On Wed, Mar 25, 2009 at 12:01 PM, Mike Ashton <[email protected]> wrote:
> Dave,
>
> Thanks for the presentation, well done. One quick request, could you also
> forward the link that was mentioned on network design best practices?
Hi Mike,

We had some discussion about IP numbering schemes and how bad decisions can lead to problems with VPN access. I mentioned a thread in the pfSense list but I didn't have any specific resources in mind. I've pasted the thread below. If that's not what you were asking about, let me know and I'll answer the right question. :-)

Forwarded conversation
Subject: [pfSense Support] Simple Firewall that needs to allow VPN access to the network and a VLAN on the network.
------------------------
From: Chuck Mariotti <[email protected]>
Date: Fri, Feb 27, 2009 at 5:36 PM
To: "[email protected]" <[email protected]>

I have a firewall that needs replacing on short notice and I would like to use pfSense. The network is 192.168.1.x (servers, printers, etc.); there is a VLAN on that same network (for their Nortel BCM / phones) that is 192.168.200.x. I want to be able to VPN into a pfSense box and access everything on the 192.168.1.x and the 192.168.200.x networks. Basically, we'd like to get people working from home using VoIP softphones accessing the BCM and, at the same time, the network equipment.

I've never needed to do this before (getting VPN access into the first network is easy enough), so how or where would I do this to access the VLAN as well? If I remember, when I do a fresh install it asks to create VLANs. Is this where I would define the 192.168.200.x network? That network already exists and I think is defined in the Ethernet switch. Would this conflict, or is this on the right track? Would I need another Ethernet port (so three) on the pfSense box to simplify this? Or does the VLAN just show up as if it is another LAN port in pfSense?

One last question on VPNs. I recall way back that having a remote user on a network with the 192.168.1.x series trying to VPN into another network with the same number scheme would cause conflicts and problems (basically mixing up, thinking they're on the same subnet). I haven't used the 192.168 series of IPs for that one reason for the past 10+ years (all the Linksys/D-Link/consumer stuff does by default). Is this still the case?

Any advice would be appreciated.

Regards,
Chuck

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Commercial support available - https://portal.pfsense.org

----------
From: Dave Donovan <[email protected]>
Date: Fri, Feb 27, 2009 at 7:16 PM
To: [email protected]

Chuck,

From my experience, you're likely to have problems accessing that 192.168.1.x network. When I moved to my current employer, I inherited a network with that numbering scheme and it was a frequent problem, especially with users at hotels and other hotspots which favoured that number range. (I know that's not exactly your application.) There are just too many Linksys, D-Link and other such devices out there using those numbers.

I think we were able to address the problem for some users by adding a route to their Windows box that aimed at a specific machine (like the file server where their home drive lived). If the file server was 192.168.1.10, we would send them home with a batch file that looked like:

    REM Allow users with overlapping IP scheme to connect to fileserver at MyCompany
    REM Add a /32 host route that tells the local PC to go over the VPN for the fileserver.
    REM route.exe syntax: route add <destination> mask <netmask> <gateway> metric <n>
    route add 192.168.1.10 mask 255.255.255.255 [far end of VPN] metric 1

Then we could map a drive to a share on \\192.168.1.10. That's just from memory so I wouldn't bet my life on the syntax.

This is on an IP-by-IP basis, and if you want to access dozens of printers, servers and other resources it's going to be a nuisance, and you increase the risk of overlapping an IP that the home user is actually using on their net.

We ended up renumbering our network into the 172.x.y.z scheme and it solved those issues. I'd still avoid 172.16 because lots of people use it, and if you ever want to interoperate you might be running into the same issues. Off the top of my head I think values of 16-31 are valid for the second octet.

Sorry, no guidance here on the VLAN issues.

Best Regards,
Dave

----------
From: Chuck Mariotti <[email protected]>
Date: Fri, Feb 27, 2009 at 8:39 PM
To: "[email protected]" <[email protected]>

Ya, I thought so. Can you believe Bell set this network up? They are on CRACK. That's the first thing I thought: wow, this is a beginner's mistake.

Well, I think I will tell him that I want to renumber the network. Maybe I can somehow do it just to the 192.168.1.x and leave the telecom VLAN 192.168.200.x. I've always used the 10.x.x.x series; it's the least characters: 10.10.9.9, etc.

Thanks for the confirmation.

Regards,
Chuck

----------
From: Ho Sy Tan <[email protected]>
Date: Sun, Mar 1, 2009 at 11:26 PM
To: [email protected]

I want to build a pfSense .iso to set up on my system from the pfSense source. Who can help me with this? I tried to follow the instructions in http://devwiki.pfsense.org/DevelopersBootStrapAndDevIso but some errors happened. Can anyone show me how to follow these instructions?

----------
From: Paul Mansfield <[email protected]>
Date: Mon, Mar 2, 2009 at 6:23 AM
To: [email protected]

RFC1918 says you should pick a *random* entry from one of the ranges, so that if two organisations merge there's less chance of a numbering collision.

----------
From: Abdulrehman <[email protected]>
Date: Mon, Mar 2, 2009 at 6:32 AM
To: [email protected]

RFC is right... but it takes more common sense than technicality!

Regards
Abdulrehman
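The two pieces of advice in the thread, a /32 host route over the VPN as a stopgap for an overlapping subnet and renumbering into a randomly chosen RFC 1918 range as the cure, can both be checked mechanically before a user is sent home with a batch file. The script below is an added example, not code from the thread, from the list members or from pfSense. It assumes a home LAN of 192.168.1.0/24 and a VPN gateway of 10.99.0.1 (both made up), and the short COMMON_DEFAULTS list of subnets that consumer routers hand out is an assumption of the example, not something the thread enumerates.

```python
"""Check a VPN address plan for RFC 1918 overlap and produce the two fixes
discussed in the thread: /32 host routes as a stopgap, renumbering as the cure.
Added example; the sample networks and the VPN gateway address are made up."""
import ipaddress
import secrets

# The three RFC 1918 private blocks.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Subnets that consumer routers and hotspots commonly hand out. Assumed list
# for this example; the thread only names 192.168.1.x and 172.16 as ones to avoid.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
)]


def find_overlaps(local_nets, remote_nets):
    """(local, remote) pairs of subnets that overlap. Once the VPN is up the
    client has two routes for such addresses and normally prefers the directly
    connected one, so the remote side becomes unreachable."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    remote = [ipaddress.ip_network(n) for n in remote_nets]
    return [(str(a), str(b)) for a in local for b in remote if a.overlaps(b)]


def host_route_commands(hosts, local_nets, vpn_gateway):
    """The per-host workaround from the thread: a /32 route over the VPN for
    each server the user needs. Returns (commands, hijacked); 'hijacked' lists
    hosts whose /32 also lies inside a local subnet, where the route captures
    that address even if something on the home LAN already uses it."""
    local = [ipaddress.ip_network(n) for n in local_nets]
    gw = ipaddress.ip_address(vpn_gateway)
    commands, hijacked = [], []
    for h in hosts:
        ip = ipaddress.ip_address(h)
        # Windows route.exe syntax: destination, MASK, netmask, gateway, METRIC.
        commands.append(f"route add {ip} mask 255.255.255.255 {gw} metric 1")
        if any(ip in n for n in local):
            hijacked.append(str(ip))
    return commands, hijacked


def random_private_subnet(prefixlen, avoid=(), rng=secrets.randbelow):
    """Pick a random /prefixlen from RFC 1918 space (the renumbering cure) that
    overlaps neither the networks in 'avoid' nor the common defaults. The draw
    is uniform over all candidate subnets, so 10/8 is chosen most often.
    'rng(n)' must return an int in [0, n); it is a parameter so a test can fix it."""
    if not 16 <= prefixlen <= 30:
        raise ValueError("prefix length must be between 16 and 30")
    avoid = [ipaddress.ip_network(n) for n in avoid] + COMMON_DEFAULTS
    sizes = [2 ** (prefixlen - b.prefixlen) for b in RFC1918]
    total = sum(sizes)
    for _ in range(10000):
        idx = rng(total)
        # Map the flat index onto (block, offset within block).
        for block, size in zip(RFC1918, sizes):
            if idx < size:
                base = int(block.network_address) + idx * 2 ** (32 - prefixlen)
                candidate = ipaddress.IPv4Network((base, prefixlen))
                break
            idx -= size
        if not any(candidate.overlaps(n) for n in avoid):
            return candidate
    raise RuntimeError("no free subnet found in RFC 1918 space")


if __name__ == "__main__":
    home = ["192.168.1.0/24"]                        # constructed: typical hotspot/home LAN
    office = ["192.168.1.0/24", "192.168.200.0/24"]  # the two networks from the thread
    print("overlaps:", find_overlaps(home, office))
    cmds, hijacked = host_route_commands(["192.168.1.10"], home, "10.99.0.1")  # gateway assumed
    print("\n".join(cmds))
    print("host routes that shadow local addresses:", hijacked)
    print("renumbering candidate:", random_private_subnet(24, avoid=office))
```

Run against the thread's scenario it reports the 192.168.1.0/24 collision, emits the same `route add` line Dave describes, and flags 192.168.1.10 as a host route that shadows a local address (the risk he mentions). The random draw is the part RFC 1918 actually recommends: a /24 picked out of roughly 70,000 candidates is far less likely to collide with a hotel or a future merger partner than 192.168.1.0/24 or 172.16.0.0/24.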
