Re: [pfSense] Migration from an old linux firewall

2017-03-30 Thread Eero Volotinen
ok. that sounds really bad: http://dilbert.com/strip/1998-08-24

Eero

On 30.3.2017 at 5.40 PM, "Claudio M." wrote:

> On Wednesday 29 March 2017 10:13:36, WebDawg wrote:
> > You can do two different subnets on one network, but it is not the way to
> > do things.  Everyone can imagine the issues but it would also be
> > completely insecure.
>
> Unfortunately I cannot change the network; I am a consultant who handles
> only the firewall. I know that this solution is not safe, but the customer
> does not want to change this configuration because another external company
> that manages internal servers wants it so.
> We manage the firewalls so we have to solve this situation.
> Now I'll try to use an internal Linux server as a gateway to forward all
> packets for the 10.7.13.0/24, creating a routing rule so I can use the
> rules explained on the pfSense site.
>
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Migration from an old linux firewall

2017-03-30 Thread WebDawg
On Thu, Mar 30, 2017 at 9:39 AM, Claudio M.  wrote:

> On Wednesday 29 March 2017 10:13:36, WebDawg wrote:
> > You can do two different subnets on one network, but it is not the way to
> > do things.  Everyone can imagine the issues but it would also be
> > completely insecure.
>
> Unfortunately I cannot change the network; I am a consultant who handles
> only the firewall. I know that this solution is not safe, but the customer
> does not want to change this configuration because another external company
> that manages internal servers wants it so.
> We manage the firewalls so we have to solve this situation.
> Now I'll try to use an internal Linux server as a gateway to forward all
> packets for the 10.7.13.0/24, creating a routing rule so I can use the
> rules explained on the pfSense site.
>
That is crazy man.
http://serverfault.com/questions/25907/what-are-the-implications-of-having-two-subnets-on-the-same-switch


I mean, they might as well just put all the hosts on the same subnet.

Re: [pfSense] Migration from an old linux firewall

2017-03-30 Thread Claudio M.
On Wednesday 29 March 2017 10:13:36, WebDawg wrote:
> You can do two different subnets on one network, but it is not the way to
> do things.  Everyone can imagine the issues but it would also be completely
> insecure.

Unfortunately I cannot change the network; I am a consultant who handles only
the firewall. I know that this solution is not safe, but the customer does not
want to change this configuration because another external company that manages
internal servers wants it so.
We manage the firewalls so we have to solve this situation.
Now I'll try to use an internal Linux server as a gateway to forward all
packets for the 10.7.13.0/24, creating a routing rule so I can use the rules
explained on the pfSense site.



Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread WebDawg
On Wed, Mar 29, 2017 at 8:41 AM, Moshe Katz  wrote:

> I'm not entirely sure how you had this working with your old firewall - I
> would think it would have the same issue.
>
> The best thing for you to do would be to separate the two LANs. You
> probably don't need to change any cabling because most server network cards
> let you set a default VLAN to use. (If you have Windows servers, you either
> need a managed switch or network cards with drivers that support setting a
> VLAN. For Linux servers, this should be doable with any network card.
> Most server-grade network cards have support for setting a VLAN from the
> Properties screen of the adapter in Device Manager.)
>
> Moshe
>
> On Mar 29, 2017 6:55 AM, "Claudio M."  wrote:
>
>
You can do two different subnets on one network, but it is not the way to
do things.  Everyone can imagine the issues but it would also be completely
insecure.


Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread Moshe Katz
I'm not entirely sure how you had this working with your old firewall - I
would think it would have the same issue.

The best thing for you to do would be to separate the two LANs. You
probably don't need to change any cabling because most server network cards
let you set a default VLAN to use. (If you have Windows servers, you either
need a managed switch or network cards with drivers that support setting a
VLAN. For Linux servers, this should be doable with any network card.
Most server-grade network cards have support for setting a VLAN from the
Properties screen of the adapter in Device Manager.)

Moshe

On Mar 29, 2017 6:55 AM, "Claudio M."  wrote:

> Hi
> I've migrated a Linux firewall to a 2.3.3-RELEASE-p1 pfSense.
> The old configuration had 2 interfaces connected to ADSL routers and an
> interface for the LAN. A GRE VPN was also configured with an alias IP on
> this LAN network, so two networks coexisted on the same LAN:
> 192.168.1.0/24
> 10.7.13.0/24
> where the first was for all desktop clients and the second for the
> servers. A server has an interface on the LAN with IP 10.7.13.1 and an
> alias on the same interface with 192.168.1.6.
> When a client connects to this server, it sends packets to the firewall
> and the firewall resends them to the destination server. The server
> receives these packets and replies using the same interface, but contacts
> the client directly with the IP on the same net. Before, with Linux, this
> was not a problem, but with pfSense, a stateful firewall, this is no
> longer possible. Now I have asymmetric routing without a routing, so I
> cannot use the tips present at this page
> https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
>
> What can I do?
>
> Best regards
> Claudio M.


Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread WebDawg
On Wed, Mar 29, 2017 at 5:55 AM, Claudio M.  wrote:

> Hi
> I've migrated a Linux firewall to a 2.3.3-RELEASE-p1 pfSense.
> The old configuration had 2 interfaces connected to ADSL routers and an
> interface for the LAN. A GRE VPN was also configured with an alias IP on
> this LAN network, so two networks coexisted on the same LAN:
> 192.168.1.0/24
> 10.7.13.0/24
> where the first was for all desktop clients and the second for the
> servers. A server has an interface on the LAN with IP 10.7.13.1 and an
> alias on the same interface with 192.168.1.6.
> When a client connects to this server, it sends packets to the firewall
> and the firewall resends them to the destination server. The server
> receives these packets and replies using the same interface, but contacts
> the client directly with the IP on the same net. Before, with Linux, this
> was not a problem, but with pfSense, a stateful firewall, this is no
> longer possible. Now I have asymmetric routing without a routing, so I
> cannot use the tips present at this page
> https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
>
> What can I do?
>
> Best regards
> Claudio M.



You had two different networks on one ethernet lan?


Re: [pfSense] Migration from an old linux firewall

2017-03-29 Thread Eero Volotinen
How about using vlan tagging?

Eero

2017-03-29 13:55 GMT+03:00 Claudio M. :

> Hi
> I've migrated a Linux firewall to a 2.3.3-RELEASE-p1 pfSense.
> The old configuration had 2 interfaces connected to ADSL routers and an
> interface for the LAN. A GRE VPN was also configured with an alias IP on
> this LAN network, so two networks coexisted on the same LAN:
> 192.168.1.0/24
> 10.7.13.0/24
> where the first was for all desktop clients and the second for the
> servers. A server has an interface on the LAN with IP 10.7.13.1 and an
> alias on the same interface with 192.168.1.6.
> When a client connects to this server, it sends packets to the firewall
> and the firewall resends them to the destination server. The server
> receives these packets and replies using the same interface, but contacts
> the client directly with the IP on the same net. Before, with Linux, this
> was not a problem, but with pfSense, a stateful firewall, this is no
> longer possible. Now I have asymmetric routing without a routing, so I
> cannot use the tips present at this page
> https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
>
> What can I do?
>
> Best regards
> Claudio M.


[pfSense] Migration from an old linux firewall

2017-03-29 Thread Claudio M.
Hi
I've migrated a Linux firewall to a 2.3.3-RELEASE-p1 pfSense.
The old configuration had 2 interfaces connected to ADSL routers and an
interface for the LAN. A GRE VPN was also configured with an alias IP on this
LAN network, so two networks coexisted on the same LAN:
192.168.1.0/24
10.7.13.0/24
where the first was for all desktop clients and the second for the servers. A
server has an interface on the LAN with IP 10.7.13.1 and an alias on the same
interface with 192.168.1.6.
When a client connects to this server, it sends packets to the firewall and the
firewall resends them to the destination server. The server receives these
packets and replies using the same interface, but contacts the client directly
with the IP on the same net. Before, with Linux, this was not a problem, but
with pfSense, a stateful firewall, this is no longer possible. Now I have
asymmetric routing without a routing, so I cannot use the tips present at this
page https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules

What can I do?

Best regards
Claudio M.
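
The path asymmetry described in this thread, modelled as an added example (not part of any poster's message and not pfSense code). It assumes each host delivers on-link destinations directly and sends everything else to the firewall; the client address 192.168.1.50 and all function names are constructed for illustration.

```python
import ipaddress

FIREWALL = "firewall"   # packet is sent to the default gateway
DIRECT = "direct"       # packet is delivered on-link; the firewall never sees it

def next_hop(sender_ifaces, dst):
    """Hop a host picks for dst: on-link if any of its addresses shares
    a subnet with dst, otherwise its default gateway (the firewall)."""
    dst = ipaddress.ip_address(dst)
    on_link = any(dst in ipaddress.ip_interface(i).network for i in sender_ifaces)
    return DIRECT if on_link else FIREWALL

def flow(client_ifaces, server_ifaces, server_ip):
    """Hops for a request to server_ip and for the server's reply."""
    client_ip = str(ipaddress.ip_interface(client_ifaces[0]).ip)
    return {"request": next_hop(client_ifaces, server_ip),
            "reply": next_hop(server_ifaces, client_ip)}

def verdict(path):
    """What a stateful firewall gets to inspect for this flow."""
    seen = [d for d, hop in path.items() if hop == FIREWALL]
    if len(seen) == 2:
        return "symmetric: both directions filtered"
    if len(seen) == 1:
        return "asymmetric: firewall sees only the " + seen[0]
    return "bypassed: firewall sees nothing"

# Addresses from the post, except the client (constructed sample value).
CLIENT = ["192.168.1.50/24"]
SERVER_ALIASED = ["10.7.13.1/24", "192.168.1.6/24"]   # setup from the post
SERVER_SEPARATED = ["10.7.13.1/24"]                   # server subnet only (assumed fix)

if __name__ == "__main__":
    for name, srv, target in [
        ("aliased, via 10.7.13.1", SERVER_ALIASED, "10.7.13.1"),
        ("aliased, via 192.168.1.6", SERVER_ALIASED, "192.168.1.6"),
        ("separated, via 10.7.13.1", SERVER_SEPARATED, "10.7.13.1"),
    ]:
        print(f"{name:26} -> {verdict(flow(CLIENT, srv, target))}")
```

With the alias in place the firewall sees the client's packets but never the server's replies, and clients that use 192.168.1.6 are not filtered at all. Once the server answers only from 10.7.13.0/24, both directions cross the firewall.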