Setup a PfSense 2 - Forward


  • 8/10/2019 Setup a PfSense 2 - Forward


29/10/13 Setup a pfSense 2.0 firewall when default gateway is on a different subnet | Alain Spineux

blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet


Alain Spineux
May the sources be with you

Setup a pfSense 2.0 firewall when default gateway is on a different subnet

Submitted by aspineux on Fri, 08/26/2011 - 06:09

I have written a better article, using the firewall in transparent mode, here.

This article has been updated for pfSense 2.0. The original article about pfSense 1.2.X has moved here.

News: It looks like the OVH gateway works like a universal ARP proxy or captive portal: my OVH gateway replies to any ARP request. This means that for any given a.b.c.d/32 failover IP, I can set up a host or virtual host using a /24 mask (instead of /32) and a gateway a.b.c.X, where X can be anything not in (0, 255 or d), and it will work. And it does work, at least on the Kimsufi I have tested it on. It even works for IPs in a.b.c.0/24. I think this is how OVH sets up some (maybe all) of their routers, to support migration of failover IPs or blocks without too much headache. What is fun is to traceroute some IPs in a.b.c.* and see how they are not directly attached to the WAN but are behind some routers.

OVH doesn't say anything about this setup, so this feature is amusing but cannot be used on a production server. Be careful: if you use a wrong setup and generate a lot of unexpected ARP requests, OVH can warn you to quickly fix the problem or even disable your network link.

If you buy a VMware server and an IP block from OVH, you will be surprised because the default gateway doesn't match the IP block. Even if this setup is unusual, it is valid and gives full satisfaction if you know how to configure your firewall and hosts.

There are some advantages to this technique for the provider/web hoster: it makes the router configuration a lot simpler (no need to set up an IP address for each underlying IP block, and they can merge routes for adjacent IP blocks together) and, most importantly, it saves one IP address in the block.

Windows hosts accept this unusual configuration and just work; thanks Bill for this great job.

Linux hosts require a little trick.

    [root@fc6-pmx ~]# route add default gw 192.168.23.254

    SIOCADDRT: Network is unreachable

Linux refuses to add the route because it doesn't know how to reach the gateway itself. Adding the appropriate route for the gateway before the default route solves the problem.


    [root@fc6-pmx ~]# route add -host 192.168.23.254 dev eth0

    [root@fc6-pmx ~]# route add default gw 192.168.23.254

This works!

[root@fc6-pmx ~]# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.254  0.0.0.0         255.255.255.255 UH    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.23.254  0.0.0.0         UG    0      0        0 eth0

To configure a firewall, depending on the firewall, you will have to be imaginative!

Differences with the 1.2.X config

The main ideas are the same as in the previous article, but the trick used to reach the gateway is different and, in the end, a lot simpler. I recommend this setup!

    Schema

Here is the schema I used to test this configuration.

All IPs are from the Address Allocation for Private Internets (RFC 1918), but that is only for testing! Use the addresses you get from your provider or web hoster. For real, only 172.22.22.1 and 192.168.1.0/24 can be in a private network.

192.168.23.254 is the default gateway given by my provider.

10.0.0.0/24 is the IP block given by my provider. I assign it to my DMZ.

192.168.1.0/24 is for a virtual LAN, to put machines that help to configure and manage the firewall and the servers in the DMZ.

    The gateway trick

Instead of creating an ARP entry with a command line at startup, I force a route to the gateway by using the route command twice. The trick is identical to the one used for Linux in the previous article. It is not possible to create such routes using the web interface, so once more the shellcmd package comes to the rescue to set up the route at startup.

To create a route to 192.168.23.254 on an interface that has no IP in this range, I use the commands:

    route add -net 192.168.23.254/32 -iface em0

    route add default 192.168.23.254

The first line tells the firewall that IP address 192.168.23.254 is on the em0 side (em0 is my WAN interface); the second one uses this address as the default gateway.
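The "Network is unreachable" refusal on the Linux host above and the two-command pfSense trick are the same mechanism, so here is one added example covering both (it is not code from the original article). It is a small longest-prefix-match routing table in Python that applies the rule the Linux and FreeBSD kernels apply when installing a gateway route: the next hop must be reachable through a directly connected (on-link) route. The /32 host route (`route add -host ... dev eth0` on Linux, `route add -net .../32 -iface em0` on pfSense) is exactly what makes the gateway on-link. Addresses are the article's test addresses; the class, method and function names are my own.

```python
"""Why `route add default gw 192.168.23.254` is refused, and why a /32
interface route for the gateway fixes it.

Tiny longest-prefix-match table with the kernel's rule for gateway routes:
the next hop must resolve through a directly connected (on-link) route,
not through another gateway.  Names here are illustrative, not kernel API.
"""
from ipaddress import ip_address, ip_network


class RouteError(Exception):
    pass


class RoutingTable:
    def __init__(self):
        self.routes = []  # entries of (network, gateway or None, interface)

    def add_onlink(self, prefix, iface):
        """`route add -net X/len -iface em0` (FreeBSD) / `route add -host X dev eth0`
        (Linux): the prefix is declared directly reachable on `iface`, no next hop."""
        self.routes.append((ip_network(prefix, strict=False), None, iface))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, gateway, iface) or None."""
        dst = ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def add_via(self, prefix, gateway):
        """`route add default 192.168.23.254`: refused unless the gateway is on-link."""
        hop = self.lookup(gateway)
        if hop is None or hop[1] is not None:
            raise RouteError(
                f"SIOCADDRT: Network is unreachable (no on-link route to {gateway})")
        self.routes.append((ip_network(prefix, strict=False), ip_address(gateway), hop[2]))

    def neighbour(self, dst):
        """The address the host will ARP for in order to deliver `dst`, plus the
        interface used: the gateway for routed prefixes, `dst` itself when on-link."""
        r = self.lookup(dst)
        if r is None:
            return None
        net, gw, iface = r
        return (str(gw) if gw is not None else str(ip_address(dst)), iface)


def gateway_trick(host_prefix, gateway, iface):
    """Replay the article's sequence: the direct attempt fails, then the /32
    host route followed by the default route succeeds.
    Returns (error text of the first attempt, resulting table)."""
    rt = RoutingTable()
    rt.add_onlink(host_prefix, iface)          # the interface's own address and mask
    try:
        rt.add_via("0.0.0.0/0", gateway)       # gateway is outside host_prefix: refused
        error = None
    except RouteError as e:
        error = str(e)
    rt.add_onlink(f"{gateway}/32", iface)      # route add -host <gw> dev eth0  /  -iface em0
    rt.add_via("0.0.0.0/0", gateway)           # route add default <gw>: now accepted
    return error, rt


if __name__ == "__main__":
    err, rt = gateway_trick("10.0.0.1/24", "192.168.23.254", "eth0")
    print("first attempt:", err)
    for dst in ("8.8.8.8", "10.0.0.2", "192.168.23.254"):
        print(dst, "-> ARP for", rt.neighbour(dst))
```

The `neighbour()` method is the part worth keeping in mind for the rest of the article: with only a /32 for the gateway on the WAN side, the firewall ARPs for exactly one address on that wire, the gateway. Any wider mask on the WAN interface would make it ARP directly for every address in that range, which is the kind of ARP traffic a hosting provider notices.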

This time, there is no need to find the MAC address of the gateway as in the first article. But some operations, like disabling the em0 interface or setting up a default gateway, can break the trick and would require reloading the route manually or rebooting the firewall.

To remove the route you can use:

    route del default 192.168.23.254

    route del -net 192.168.23.254/32 -iface em0

You can create the default route as soon as you have access to the firewall, using ssh, the console, or the Command prompt in the Diagnostics menu of the web interface. To be sure the routes are there, click the Routes option in the Diagnostics menu and look for the two routes.

Be careful: you have to remove any default route before running these two commands!

This will not give you Internet access right away; you need some more settings.

    The WAN interface

I don't want to waste an IP address, so I choose a completely unrelated address, 172.22.22.1, and don't set up any gateway, because the job is already done by the two commands above.

The DMZ interface (OPT1)

This is where the servers with a public address live. I give the 10.0.0.1 address to the firewall; this will be the default gateway for servers in the DMZ, but also the public IP of the firewall on the WAN side.


    The LAN interface

The LAN can be used if you need additional hosts that don't need to be reachable from the Internet but are required to manage the DMZ, or for any other purpose. These hosts can access the DMZ (and vice versa when required). This is where I put a virtual machine to configure this firewall. Machines in this zone can be accessed from the Internet too; see later.

I keep the firewall's default settings for this interface.

Setup the Proxy ARP

The 10.0.0.0/24 subnet is on the DMZ side. To allow the firewall to reply to ARP requests for these addresses on the WAN interface, we have to add a proxy ARP entry (a Virtual IP of type Proxy ARP).


I do it for the full subnet at once; in the previous article I did it address by address. This is faster, but it also bypasses a bug (or a feature) in 2.0 that forbids the use of an address already used by an interface. I'm thinking here about the DMZ address 10.0.0.1. It is possible to get around this by creating the Proxy ARP entry before assigning the address to the DMZ interface, but using a subnet here bypasses the problem!

Masquerade the source address

For now, packets leaving the firewall have the source address 172.22.22.1, so replies will never come back! We need to rewrite the source address of packets leaving the firewall. I use hide NAT (outbound NAT) to give them the 10.0.0.1 address. I assign this address to packets coming from the firewall itself, but also to masquerade the LAN zone.

Here are the details for the LAN; the config for the firewall itself is similar.

Now any packets from the firewall or from hosts in the LAN will leave the firewall with address 10.0.0.1.

Double check the rules for the LAN, and be sure the "Default allow LAN to any" rule permits outgoing connections:


Don't hesitate to be stricter: for example, my second rule blocks port 25 to the Internet, but not to the DMZ. Here I allow all protocols except some, but the right way to configure a firewall is to block all traffic by default and permit only some protocols.

The gateway: trick part 2

Now the firewall and the LAN have Internet access, at least after you have set up your DNS. You can now hardcode the gateway trick. You need to install the shellcmd package. Version 0.5 is for pfSense 1.0 but works well with 2.0 too. Install it from the package manager in the System menu!

Then, in the Services menu, select the Shellcmd option and set up the two commands:

The DMZ zone (OPT1)

To use your DMZ you have to add filter rules to allow packets to leave the DMZ towards the WAN side. Here for outgoing packets...

Here I block packets to the LAN, because the DMZ is no more than a part of the Internet itself; any access to the LAN from the DMZ or the Internet must be carefully thought through.

...and here incoming packets to my public web server 10.0.0.2 (the first rule)!

Create other rules for your other servers and services inside your DMZ!

Because we are using routing, we don't need any NAT rules between WAN and DMZ!

The LAN already has full access to the DMZ because of the "Default allow LAN to any" rule seen previously!


    The LAN zone

If you need to access some resources inside your LAN from the Internet, you can NAT some ports from address 10.0.0.1. Here I forward RDP to my 192.168.1.100 Windows host:

Double check that pfSense has created the appropriate filter rules.

That's it!

The final touch

There are lots of other things to say and do, but this is not a tutorial about firewalls. Anyway, I was very impatient to try the new Floating tab in the Rules screen! I have added a rule to let DMZ hosts reply to ping requests. Here it is:

Before the Floating tab, you had to duplicate some rules in each interface tab. This made pfSense 1.2.X a bit unsuitable for configurations with lots of interfaces and rules!

    Add IP fail-over

If you need to manage IP fail-over inside this configuration, take a look at this post.

    Advantages of this configuration

The biggest advantage of this configuration is the use of routing instead of NAT to forward packets. The others are:

- this config provides a zone for your hosts in your DMZ and your LAN with usual network settings (a gateway in the same LAN subnet).
- this config is based on routing instead of NAT; this avoids problems with NAT-sensitive protocols like FTP, PPTP, ...
- NAT drops a connection if no packets go through it for too long. Routing doesn't, and doesn't require any keep-alive plaster!
- the hosts in your DMZ use the public IP addresses; this makes things simple and avoids confusion.
- the LAN accesses your DMZ using public IP addresses.
- no need to define NAT rules; only the filter rules are required.
- reduced memory and CPU usage on the firewall.

Hope this helps!

Tags: it, network, firewall, pfsense, ovh, vmware

Corrine Dipas (not verified) Fri, 08/26/2011 - 19:19 permalink

Great article

Thanks a lot for this great article

Corrine Dipas

[email protected]

reply


Craig Duff (not verified) Wed, 11/09/2011 - 16:11 permalink

I don't understand this document

Sorry, the document is good and it makes sense in some areas, however I don't own an IP block; instead I have a Kimsufi server and am only allowed to have 4 public IPs. One is for the ESXi box. What I would want to do is have 3 WANs with the MACs assigned to me and a LAN for the servers to get out on. Your method for 1.2.3 about doing an arp -s for the real gateway of the server worked, but now in this version it doesn't seem to work. Can you help me out? Not sure what I am doing wrong.

reply

aspineux Thu, 11/10/2011 - 23:33 permalink

Using "failover IPs" instead of one IP block

The purpose of this article is to make the network setup of the VM hosts in the DMZ easy, with a gateway on the same network like usual. This is at the cost of a very difficult setup of the firewall.

You are speaking about 4 public IPs for your OVH Kimsufi. These are probably failover IPs, and these have a different purpose! An IP block allows you to have multiple hosts on the same sub-network. Failover IPs allow you to assign one IP to one of your existing hosts and later to assign it to another (for example if the first becomes unavailable). These IPs are not in any subnet and therefore not on the same subnet, so you cannot put them in the same DMZ. You don't even have such a DMZ!

Anyway, I understand your urge to assign these IPs to your VMs.

What you could try:

- follow this article, but
- you don't have any subnet, so don't create a DMZ and don't set up your OPT1 interface.
- in "Setup the Proxy ARP" use 10.0.0.1/32 instead (my 10.0.0.1 is one of your public IPs)
- put all your VMs in your LAN and assign them addresses in 192.168.1.0/24
- use the article about fail-over IPs (link at the end of the article) to map your other public IPs to VMs in your LAN (use 1:1).

I have not tested this setup...

If it works, please report to help others.

reply

Craig Duff (not verified) Fri, 11/11/2011 - 16:58 permalink

This document

Thank you for your reply. However I don't think this method is right. Correct me if I'm wrong, but I believe the IP addresses they assign are per server, you can only have a maximum of 4 and they are all authenticated on the OVH network if the system sees the correct MAC address coming from the virtual NIC of the VM, i.e. the pfSense WAN interface. Your method last time, arp -s 172.22.22.254 00:00:00 (real MAC of the physical gateway), worked really well with pfSense 1.2.3; now it doesn't seem to work at all with 2.0. And if I wanted multi WANs or IPs to work, I had to create another Opt1 network called "wan2" and give it the MAC OVH gave me to do the same method, and then use NAT functionality to port forward traffic from different IPs. Any further advice? Sorry to be a pain, it's just that I feel at a stopping point, can't quite work this one out.

reply

aspineux Sun, 11/13/2011 - 04:17 permalink

OVH setup can change

OVH provides new services and new features all the time. I have written an article that matched my needs to use OVH features and the lack of OVH documentation at one moment.

If you are speaking about MAC addresses provided by OVH then you have a bridge in mind, and this is not the subject of this article, even if some ideas can be useful for other uses.

It looks like you have to take a leaf from another article/sample for your needs.

Regards.

reply
Mon, 06/04/2012 - 07:36 permalink

Ignore that last comment

I have 3 virtual switches configured in ESXi: WAN, DMZ, LAN. pfSense has interfaces connecting to each one accordingly.

For the WAN interface I assigned a random IP like you did and added the gateways with shellcmd. I also added a virtual MAC address which is set up on my OVH panel for .225 (the IP of my DMZ interface).

For the DMZ interface I assigned 10.0.0.225/28 and set up the proxy ARP on 10.0.0.224/28.

LAN is default and using 192.168.1.1.

I configured the NAT outbound rules as instructed above, however I do not have any connection from the firewall or LAN clients. Any ideas?

reply

aspineux Thu, 06/14/2012 - 16:58 permalink

I would check that the route

I would check that the route added with shellcmd is still there. Reconfiguring the WAN interface kills the route and you have to restart the router or add it by hand. Did you make the right conversion when converting my 10.0.0.* addresses to your IP range? Reread the whole article one more time.

I cannot help you more.

As you could guess reading my article, I made the setup using trial and error. Of course I have good knowledge in this stuff, and always find one solution for any problem. But I used the right tools for the diagnostic:

I would create a Linux VM and connect 3 interfaces to the 3 virtual switches with unrelated addresses (or carefully choose one; at least for the LAN you can always assign a "working" address) and start a tcpdump on each interface to see packets going through the interfaces. Last, I would try to follow request and reply packets between the interfaces, check that IPs are always the ones expected when reaching/leaving an interface, and adapt the firewall setup to reach the expected result.

Good luck

reply

Charlie Came (not verified) Fri, 09/21/2012 - 00:57 permalink

ARP requests

Thanks, this is very helpful. Previously I received a complaint from OVH that I was sending ARP requests over the WAN, as I had my WAN interface configured as x.x.x.x/24 so I could reach the gateway.

Using the guide I configured the WAN interface to be a /32 and used your routing and shellcmd trick to tell pfSense where the default gateway actually was; it worked a charm...

I now have a slightly different issue. I've assigned a second failover IP to the MAC address of the WAN interface, which I did through the OVH portal. I then added this second IP to the pfSense WAN interface as a virtual IP (type: IP Alias), again as a /32. Adding it combined with a NAT rule and it works; I'm now accepting connections and making connections on the secondary IP.

A couple of hours later, another email from OVH complaining that they are seeing ARP requests every 20 minutes hitting the default gateway.

Any ideas on how to prevent this, as I believe they will block all outbound connections on the IP until it's resolved.

Thanks in advance,

Charlie

reply

aspineux Mon, 09/24/2012 - 10:50 permalink

Look at all routes related to

Look at all routes related to your WAN interface; you must have only routes attached to IPs with a mask equal to /32, or the default route. But try to use tcpdump to know which ARP is sent by your FW, using something like this:

tcpdump -n -i em0 -p arp

Also look at all r

It must be related to one IP attached (one that is not /32) to your WAN interface or to a route
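To make the tcpdump check in the reply above repeatable, here is an added example (not from the blog or its comments) that reads the text output of `tcpdump -n -i em0 -p arp` and flags ARP requests the firewall itself originates on the WAN for anything other than the provider gateway. That is the one request a correctly set up WAN (all addresses /32 plus the interface route to the gateway) should ever send; any other request points at the address with a wider mask or at a stray route. The capture lines are constructed for the example, the addresses reuse the article's test values (172.22.22.1 as the WAN address, 192.168.23.254 as the gateway, 10.0.0.0/24 as the proxied block) plus a made-up 203.0.113.10/24 alias standing in for a wrongly masked failover IP, and the function names are mine.

```python
"""Flag ARP requests a pfSense/FreeBSD WAN interface should never send.

Input: text lines from `tcpdump -n -i em0 -p arp`.  The only ARP request the
firewall legitimately originates on the WAN is for the provider gateway; every
other request it sends means an address with a mask wider than /32 or a stray
route, which is exactly what hosting providers complain about.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_interface, ip_network

# tcpdump 4.x ARP request line, for example:
# "10:00:01.000101 ARP, Request who-has 192.168.23.254 tell 172.22.22.1, length 28"
# (tcpdump may print the target MAC in parentheses after the target IP; tolerate it)
ARP_REQUEST = re.compile(
    r"ARP, Request who-has (?P<target>\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))?"
    r" tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(lines):
    """Yield (target_ip, sender_ip) for each ARP request; replies and noise are skipped."""
    for line in lines:
        m = ARP_REQUEST.search(line)
        if m:
            yield ip_address(m["target"]), ip_address(m["sender"])


def covering_wan_address(target, wan_addresses):
    """Return the configured WAN address ('a.b.c.d/len') whose mask makes `target`
    look on-link, or None when every configured address is a proper /32."""
    target = ip_address(target)
    for a in wan_addresses:
        iface = ip_interface(a)
        if iface.network.prefixlen < 32 and target in iface.network:
            return a
    return None


def audit_wan_arp(lines, wan_addresses, gateway, proxied_block):
    """Counter of (sender, target, reason) for requests the firewall itself sent
    (sender is one of our WAN addresses) whose target is not the gateway."""
    own = {ip_interface(a).ip for a in wan_addresses}
    gw = ip_address(gateway)
    block = ip_network(proxied_block)
    findings = Counter()
    for target, sender in parse_arp_requests(lines):
        if sender not in own:
            continue  # somebody else asking; proxy ARP answers those, not our concern here
        if target == gw:
            continue  # the one request we expect
        culprit = covering_wan_address(target, wan_addresses)
        if culprit:
            reason = f"mask wider than /32 on {culprit}"
        elif target in block:
            reason = f"target belongs to proxied block {block}; check proxy ARP/DMZ route"
        else:
            reason = "interface route or gateway pointing this prefix at the WAN"
        findings[(str(sender), str(target), reason)] += 1
    return findings


# Constructed capture: two normal gateway lookups, the gateway asking for a DMZ host
# (answered by proxy ARP), a misconfigured /24 alias ARPing a neighbour, and one
# request for a DMZ address leaking out of the WAN.
SAMPLE_CAPTURE = """\
10:00:01.000101 ARP, Request who-has 192.168.23.254 tell 172.22.22.1, length 28
10:00:01.000302 ARP, Reply 192.168.23.254 is-at 00:11:22:33:44:55, length 46
10:00:02.114200 ARP, Request who-has 10.0.0.2 tell 192.168.23.254, length 46
10:00:02.114400 ARP, Reply 10.0.0.2 is-at 00:0c:29:aa:bb:cc, length 28
10:20:01.000101 ARP, Request who-has 192.168.23.254 tell 172.22.22.1, length 28
10:20:05.551000 ARP, Request who-has 203.0.113.7 tell 203.0.113.10, length 28
10:40:05.551000 ARP, Request who-has 203.0.113.7 tell 203.0.113.10, length 28
10:41:00.000000 ARP, Request who-has 10.0.0.9 tell 172.22.22.1, length 28
"""


def demo():
    return audit_wan_arp(
        SAMPLE_CAPTURE.splitlines(),
        wan_addresses=["172.22.22.1/32", "203.0.113.10/24"],  # second one is the bad alias
        gateway="192.168.23.254",
        proxied_block="10.0.0.0/24",
    )


if __name__ == "__main__":
    for (sender, target, reason), n in sorted(demo().items()):
        print(f"{n:3d}x  {sender} -> who-has {target}: {reason}")
```

On a real box, pipe the capture in (`tcpdump -n -i em0 -p arp -l | python3 audit.py` with a small stdin loop, or save to a file first) and let it run for longer than the 20-minute period mentioned above; the sender/target pair with the highest count is the address or route to fix.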
