Hi Jelmer,

I prefer an enhanced solution: have 3 NICs, WAN, LAN and OPT1. Use the LAN interface only for management of the firewall and have a bridge between WAN and OPT1, where the servers are.

Bye,
Christoph

On 16.09.2011 14:15 Jelmer Baas wrote:
> Seth,
>
> Thank you for your quick response. What you describe looks exactly like what
> I would like to implement!
>
> I'll give it a shot asap.
>
> Thanks,
> Jelmer
>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On Behalf Of Seth Mos
>> Sent: Friday 16 September 2011 14:14
>> To: pfSense support and discussion
>> Subject: Re: [pfSense] Help with configuration of pfSense
>>
>> On 16-9-2011 13:53, Jelmer Baas wrote:
>>> Hello everyone,
>>>
>>> We would like to use a pfSense firewall to protect our internet-accessible
>>> IP range, say 82.94.x.y. I want to be able to define rules about who can
>>> access what port and what server (i.e., most of our current machines should
>>> be reached only by a small number of our customers on port 80 and 3389, the
>>> rest of the Internet must be blocked).
>>
>> That's normal, works fine.
>>
>>> Because of the number of incoming and outgoing connections I would
>>> prefer not to use NAT, so each machine has its own 82.94.x.y address, and
>>> pfSense would have to route the incoming packets to the proper machines.
>>
>> Go to NAT, Outbound NAT, toggle advanced mode, remove mappings.
>>
>>> This implies my WAN interface would be, for example, 82.94.0.1, and my
>>> LAN side would have 82.94.0.2, my first server would have 82.94.0.3 and so
>>> on.
>>
>> You can not use the same subnet on your WAN and LAN unless you bridge
>> the LAN and WAN interface in pfSense, after which the firewall rules
>> will apply normally.
>>
>>> However, when I set these values, I'm unable to ping the LAN interface,
>>> cannot access the config page, etc. All traffic is blocked, and PING and
>>> other requests to the LAN side don't even show up in the filter log, but
>>> they do show up in the pftop option.
>>
>> Because if you have no NAT mappings it becomes a router and you can not
>> use the same subnet on 2 interfaces.
>>
>>> I just found out that when I plug both the LAN and WAN into the same
>>> switch, the LAN side *is* accessible!
>>
>> Obviously.
>>
>>> Can anyone tell me if what I want is possible, and if so, how to configure
>>> it?
>>
>> I think you want a filtering bridge, servers think they are talking
>> directly to the internet, pfSense is in between filtering traffic.
>>
>> Assign no address to the LAN interface. Let the WAN have its public
>> address and then bridge the LAN and WAN interfaces under assign
>> interfaces, bridges.
>>
>> Make sure to add firewall rules on the WAN to allow traffic in and
>> firewall rules on the LAN to let the return traffic from the servers out.
>>
>> Regards,
>>
>> Seth
>> _______________________________________________
>> List mailing list
>> [email protected]
>> http://lists.pfsense.org/mailman/listinfo/list
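The filtering bridge Seth describes, in Christoph's three-NIC variant, written out as a FreeBSD pf.conf so the whole ruleset can be read in one place. This is an added example, not configuration from either poster and not what the pfSense GUI generates verbatim; the interface names (em0/em1/em2), the server and customer addresses, the management network and the management ports are assumptions for illustration. The security point of the three-NIC layout is that the firewall's own management address lives on a LAN that is not a bridge member, so it is never reachable from the public side; in the two-NIC layout the only address is the public one on WAN.

```pf
# Added example: Christoph's 3-NIC filtering bridge as a FreeBSD pf.conf.
# Interface names, addresses and ports are assumed for illustration.
#
# Prerequisites outside pf.conf (FreeBSD sysctl and rc.conf; pfSense exposes
# the two sysctls as System Tunables):
#   net.link.bridge.pfil_member=1   # filter on em0/em2, the bridge members
#   net.link.bridge.pfil_bridge=0   # do not filter a second time on bridge0
#   cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 addm em2 up"
#   ifconfig_em0="inet 82.94.0.1 netmask 255.255.255.0"   # WAN keeps the public address
#   ifconfig_em2="up"                                      # OPT1: bridge member, no address
#   ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"  # LAN: management only, not bridged

wan  = "em0"
lan  = "em1"
opt1 = "em2"

servers   = "{ 82.94.0.3, 82.94.0.4 }"          # assumed server addresses behind OPT1
customers = "{ 203.0.113.0/24, 198.51.100.7 }"  # assumed customer sources (RFC 5737 ranges)
mgmt_net  = "192.168.1.0/24"                     # assumed management network on LAN

set skip on lo0
set state-policy floating   # a state created on WAN-in also covers the OPT1-out leg of the bridge

# No nat/rdr rules at all: the pf.conf equivalent of removing every Outbound NAT
# mapping in advanced mode, so 82.94.x.y addresses cross the bridge unchanged.

# Default deny, logged, on every interface.
block log all

# Management plane: the firewall itself, only from the LAN network, only on the
# assumed management ports. LAN is not a bridge member, so nothing from LAN is
# ever forwarded towards the servers or the Internet.
pass in quick on $lan proto tcp from $mgmt_net to ($lan) port { 22, 443 } flags S/SA keep state

# Data plane, inbound: named customers to the servers on 80 and 3389 only.
pass in quick on $wan proto tcp from $customers to $servers port { 80, 3389 } flags S/SA keep state

# Data plane, outbound: let the servers initiate connections to the Internet.
pass in quick on $opt1 from $servers to any keep state

# Explicit out rules on both bridge members. With floating states these are
# never consulted for a flow that already passed on the other member; they are
# what Seth's "rules on the server side" advice amounts to if state-policy is
# ever switched to if-bound.
pass out quick on $opt1 from $customers to $servers keep state
pass out quick on $wan from $servers to any keep state
```

Validate before loading with `pfctl -nf /etc/pf.conf`, then `pfctl -f /etc/pf.conf`. Jelmer's original symptom (LAN unreachable, nothing in the filter log) is what a routed layout with one subnet on two interfaces looks like: with `pfil_member=1` on a bridge, a packet from a customer is instead filtered inbound on em0 and outbound on em2, and `block log all` will show exactly which leg dropped it if a rule is missing.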
