Hi

I need to give public SSH access to a box for a remote chap who does not have a 
static IP.  I may be able to give him a PPTP user account connecting to the 
specified box's IP.  Box IPs are assigned using a DHCP server.

I wish to maintain my security(!)  The box he is getting access to is a test 
nix box, so if it gets trashed we can live with that. 
LAN1 is for my critical boxes.  LAN2 is for printers, less critical PCs that 
could still harbour viruses, and local guests.  LAN3 is newly created for the 
above SSH access as the only way I can see to ring-fence that box.

LAN1 = 10.x.y.a /24
LAN2 = 10.x+1.y.b /24
LAN3 = 10.x+2.y.c /24

NAT access is provided to boxes on all LANx and that seems fine so not detailed 
further.

Goals:
1) All LANx should have Internet access:

Firewall: NAT: Outbound

Interface WAN
Source LANx  (Rule repeated for each x)
Source Port *
Destination, Destination Port, NAT Address, NAT Port *
Static Port No


2) LAN1 can access all of LAN2 (and can access LAN2 and LAN3 via any public NAT 
ports opened) including printers on LAN2.  Windows PCs are on LAN1 and LAN2.  
It is preferable to have Win Net access from LAN1 to 2 but not the reverse.  
(Does not work)

Firewall: Rules  For LAN1:
ALLOW
Proto *
Source LAN net
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN to any

3) LAN2 cannot access any other LAN except the network printers on LAN1.  I 
understand the first rule is processed first, and subsequent rules pick up the 
pieces that are left over and not already covered.

Firewall: Rules For LAN2:
BLOCK
Proto *
Source LAN2 net
Port *
Destination LAN1 address
Port *
Gateway *
Schedule *
Description Block All LAN2 to LAN1

ALLOW
Proto *
Source *
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN2 to Internet

4) LAN3 cannot access any other LAN


Firewall: Rules For LAN3:
BLOCK
Proto *
Source LAN3 net
Port *
Destination LAN1 address
Port *
Gateway *
Schedule *
Description Block All LAN3 to LAN1   (Could repeat for LAN2 also?)

ALLOW
Proto *
Source *
Port *
Destination *
Port *
Gateway *
Schedule *
Description LAN3 to Internet


I thought I'd configured the rules to allow this however from LAN3 I can view 
webpages on LAN1 and ping LAN1 addresses, which 
suggests to me my rules are not working and it would be premature to expose the 
box to the net!

Can anyone tell me where my logic is failing?

Kind regards
David 
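The following is an added illustration, not part of David's post or of pfSense itself: a small first-match evaluator that models the LAN3 rule set as posted and compares the "LAN1 address" destination (which, in pfSense terms, is the firewall's own interface IP on LAN1) with "LAN1 net" (the whole LAN1 subnet). All addresses are constructed samples, since the post only gives 10.x.y.a/24 placeholders.

```python
import ipaddress
from typing import Optional, Union

Target = Optional[Union[ipaddress.IPv4Network, ipaddress.IPv4Address]]

# Constructed sample addressing (not from the post).
LAN1_NET = ipaddress.ip_network("10.1.1.0/24")        # "LAN1 net": the whole subnet
LAN1_ADDRESS = ipaddress.ip_address("10.1.1.1")       # "LAN1 address": the firewall's LAN1 interface IP
LAN3_NET = ipaddress.ip_network("10.3.1.0/24")        # "LAN3 net"
LAN1_WEB_SERVER = ipaddress.ip_address("10.1.1.50")   # a web server on LAN1 (constructed)
LAN3_CLIENT = ipaddress.ip_address("10.3.1.20")       # the SSH test box on LAN3 (constructed)
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")  # some host on the Internet (constructed)


def _hits(target: Target, ip: ipaddress.IPv4Address) -> bool:
    """'*' (None) matches anything; a network matches by membership; a single address must be equal."""
    if target is None:
        return True
    if isinstance(target, ipaddress.IPv4Network):
        return ip in target
    return ip == target


def evaluate(rules, src, dst):
    """First matching rule wins, top to bottom; no match falls through to the implicit default deny."""
    for rule in rules:
        if _hits(rule["src"], src) and _hits(rule["dst"], dst):
            return rule["action"], rule["desc"]
    return "block", "default deny"


def lan3_rules(block_dst: Target):
    """The two LAN3 rules from the post, parameterised on what the BLOCK rule's destination means."""
    return [
        {"action": "block", "src": LAN3_NET, "dst": block_dst, "desc": "Block All LAN3 to LAN1"},
        {"action": "pass", "src": None, "dst": None, "desc": "LAN3 to Internet"},
    ]


AS_POSTED = lan3_rules(LAN1_ADDRESS)  # destination "LAN1 address": only the firewall's own IP
WITH_NET = lan3_rules(LAN1_NET)       # destination "LAN1 net": every host on LAN1

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("with LAN1 net", WITH_NET)):
        print(name, "LAN3 -> LAN1 web server:", evaluate(rules, LAN3_CLIENT, LAN1_WEB_SERVER))
```

With the rule as posted, traffic to a LAN1 host other than the firewall's interface IP falls through to the "LAN3 to Internet" pass rule, which is consistent with the web pages and pings observed from LAN3.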

