the ability to set a gateway so you can use it across segments.  If this is designed for home use, more and more homes are segmenting their networks because they don't want untrusted iot devices on the same network as their trusted devices, etc.

NAT / Re: Outbound NAT with WAN DHCP IP Address
« on: March 08, 2018, 02:28:33 pm »
Where is FTP?  On your server(iot device) behind pfsense?  And your client is out on your wan?  And the server only does active?

You're going to have a problem with that for sure... Since the server has NO gateway, and the client would be telling the server come connect to me on IP address which is a problem...

Whatever this device is - to be honest I would get something else that supports a gateway!!!
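The FTP control-channel behaviour discussed in this thread (the helper reading the PORT command, the passive 227 reply handing out a 10.x address, the "smart" client that ignores it, and a server with no gateway) as an added example, not code from the forum posts or from pfSense. It decodes the h1,h2,h3,h4,p1,p2 form FTP uses for data-channel endpoints and checks whether the endpoint can work across the NAT boundary; the addresses are constructed for illustration (server 10.0.0.5 behind pfSense, pfSense WAN 172.16.1.1, client on 172.16.x.x).

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and by the 227 passive reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Decode the address/port tuple carried in a PORT command or a 227 reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host/port tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = nums
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)

def data_endpoint(line, control_peer_ip, smart_client=False):
    """Endpoint the receiving side will connect to for the data channel.

    A 'smart' client (the case the post describes) ignores the address in the
    227 reply and reuses the address it already reached the server on,
    keeping only the port.  PORT commands are used as advertised.
    """
    advertised_ip, port = parse_hostport(line)
    if smart_client and line.startswith("227"):
        return (control_peer_ip, port)
    return (advertised_ip, port)

def needs_helper_rewrite(endpoint_ip, nat_ip):
    """True when the advertised address is private and not the NAT address, i.e.
    the peer on the far side of NAT cannot reach it unless an FTP helper
    rewrites the tuple and forwards the port (what the ftp package does for
    clients behind pfSense going to active servers, not the reverse)."""
    return ipaddress.ip_address(endpoint_ip).is_private and endpoint_ip != nat_ip

def on_local_segment(host_ip, prefix_len, peer_ip):
    """A host with no gateway can only reach peers inside its own subnet; this
    is why the gateway-less iot server cannot complete an active-mode PORT."""
    net = ipaddress.ip_network("%s/%d" % (host_ip, prefix_len), strict=False)
    return ipaddress.ip_address(peer_ip) in net
```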
