On 10 February 2017 at 22:24, Karl Fife <[email protected]> wrote:

> I presume your ISP gave you a tunnel network and a public /28, and you're
> trying to use the IPs in the /28. Until recently, you had been binding
> the tunnel network interfaces directly to your 'wan'.

No, no tunnel involved.

> You should probably be running a second router. The rationale is trust
> levels. The first router can function as a DMZ for your hosts that are on
> public interfaces. Because the trust levels between your public subnet and
> your LANs are significantly different, you don't want a configuration that
> opens your LAN to the world if you make even the most minor configuration
> error. Your second router can function as a firewall for your user-LANs,
> and the firewall's WAN will be a LAN IP in your public /30. You can still
> do multi-WAN on your firewall. Our DMZ is served by a 6-interface Lanner
> FW-7541D which allows me different policies for different physical
> interfaces.
>
> The way you have drawn your sketch makes me think you conceptualize the
> two ISP interfaces as being 'outside', and your 'lans' are 'inside'. That
> idea is wrong, and will get you into trouble. To deliberately use the
> language of that wrong concept, any interface allowed to talk to the world
> (any) is completely and utterly "inside" (including your public /28). This
> is true unless you carefully and iteratively block egress TO any/every
> LAN, LAN2, Tunnel, VPN etc. It is error-prone and fussy, especially as you
> add interfaces/VLANs/VPNs. You can simplify things somewhat with
> floating rules and interface group rules, but the ease with which it does
> something you don't expect is counter-intuitive.

While I appreciate that you're trying to be helpful, you haven't actually addressed the core problem, which is that pfSense doesn't seem to be routing between interfaces. The problem holds true regardless of the addresses involved.

I see that you're in the "NAT is security" camp, which is unfortunately a misinformed way to approach network security. NAT provides no security in and of itself; what you're benefiting from there is the implicit IP ACL.

ACLs themselves aren't difficult unless you don't have a clear idea of what's running on your network, and then I agree it's easy to miss things. You clearly haven't operated an IPv6 network where there are no NATs, and everything is a routable address. You're going to have to get past that mental block in the next few years if you're operating anything other than a residential network.

Good luck.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
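As an added illustration (not from either poster), here is the trust-level design Karl describes, written as a plain pf(4) ruleset: a routed public /28 for exposed hosts, an RFC1918 user LAN, and a single table of "internal" networks so the egress block he calls fussy is maintained in one place rather than per rule. Interface names, addresses and service ports are assumptions; pfSense generates its own pf.conf from the GUI, so this is a policy sketch for reading, not something to paste into a pfSense box.

```pf
# Added example, not from the thread. Interface names and addresses assumed.
ext_if = "igb0"                 # ISP uplink (public /30 lives here)
dmz_if = "igb1"                 # routed public /28 for exposed hosts
lan_if = "igb2"                 # user LAN, RFC1918
dmz_net = "203.0.113.16/28"     # TEST-NET-3 stands in for the real /28
lan_net = "192.168.10.0/24"

# Every network that is "inside" from a trust standpoint, public or private.
# A new VLAN or VPN subnet is added here once instead of to every pass rule.
table <internal> const { 203.0.113.16/28, 192.168.10.0/24, 10.8.0.0/24 }

set skip on lo0
block log all                   # default deny on every interface, in and out

# No NAT for the DMZ: the /28 is routed and reachable as-is. Only the LAN is
# translated, and that is for address scarcity, not as a security control.
nat on $ext_if from $lan_net to ! <internal> -> ($ext_if)

# DMZ hosts: reachable from the world on the services they expose, may reach
# the Internet, but never another internal network (the table does the work).
pass in on $ext_if proto tcp to $dmz_net port { 80, 443 }
pass in on $dmz_if from $dmz_net to ! <internal>

# LAN users: Internet plus the published DMZ services, nothing else internal.
pass in on $lan_if from $lan_net to ! <internal>
pass in on $lan_if proto tcp from $lan_net to $dmz_net port { 80, 443 }

# Management of the firewall itself, from the LAN side only.
pass in on $lan_if proto tcp from $lan_net to ($lan_if) port 22
```

With pf's default floating state policy, the `pass in` rules create state that also covers the outbound leg on the other interface, so no matching `pass out` rules are needed; `block log all` then makes every inter-interface path that is not explicitly listed show up in the pflog rather than silently working.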