Re: [pfSense] Gateway on a gateway...

2014-05-17 Thread Klaus Wunder
Hello,

You can use pfSense as a BGP router. There is a package you can install.

Also, you can ask your ISP about the use of the dynamic routing protocol.

Kind Regards

Klaus

> On 17.05.2014 at 20:14, "J. Echter" wrote:
> 
> On 17.05.2014 at 08:25, faisal.gill...@akesp.org wrote:
>> Thank you for replying MoJo.
>> So you recommend me removing pfsense acting as static routes router with 
>> real hardware routers? Or are you asking me to add dynamic routing functionality 
>> to pfsense?
>> 
>> Thanks
>> Faisal
>> 
>> 
>> 
>> - Reply message -
>> From: "mOjO" 
>> To: "pfSense Support and Discussion Mailing List" , 
>> "dragonator" 
>> Subject: [pfSense]Gateway on a gateway...
>> Date: Sat, May 17, 2014 10:07 AM
>> 
>> On the pfSense firewall?  Nothing. 
>> You need to change your routers.
>> Ideally, your MPLS routers are using BGP.  Then on the site 1 router under 
>> the BGP section you can tell it to advertise the 0.0.0.0 route by adding 
>> "network 0.0.0.0" and make sure you have a static route on that router for 
>> 0.0.0.0 to the firewall. Site 2 should then use the MPLS router as their 
>> default gateway instead of the firewall.  As an added bonus you can have 
>> site 2 failover to their local internet when the MPLS is down by adding a 
>> lower metric (255) default route that will kick in when the BGP advertised 
>> route disappears when the MPLS goes down. 
>> 
>> 
>> 
>> - Reply message -
>> From: "faisal.gill...@akesp.org" 
>> To: "dragonator" , 
>> Subject: [pfSense]Gateway on a gateway...
>> Date: Fri, May 16, 2014 11:27 PM
>> 
>> When I try to do this, Pfsense gives me an error that the firewall is not local 
>> to my subnet, which is 
>> 172.16.1.16 on subnet 255.255.248.0.
>> Branch router is on 172.16.11.0/24 which connects to firewall subnet via 
>> MPLS provider router, i.e. 10.152.8.117/30.
>> 
>> So what to do?
>> 
>> Regards
>> 
>> 
>> - Reply message -
>> From: "dragonator" 
>> To: , 
>> Subject: [pfSense] Gateway on a gateway...
>> Date: Sat, May 17, 2014 12:51 AM
>> 
>> Change route on the site 2 gateway to route all traffic to that firewall.
>> 
>> 
>> 
>> 
>> 
>>  Original message 
>> From: faisal.gill...@akesp.org 
>> Date: 05/15/2014 19:39 (GMT-05:00) 
>> To: pfSense Support and Discussion Mailing List  
>> Subject: [pfSense] Gateway on a gateway... 
>> 
>> 
>> I have two networks connected together with an MPLS network; all the clients 
>> on both networks can access each other.
>> Site 1 (172.16.0.0/21) has a packet filtering multi-WAN firewall 
>> (172.16.1.16) on its local subnet, which local clients connect to in order to use 
>> the internet.
>> Site 2 (172.16.11.0/24) clients connect to the local router (172.16.11.17), 
>> which routes all site 1 destined traffic to the site 1 router (172.16.0.17). All 
>> site 2 clients have the IP of the site 2 router (172.16.11.17) as their 
>> default gateway.
>> 
>> Now I want clients on site 2 to use my packet filtering firewall 
>> (172.16.1.16) for their internet needs, so how do I define this without 
>> breaking the existing communication?
>> Can anyone guide me in this?
>> 
>> 
>> 
>> ___ 
>> List mailing list 
>> List@lists.pfsense.org 
>> https://lists.pfsense.org/mailman/listinfo/list
>> 
>> 
>> 
> anyone able to reply to the list?



Re: [pfSense] using Pfsense as a router

2014-05-13 Thread Klaus Wunder
Hello,

First of all I have a question.

Both of your sites use overlapping subnets. Is it a typing error?

To come to your routing question: in future, are there more branch offices 
scheduled?

I think in this case a dynamic routing protocol is perfect (OSPF / BGP).

In the other case the simplest solution is to use static routing.

Regards

Klaus 



> On 14.05.2014 at 06:17, "Faisal Gillani" wrote:
> 
> Hello All
> 
> I am trying to use Pfsense as my premier router to connect my office with
> other branch offices on a provider's layer 3 MPLS network.
> I have disabled all NAT and packet filtering on both of my Pfsense boxes.
> Also unchecked block private schemes on my WAN interfaces, as the IP schemes my
> MPLS provider uses are private ones.
> 
> Below is my scenario. All I want is help with what to define in my static routes,
> or should I use dynamic routing protocols for this?
> 
> IP Settings given by MPLS provider
> 
> Site 1 
> IP 10.152.8.130 
> Subnet 255.255.255.252 
> GW 10.152.8.129
> 
> Site 2 
> IP 10.152.8.118 
> Subnet 255.255.255.252 
> GW 10.152.8.117
> 
> Local Network IP settings
> 
> Site 1
> IP 172.16.0.0 
> Subnet 255.255.0.0 
> All clients in Site 1 use 172.16.1.16 (Pfsense) as its default gateway it is
> also connected with MPLS network with above given settings
> 
> Site 2
> IP 172.16.11.0 
> Subnet 255.255.0.0 
> All clients in Site 2 use 172.16.11.17 (Pfsense) as its default gateway it
> is also connected with MPLS network with above given settings
> 
> Requirement
> 
> - Clients on both sites should be able to access each other.
> - Clients on both the sites should use 172.16.1.16 for their internet
>   needs
> 
> Thanks 
> Faisal
> 
> 


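Added example (not part of the original messages): a Python check of the two addressing questions raised in these threads. It tests whether the site LANs overlap, as Klaus asks above, and whether a next hop such as the firewall 172.16.1.16 is on-link for the site 2 router, which is the condition behind the "not local to my subnet" error in the "Gateway on a gateway" thread. The interface names and the pairing of 172.16.11.17/24 with 10.152.8.118/30 on one router are assumptions drawn from the posted figures.

```python
import ipaddress


def overlapping_sites(sites):
    """Return pairs of site names whose LAN networks overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def on_link_interface(gateway, interfaces):
    """Return the interface whose connected network contains the gateway.

    A static route or gateway entry is only usable when its next hop sits
    inside one of the router's own subnets; otherwise None is returned.
    """
    gw = ipaddress.ip_address(gateway)
    for name, addr in interfaces.items():
        if gw in ipaddress.ip_interface(addr).network:
            return name
    return None


# LAN settings as posted in "using Pfsense as a router" (both masks are /16).
ROUTER_THREAD_SITES = {"site1": "172.16.0.0/255.255.0.0",
                       "site2": "172.16.11.0/255.255.0.0"}
# LAN settings as posted in "Gateway on a gateway".
GATEWAY_THREAD_SITES = {"site1": "172.16.0.0/21", "site2": "172.16.11.0/24"}
# Site 2 router; interface names are assumptions, addresses are from the posts.
SITE2_ROUTER = {"LAN": "172.16.11.17/24", "MPLS": "10.152.8.118/30"}

if __name__ == "__main__":
    print("overlap with /16 masks:", overlapping_sites(ROUTER_THREAD_SITES))
    print("overlap with /21 and /24:", overlapping_sites(GATEWAY_THREAD_SITES))
    for next_hop in ("172.16.1.16", "10.152.8.117"):
        print(next_hop, "on-link via", on_link_interface(next_hop, SITE2_ROUTER))
```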

Re: [pfSense] [SPAM] Help in port Forwarding configuration

2012-05-23 Thread Klaus Wunder
Hi, 

I have edited your table. I think it has to look like this.

Do you want to use the port 3001 for the external IPs?

Regards 

Klaus


> Hi,
>  
> I'm currently using pfsense 2.0 for my system LAN firewall for 3 years now 
> and have been having problems configuring it right to port forward a static 
> external IP address of our remote test site server to NAT it with one of my 
> server LAN IP addresses.
>  
> Below is the table of how I configure it so the 2 external IP addresses 
> (59.160.200.199 and 200.6.14.60) on port 5001 can communicate with my LAN 
> server IP address 192.168.9.10
>  
> Pfsense Version 2.0
> 
> Firewall: Rules
> 
> Protocol  Source  Port  Destination     Port  Gateway  Schedule  Description
> TCP       any     any   59.160.200.199  3001  Any                NAT
> TCP       any     any   200.6.14.60     3001  Any                NAT
> 
> Firewall: NAT: Port Forward
> 
> If   Protocol  Source address  Source port  Destination address  Destination port  NAT IP        NAT port
> WAN  TCP       any             any          59.160.200.199       3001              192.168.9.10  5001
> WAN  TCP       any             any          200.6.14.60          3001              192.168.9.10  5001
>  
> 
> Attached please find my Network setup.
> 
> Please advise on the correct way to configure port forwarding on pfsense using 
> 2 external remote IP addresses to talk with my LAN server machine.
> 
>  
> 
> Thanks
> 
>  
> 
> Joseph.
> 

> 


Re: [pfSense] Several sites: How to route Internet-bound traffic of a host at site A through site B

2012-04-06 Thread Klaus Wunder
Hi,
I think the IP in the NAT rule should be the IP of the Firewall of Site B.
You can make a rule in the access list to deny the IP 192.168.10.197 to use 
internet from Site B.

Kind Regards 

Klaus

Nadine Schlüter wrote:

>Hi,
>
>the network at site A is 192.168.10.0/24. H is 192.168.10.197.
>
>Site B's network is 192.168.0.0/24.
>
>The tunnel (TUN1) between the two is
>
> <-10.0.9.2--- tunnel ---10.0.9.1-> 
>
>The NAT rule (first in my NAT list) is:
>
>Interface: TUN1
>Protocol: any
>Source: Network 192.168.10.197/32
>  Port 
>Destination: 
>Translation: Interface address (so the IP should be 10.0.9.2)
>  Port: 
>
>Looks like this in the list (top two entries)
>
>Interface:TUN1
>Source:   192.168.10.197/32
>Source Port:  *
>Destination:  *
>Destination Port  *
>NAT Address:  *
>NAT Port  *
>Static Port   No
>Description   Translate smack's traffic to TUN1 IP
>
>
>Interface:WAN
>Source:   192.168.10.0/24
>Source Port:  *
>Destination:  *
>Destination Port  *
>NAT Address:  *
>NAT Port  *
>Static Port   No
>Description   Translate 192.168.10.x to WAN IP
>
>To me it seems the new (first rule) is completely ignored and rule 2 is used.
>
>Cheers,
>Nadine
>
> Original Message 
>> Date: Fri, 6 Apr 2012 17:58:49 +0200
>> From: Klaus Wunder 
>> To: pfSense support and discussion 
>> Subject: Re: [pfSense] Several sites: How to route Internet-bound traffic of 
>> a host at site A through site B
>
>> Hi,
>> 
>> what is your translation address in the NAT rule? The Interface Address of
>> Firewall B?
>> Have you disabled Automatic NAT rule generation?
>> 
>> Kind Regards
>> 
>> Klaus Wunder
>> 
>> 
>> 
>> On 06.04.2012 at 17:30, "Nadine Schlüter" wrote:
>> 
>> > Hi,
>> > 
>> > I'm running several pfSense ALIX Boxes at different locations. Each box 
>> > has a direct Internet connection (WAN) and runs OpenVPN Tunnels to other
>> > sites. Works all fine.
>> > 
>> > Now I want to route all Internet-bound traffic of one (and only one!) 
>> > host H from site A through site B's pfSense box to the Internet. Is 
>> > there a way to do this?
>> > 
>> > I tried setting up a special outbound NAT rule for H at site A's 
>> > pfSense box, which essentially is /32 -> > > Interface IP>. But this did not have any effect.
>> > 
>> > Of course there is another NAT rule already in place that translates 
>> > anything from site A's private network to the local WAN address. 
>> > However, I put the special NAT rule for H as the first in the NAT rule 
>> > list, hoping that it matches first and will therefore be preferred. 
>> > However, if I traceroute from H to a machine outside (say 8.8.8.8) I can
>> > still see the traffic going out through site A's WAN interface - never 
>> > getting into any tunnel.
>> > 
>> > The tricky bit is that host H's traffic is for the Internet. I can 
>> > reach hosts at other sites without problems (static routes and tunnel 
>> > NATs in place).
>> > 
>> > Has anyone here done this before? I would greatly appreciate some 
>> > advice on this...
>> > 
>> > Cheers,
>> > Nadine
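Added example (not part of the original messages): a small Python model of the behaviour Nadine describes, assuming an outbound NAT rule is only evaluated for packets that routing has already sent out of the rule's interface. The routing table, the WAN address 198.51.100.10 and the destination 192.168.0.5 are constructed; 10.0.9.2 and the rule order come from her post.

```python
import ipaddress

# Site A routes (constructed from the description): site B's LAN is reached
# through the tunnel, everything else follows the default route out of WAN.
ROUTES = [
    ("192.168.10.0/24", "LAN"),
    ("192.168.0.0/24", "TUN1"),
    ("0.0.0.0/0", "WAN"),
]

# Outbound NAT rules in list order: (interface, source network, NAT address).
# 10.0.9.2 is the TUN1 address from the post; the WAN address is a placeholder.
NAT_RULES = [
    ("TUN1", "192.168.10.197/32", "10.0.9.2"),
    ("WAN", "192.168.10.0/24", "198.51.100.10"),
]


def egress_interface(dst, routes=ROUTES):
    """Longest-prefix match: routing picks the outgoing interface first."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(net), iface) for net, iface in routes
                  if addr in ipaddress.ip_network(net)]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def translate(src, dst, routes=ROUTES, rules=NAT_RULES):
    """Return (egress interface, source address after outbound NAT)."""
    iface = egress_interface(dst, routes)
    source = ipaddress.ip_address(src)
    for rule_iface, net, nat_addr in rules:
        # A rule bound to another interface is never considered, whatever
        # its position in the list.
        if rule_iface == iface and source in ipaddress.ip_network(net):
            return iface, nat_addr
    return iface, src


if __name__ == "__main__":
    host_h = "192.168.10.197"
    print(translate(host_h, "8.8.8.8"))      # Internet-bound: leaves via WAN
    print(translate(host_h, "192.168.0.5"))  # site B host: leaves via TUN1
    # Hypothetical: routing sends H's Internet traffic into the tunnel.
    print(translate(host_h, "8.8.8.8", routes=[("0.0.0.0/0", "TUN1")]))
```

In this model the TUN1 rule only takes effect once the packet is actually routed into the tunnel, which matches the traceroute result reported in the thread.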


Re: [pfSense] Several sites: How to route Internet-bound traffic of a host at site A through site B

2012-04-06 Thread Klaus Wunder
Hi,

what is your translation address in the NAT rule? The Interface Address of 
Firewall B?
Have you disabled Automatic NAT rule generation?

Kind Regards

Klaus Wunder



On 06.04.2012 at 17:30, "Nadine Schlüter" wrote:

> Hi,
> 
> I'm running several pfSense ALIX Boxes at different locations. Each box 
> has a direct Internet connection (WAN) and runs OpenVPN Tunnels to other 
> sites. Works all fine.
> 
> Now I want to route all Internet-bound traffic of one (and only one!) 
> host H from site A through site B's pfSense box to the Internet. Is 
> there a way to do this?
> 
> I tried setting up a special outbound NAT rule for H at site A's 
> pfSense box, which essentially is /32 ->  Interface IP>. But this did not have any effect.
> 
> Of course there is another NAT rule already in place that translates 
> anything from site A's private network to the local WAN address. 
> However, I put the special NAT rule for H as the first in the NAT rule 
> list, hoping that it matches first and will therefore be preferred. 
> However, if I traceroute from H to a machine outside (say 8.8.8.8) I can 
> still see the traffic going out through site A's WAN interface - never 
> getting into any tunnel.
> 
> The tricky bit is that host H's traffic is for the Internet. I can 
> reach hosts at other sites without problems (static routes and tunnel 
> NATs in place).
> 
> Has anyone here done this before? I would greatly appreciate some 
> advice on this...
> 
> Cheers,
> Nadine


Re: [pfSense] Outbound NAT inside ipsec tunnel?

2011-10-19 Thread Klaus Wunder
Hi,

Can you send us the requirements?
Normally there is no problem building an IPsec connection between an IOS device 
and pfSense.

Kind Regards

On 19.10.2011 at 13:30, Ståle Johnsen wrote:

> Hi,
> 
> We are running pfsense 2.0 on our site and we are trying to establish an 
> ipsec to a partner with cisco ios. The problem is that the cisco side has 
> some requirements: 
> - All traffic from our side has to come from a public IP. 
> 
> Meaning we have some servers on our local subnet that need to send traffic 
> over the ipsec but the traffic has to come from a public IP instead of the 
> local lan ip of the server. Is that possible with pfsense 2.0? I have done 
> some tests with manual outbound nat rules with the following mapping:
> Interface: WAN Source: Lan subnet Source port: * Destination: * Destination: 
> 500 NAT Address: virtual ip (public) NAT Port: * Static port: YES
> 
> But when I for example connect to rdp to a server over the ipsec, it's 
> traffic from the lan subnet ip from our site that is logged, not the virtual 
> public ip. I tried an outbound rule just from LAN to WAN and to use the 
> virtual ip as nat address and that worked as expected. whatismyip.com showed 
> the virtual ip instead of the real wan ip. 
> 
> So I'm just wondering if anyone here knows how to do this or if it even is 
> possible at all?
> 
> Thanks in advance