[pfSense] secure management access on transparent bridge firewall
Hi,

We are providing Internet access to coop housing (50 units). We have transit access to the exchange via fiber and a /26 of public IPv4 addresses. I purchased a Netgate C2758 router to be able to do limiters and traffic shaping at rush hour. I set up a transparent bridge and everything works fine so far. This feeds two Cisco SF300 switches, and each unit has a TP-Link WDR3600 wireless router with a static address.

I need to secure the management interface of the pfSense and of the switches. I could make a rule to allow access only from a fixed source IP, but I travel a lot and need flexibility. The best for me would be OpenVPN. Is this possible without a LAN? Or ...?

Thank you,
Richard

___
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] secure management access on transparent bridge firewall
Management VLAN.

On Dec 8, 2014, at 9:08 AM, Richard Lussier richard.luss...@inter-node.com wrote:
> Hi, We are providing Internet access to coop housing (50 units) ...
> [...]
Re: [pfSense] secure management access on transparent bridge firewall
Hi Chris,

Do you mean to redirect the VPN to the management VLAN?

Thank you,
Richard

On 2014-12-08 13:12, Chris L wrote:
> Management VLAN.
> [...]

--
Richard Lussier
inter-node.com
scalable digital networks: copper – wireless – fibre optic
t. 514.316.1623 c. 514.574.5111
Re: [pfSense] secure management access on transparent bridge firewall
I think what he means is to set up an isolated management VLAN, then you VPN into your pfSense box and get access to the management VLAN.

-A

On Mon, Dec 8, 2014 at 11:10 AM, Richard Lussier richard.luss...@inter-node.com wrote:
> Hi Chris,
> Do you mean to redirect the vpn to the management vlan?
> [...]
Re: [pfSense] secure management access on transparent bridge firewall
Thank you Chris!! I will try this as soon as I can and give feedback!!

Regards,
Richard

On 2014-12-08 16:38, Chris L wrote:
> No, have a management VLAN that's protected from user traffic but that the management interfaces listen on. I don't know if the TP-Link or other cheaper gear will support a management VLAN. The VPN you use could have access to that VLAN as well. It makes it so user traffic cannot "hit" the management ports.
>
> For instance:
>
> Create a VLAN tagged interface, say em0_vlan199.
> Create a VLAN tagged interface for the LAN side of your transparent proxy, say 100. You would then bridge WAN with em0_vlan100 instead of with em0.
> Assign a management interface to em0_vlan199. Give it an IP, DHCP, etc.
> Connect your switches to pfSense with trunk ports with tagged VLANs 100 and 199.
> Set the switches to management VLAN 199, create a VLAN interface with an IP address in the right network.
>
> Make sure your bridge has:
> Block any source BRIDGE0 net dest MGMT net
> Block any source BRIDGE0 net dest (all pfSense IP addresses) port webmgmt and ssh ports etc...
>
> On Dec 8, 2014, at 11:10 AM, Richard Lussier richard.luss...@inter-node.com wrote:
>> Hi Chris,
>> Do you mean to redirect the vpn to the management vlan?
>> [...]
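The ruleset Chris describes, written out in raw pf(4) syntax as an added example; it is not from the original thread, and on pfSense you would enter the equivalent rules in the GUI (Firewall > Rules on the bridge member interfaces and the OpenVPN tab), since pfSense generates pf.conf itself. Every name and address below is an assumption made for the example: em1 as the WAN-side NIC, em0_vlan100 as the tenant-side VLAN that is bridged with em1, em0_vlan199 as the management VLAN, ovpns1 as the OpenVPN server interface, 10.199.0.0/24 as the management network, 10.8.0.0/24 as the OpenVPN tunnel network, and 22/443 as the SSH and web GUI ports. The VLAN and bridge interfaces are assumed to be created first under Interfaces > Assignments, as the thread outlines.

```pf
# Added example (not from the thread): pf(4) rules for the management-VLAN design.
# Assumed interface names and addresses, see the lead-in.
wan_if     = "em1"            # public side, towards the fiber transit
user_if    = "em0_vlan100"    # tenant VLAN, bridged with $wan_if as bridge0
mgmt_if    = "em0_vlan199"    # management VLAN, NOT a bridge member
ovpn_if    = "ovpns1"         # OpenVPN server tunnel interface
mgmt_net   = "10.199.0.0/24"  # pfSense and both SF300s live here
ovpn_net   = "10.8.0.0/24"    # admin laptops get addresses here
mgmt_ports = "{ 22, 443 }"    # sshd and the web GUI

# "self" expands to every address configured on this box: the public /26
# address on $wan_if, the 10.199.0.x address on $mgmt_if and the tunnel address.
table <self_ips> { self }

set skip on lo0

# Filtering happens on the bridge members, so the same two blocks go on
# both members; pf is first-match only with "quick", so blocks come first.

# 1. Tenant traffic may never reach the management network ...
block in quick on $user_if from any to $mgmt_net
# 2. ... nor pfSense's own management ports on ANY of its addresses.
#    Without this the GUI is still reachable on the public /26 address.
block in quick on $user_if proto tcp from any to <self_ips> port $mgmt_ports

# 3. Same from the Internet side, but let the OpenVPN listener through.
block in quick on $wan_if from any to $mgmt_net
pass  in quick on $wan_if proto udp from any to ($wan_if) port 1194 keep state
block in quick on $wan_if proto tcp from any to <self_ips> port $mgmt_ports

# 4. Everything else transits the bridge (limiters/shaping are applied elsewhere).
pass in quick on $user_if from any to any keep state
pass in quick on $wan_if  from any to any keep state

# 5. Only VPN clients and hosts already on the management VLAN may manage things.
pass in quick on $ovpn_if from $ovpn_net to $mgmt_net keep state
pass in quick on $ovpn_if proto tcp from $ovpn_net to <self_ips> port $mgmt_ports keep state
pass in quick on $mgmt_if from $mgmt_net to any keep state
```

For the VPN clients to reach the switches, the OpenVPN server's "Local network(s)" must include 10.199.0.0/24 so that route is pushed to the client. On the SF300 side the equivalent is a trunk towards pfSense carrying VLANs 100 and 199, tenant-facing access ports that are untagged members of VLAN 100 only (no membership in 199), and the switch's own IP address moved from VLAN 1 to an interface in VLAN 199. Rule 1 is largely defence in depth, since a tenant port on VLAN 100 has no layer-2 path to VLAN 199 anyway; rule 2 is the one that matters on the bridge, because the pfSense GUI and sshd otherwise listen on the public address that every tenant can reach.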