Pol,

In this case, all you should need is the appropriate firewall rules (and
simple routing). NAT is not required, and would actually complicate your
setup.

If your pfSense is already set up as the gateway for each LAN, then no
additional routing setup is required.

All you need to do is create rules on each LAN interface that allow
incoming traffic from the other LAN.

Here are some example rules that permit all traffic between the two LANs. *If
you want to keep your LANs separate for security reasons, you should not
use these rules. You should use rules that only allow the services that you
need.*


   - Rule on LAN1 interface:
      - Action: "Pass"
      - Source: "LAN1 net"
      - Destination: "LAN2 net"
   - Rule on LAN2 interface:
      - Action: "Pass"
      - Source: "LAN2 net"
      - Destination: "LAN1 net"

If you know that you only need certain IP addresses (i.e. just the servers)
and/or certain ports (e.g. web, ftp, ssh, etc.) to be open, you should
limit to those ports. If you have multiple servers that should have the
same rules, you can create aliases to make the rules easier to manage.

Here is an example of a portion of the rules we use on our guest WiFi
network (our LAN3) to allow users of that WiFi to access services on our
servers:

   - IP alias named "HostsWebAllowedFromWifi":
      - Server IPs on LAN1
   - Ports alias named "PortsWebAllowedFromWifi":
      - 80
      - 443
   - IP alias named "HostsSSHAllowedFromWifi":
      - Server IPs on LAN1
   - Ports alias named "PortsSSHAllowedFromWifi":
      - 22
      - (A secret alternate SSH port that most of our servers use)


   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsWebAllowedFromWifi"
      - Destination Port Range: "PortsWebAllowedFromWifi"
   - Rule on LAN3 interface (our guest WiFi):
      - Action: "Pass"
      - Source: "LAN3 net"
      - Destination: "HostsSSHAllowedFromWifi"
      - Destination Port Range: "PortsSSHAllowedFromWifi"


Hope that helps,

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732

On Fri, Sep 9, 2016 at 9:01 AM, Pol Hallen <pfsens...@fuckaround.org> wrote:

> Hi all :-)
>
> I need to allow traffic from lan1 and lan2 and vice-versa
>
> wan has 192.168.5.0/30
> lan1 has 192.168.10.0/24
> lan2 has 192.168.1.0/24
>
> wan <---> lan1 <---> switch <---> server <---> clients (same network)
>           lan2 <---> switch <---> server <---> clients (same network)
>
> do I need to use NAT (which one?) or only PF rules?
>
> How allow lan1 and lan2 to communicate?
>
> ping between lan1 and lan2 works but traceroute no :-/
>
> thanks for help!
>
> Pol
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
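The two rule sets in Moshe's reply (the permissive LAN1/LAN2 pair and the alias-restricted guest WiFi rules) can be checked against concrete packets with a small model of how pfSense evaluates them: on the interface where the packet enters, top to bottom, first match wins, and anything no rule matched is dropped. The following is an added example and not code from the thread or from the pfSense project. The LAN1/LAN2 ranges come from Pol's question; the LAN3 range (192.168.20.0/24), the server addresses in the host aliases and the port 2222 standing in for the unnamed alternate SSH port are all constructed placeholders. The model ignores pf's state table, so it only answers "would this connection be allowed to start", which is the question the rules decide.

```python
"""Toy model of pfSense per-interface, first-match firewall rule evaluation.

Added example, not from the mailing-list thread. Addresses, ports and the
LAN3 range are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface -> attached network. LAN1/LAN2 as in the question; LAN3 is an
# assumed guest WiFi range.
NETS = {
    "LAN1": ipaddress.ip_network("192.168.10.0/24"),
    "LAN2": ipaddress.ip_network("192.168.1.0/24"),
    "LAN3": ipaddress.ip_network("192.168.20.0/24"),
}

# Aliases as pfSense uses them: host aliases expand to addresses, port
# aliases to port numbers. Values are constructed placeholders.
HOST_ALIASES = {
    "HostsWebAllowedFromWifi": {"192.168.10.10", "192.168.10.11"},
    "HostsSSHAllowedFromWifi": {"192.168.10.10"},
}
PORT_ALIASES = {
    "PortsWebAllowedFromWifi": {80, 443},
    "PortsSSHAllowedFromWifi": {22, 2222},  # 2222 = placeholder alternate SSH port
}


@dataclass
class Rule:
    interface: str                 # interface the rule is attached to
    action: str                    # "pass" or "block"
    source: str                    # "<IF> net", a host alias name, or "any"
    destination: str
    proto: str = "any"             # "any", "tcp", "udp", "icmp"
    dports: Optional[str] = None   # port alias name, or None for any port


@dataclass
class Packet:
    ingress: str                   # interface the packet arrives on
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.endswith(" net"):
        return ipaddress.ip_address(addr) in NETS[spec[:-4]]
    return addr in HOST_ALIASES[spec]


def _port_matches(spec: Optional[str], port: int) -> bool:
    return spec is None or port in PORT_ALIASES[spec]


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule on the ingress interface decides; default is block."""
    for r in rules:
        if r.interface != pkt.ingress:
            continue
        if r.proto not in ("any", pkt.proto):
            continue
        if (_addr_matches(r.source, pkt.src)
                and _addr_matches(r.destination, pkt.dst)
                and _port_matches(r.dports, pkt.dport)):
            return r.action
    return "block"


def reachable_ports(rules, ingress, src, dst, proto="tcp"):
    """Defender's check: which ports on dst can a host on ingress open?"""
    return sorted(p for p in range(1, 65536)
                  if evaluate(rules, Packet(ingress, src, dst, proto, p)) == "pass")


# The permissive pair from the reply: everything between LAN1 and LAN2.
PERMIT_ALL_RULES = [
    Rule("LAN1", "pass", "LAN1 net", "LAN2 net"),
    Rule("LAN2", "pass", "LAN2 net", "LAN1 net"),
]

# The least-privilege guest WiFi rules built from aliases.
GUEST_WIFI_RULES = [
    Rule("LAN3", "pass", "LAN3 net", "HostsWebAllowedFromWifi",
         "tcp", "PortsWebAllowedFromWifi"),
    Rule("LAN3", "pass", "LAN3 net", "HostsSSHAllowedFromWifi",
         "tcp", "PortsSSHAllowedFromWifi"),
]

if __name__ == "__main__":
    guest = "192.168.20.5"
    for host in ("192.168.10.10", "192.168.10.11", "192.168.10.12"):
        print(host, reachable_ports(GUEST_WIFI_RULES, "LAN3", guest, host))
```

Running the block lists, per server, exactly which ports the guest network can reach, which is the review you want to do before trusting an alias-based policy: a host accidentally added to the wrong alias shows up immediately as an extra open port.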