Then don't use pfSense - that's simple.
Like I said in a previous email, feel free to do this with your choice of OS.
PfSense doesn't give you quite enough rope to do what you want.
-Adam
On August 16, 2014 11:09:20 PM CDT, Bob Gustafson <[email protected]> wrote:
>I don't need the firewall features of pfsense in my application. The
>firewall is 'upstream' of the pfsense box - in the ISP furnished
>modem/router.
>
>Please re-think your suggestions - with the pfsense firewall function
>out of the picture.
>
>Bob G
>
>On 08/16/2014 03:37 PM, Espen Johansen wrote:
>>
>> NAT traversal is trivial. Firewalling needs physical interfaces.
>> VLANs are possible but VLAN jumping is also possible. VLANs to do different
>> zones (lan/wan lan/dmz dmz/wan) is not something I recommend as VLAN
>> jumping can be done in most environments. In short: forget an idea
>> where you firewall with a single interface. Even if this is only to
>> play with at home. Just don't. A vanilla linux/bsd will let you shoot
>> yourself in the foot. So you can do it there. But there are no
>> firewalls that will allow this without 2 interfaces. Most require 2
>> physical, but some will allow for 2 or more VLANs. Again, do not do
>> it.
>>
>> On 16 Aug 2014 22:13, "Adam Thompson" <[email protected]> wrote:
>>
>> On 14-08-16 01:13 PM, Espen Johansen wrote:
>>>
>>> You would have to do a major code rewrite to get this done. And
>>> it would be insecure and it would make no pf sense :-) this is
>>> network basics. You don't seem to understand some network
>>> fundamentals. Sorry but this is not doable without using VLANs or
>>> 2 physical interfaces.
>>>
>>> On 16 Aug 2014 20:06, "Bob Gustafson" <[email protected]> wrote:
>>>
>>> I'm interested in doing it all within the Alix using pfsense.
>>> A minimum hardware approach.
>>>
>>> Think of my WAN mentioned below as the LAN network created by
>>> the modem/router furnished by the ISP and the LAN mentioned
>>> below as devices also connected to the back end of the
>>> modem/router, but not accessible by the modem/router. Only by
>>> LAN/pfsense.
>>>
>>> Bob G
>>>>
>>>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets
>>>> (192.168.2.0/24) through the same connector.
>>>>
>>>> pfsense would provide the NAT and firewalling within the box.
>>>>
>>
>> To clarify Espen's comments: yes, it is possible to run two
>> subnets on the same wire.
>> Any _router_ can route between two subnets on the same wire (or
>> the same VLAN, same thing - technically the same "broadcast
>> domain").
>> A _firewall_, however, will refuse to do so because it's
>> nonsensical from a security perspective.
>> So pfSense is a router, yes, but it is also a firewall, and in
>> areas where those two roles conflict, the firewall role wins.
>> As previously pointed out, you can't usefully use pf(4) in the
>> circumstance you describe.
>> It is technically possible, on some platforms, to perform NAT
>> between the two subnets. It would be possible, AFAIK, to manually
>> craft a pf rule that does this; it is not possible to get the
>> pfSense GUI to generate that rule. That's where the "major code
>> rewrite" comes into play.
>>
>> I'm not aware of any firewall GUI that will let you do this - and
>> for a good reason! By hooking your LAN up directly to the WAN,
>> you're effectively eliminating 99% of the security a firewall
>> gives you. (And, yes, it is possible to directly attack private
>> IP addresses on most ISPs.)
>>
>> If you're determined to deploy this model, you'll have to run a
>> bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and
>> configure the networking stack and NAT rules by hand.
>>
>> --
>> -Adam Thompson
>> [email protected]
>>
>>
>> _______________________________________________
>> List mailing list
>> [email protected]
>> https://lists.pfsense.org/mailman/listinfo/list
>>
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
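Adam's router-versus-firewall point, worked through as an added example (mine, not code from the thread or from pfSense): a small Python model of next-hop selection on one broadcast domain versus two. The 192.168.1.50 device, the host names and the wire labels are constructed; only the two subnets are Bob's. With both subnets on one wire a packet can reach a LAN host without ever crossing the firewall, whereas with two interfaces the only way in is through it.

```python
from ipaddress import IPv4Address, IPv4Network

class Host:
    """ifaces: (address, prefix, wire); routes: (prefix, gateway or None = on-link, wire)."""
    def __init__(self, name, ifaces, routes=(), forwards=False):
        self.name, self.forwards = name, forwards
        self.ifaces = [(IPv4Address(a), IPv4Network(p), w) for a, p, w in ifaces]
        self.routes = [(IPv4Network(p), IPv4Address(g) if g else None, w) for p, g, w in routes]

    def lookup(self, dst):  # longest-prefix match over connected prefixes and static routes
        cands = [(p, None, w) for _, p, w in self.ifaces if dst in p]
        cands += [r for r in self.routes if dst in r[0]]
        return max(cands, key=lambda r: r[0].prefixlen, default=None)

def arp(hosts, wire, ip):
    """Whoever owns ip on this wire (broadcast domain) answers, whatever subnet the asker is in."""
    return next((h for h in hosts if any(a == ip and w == wire for a, _, w in h.ifaces)), None)

def trace(hosts, src, dst):
    """Names of the hosts a packet crosses from src to dst, or None if it is dropped."""
    dst, cur, path = IPv4Address(dst), src, [src.name]
    for _ in range(8):                              # hop limit
        if any(a == dst for a, _, _ in cur.ifaces):
            return path
        if cur is not src and not cur.forwards:
            return None                             # an end host does not forward
        r = cur.lookup(dst)
        nxt = arp(hosts, r[2], r[1] or dst) if r else None
        if nxt is None:
            return None                             # no route, or nobody answers on that wire
        cur, path = nxt, path + [nxt.name]
    return None

def build(single_wire):
    """Bob's one-connector layout (single_wire=True) or the usual two-interface one."""
    wan, lan = ("wire", "wire") if single_wire else ("wan", "lan")
    fw = Host("fw", [("192.168.1.2", "192.168.1.0/24", wan),
                     ("192.168.2.1", "192.168.2.0/24", lan)], forwards=True)
    pc = Host("lan_pc", [("192.168.2.10", "192.168.2.0/24", lan)], [("0.0.0.0/0", "192.168.2.1", lan)])
    # Constructed: a device on the modem/router LAN with a hand-added on-link route for the LAN prefix.
    other = Host("isp_side", [("192.168.1.50", "192.168.1.0/24", wan)], [("192.168.2.0/24", None, wan)])
    return fw, pc, other

def results(single_wire):
    """Path with the on-link route, then with a route via the firewall's 192.168.1.2."""
    fw, pc, other = build(single_wire)
    direct = trace([fw, pc, other], other, "192.168.2.10")
    other.routes = [(IPv4Network("192.168.2.0/24"), IPv4Address("192.168.1.2"), other.ifaces[0][2])]
    routed = trace([fw, pc, other], other, "192.168.2.10")
    return {"direct": direct, "routed": routed}
```

On one wire `results(True)["direct"]` reaches lan_pc with "fw" nowhere in the path; with two interfaces the same on-link route goes nowhere and only the path via the firewall's address succeeds.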