I don't need the firewall features of pfSense in my application. The firewall is 'upstream' of the pfSense box - in the ISP-furnished modem/router.

Please re-think your suggestions - with the pfSense firewall function out of the picture.

Bob G

On 08/16/2014 03:37 PM, Espen Johansen wrote:

NAT traversal is trivial. Firewalling needs physical interfaces. VLANs are possible, but VLAN jumping is also possible. VLANs to do different zones (lan/wan, lan/dmz, dmz/wan) is not something I recommend, as VLAN jumping can be done in most environments. In short: forget an idea where you firewall with a single interface. Even if this is only to play with at home. Just don't. A vanilla Linux/BSD will let you shoot yourself in the foot, so you can do it there. But there are no firewalls that will allow this without 2 interfaces. Most require 2 physical, but some will allow for 2 or more VLANs. Again, do not do it.

On 16 Aug 2014 22:13, "Adam Thompson" <[email protected]> wrote:

    On 14-08-16 01:13 PM, Espen Johansen wrote:

    You would have to do a major code rewrite to get this done.  And
    it would be insecure and it would make no pf sense :-) this is
    network basics. You don't seem to understand some network
    fundamentals. Sorry, but this is not doable without using VLANs or
    2 physical interfaces.

    On 16 Aug 2014 20:06, "Bob Gustafson" <[email protected]> wrote:

        I'm interested in doing it all within the Alix using pfsense.
        A minimum hardware approach.

        Think of my WAN mentioned below as the LAN network created by
        the modem/router furnished by the ISP and the LAN mentioned
        below as devices also connected to the back end of the
        modem/router, but not accessible by the modem/router. Only by
        LAN/pfsense.

        Bob G

            I would like to pass WAN packets (192.168.1.0/24) and LAN
            packets (192.168.2.0/24) through the same connector.

            pfsense would provide the NAT and firewalling within the
            box.


    To clarify Espen's comments: yes, it is possible to run two
    subnets on the same wire.
    Any _router_ can route between two subnets on the same wire (or
    the same VLAN, same thing - technically the same "broadcast domain").
    A _firewall_, however, will refuse to do so because it's
    nonsensical from a security perspective.
    So pfSense is a router, yes, but it is also a firewall, and in
    areas where those two roles conflict, the firewall role wins.
    As previously pointed out, you can't usefully use pf(4) in the
    circumstance you describe.
    It is technically possible, on some platforms, to perform NAT
    between the two subnets.  It would be possible, AFAIK, to manually
    craft a pf rule that does this; it is not possible to get the
    pfSense GUI to generate that rule. That's where the "major code
    rewrite" comes into play.

    I'm not aware of any firewall GUI that will let you do this - and
    for a good reason!  By hooking your LAN up directly to the WAN,
    you're effectively eliminating 99% of the security a firewall
    gives you.  (And, yes, it is possible to directly attack private
    IP addresses on most ISPs.)

    If you're determined to deploy this model, you'll have to run a
    bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and
    configure the networking stack and NAT rules by hand.

--
-Adam Thompson
      [email protected]
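    Adam's point that a firewall needs two interfaces (physical or VLAN)
    to have anything to decide on, shown as an added pf(4) configuration
    for the "bare OS, rules by hand" route he mentions. This is an added
    example, not something posted in the thread or shipped by pfSense.
    It uses the two subnets from the thread and assumes two interface
    names, vr0 towards the ISP router and vr1 towards the private LAN;
    those names are assumptions (vr* is what Alix boards usually expose).

```pf
# /etc/pf.conf -- added example, not from the thread.
# Assumed interface names: vr0 faces the ISP router's 192.168.1.0/24,
# vr1 faces the 192.168.2.0/24 LAN that the router must not reach.
ext_if  = "vr0"
int_if  = "vr1"
lan_net = "192.168.2.0/24"

set skip on lo0
scrub in all

# Hide the LAN behind the box's own address on the router-facing side.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Drop packets that arrive on the wrong interface for their source
# address. This check only exists because there are two interfaces;
# with both subnets on one wire there is nothing to compare against.
antispoof quick for { $int_if $ext_if }

# Default deny inbound on both sides, logged.
block in log all

# The box itself and the LAN may initiate outwards; state handles replies.
pass out quick keep state
pass in on $int_if from $lan_net to any keep state
```

    With this layout the 192.168.1.0/24 side can only ever reach the box's
    own address on vr0, which is the separation the single-connector
    design cannot provide.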


    _______________________________________________
    List mailing list
    [email protected]
    https://lists.pfsense.org/mailman/listinfo/list

