Re: [pfSense] Design Best Practice Question

2015-03-08 Thread Justin The Cynical
On 08/03/2015 05:32, Tim Hogan wrote:
> Yes, this is a Comcast Business account. After this discussion I have
> decided to switch to a 1:1 NAT layout.
>
> Since you have mentioned that you also have a Comcast Business account I
> was wondering if you also have IPv6 working through pfSense with th

Re: [pfSense] Design Best Practice Question

2015-03-08 Thread Tim Hogan
Yes, this is a Comcast Business account. After this discussion I have decided to switch to a 1:1 NAT layout. Since you have mentioned that you also have a Comcast Business account I was wondering if you also have IPv6 working through pfSense with the way Comcast attaches everything to the mod

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread Justin The Cynical
On 06/03/2015 13:16, Tim Hogan wrote:
> I am looking for some advice from the group about the best way to put
> pfSense in my environment so that it can filter all traffic. The cable
> provider that I use has given me a /29 of static IP addresses and one of
> those addresses is assigned to the cable

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread Volker Kuhlmann
On Sun 08 Mar 2015 02:44:45 NZDT +1300, Tim Hogan wrote:
> I like your idea with using 1:1 NAT but just one question; If you
> use SSL with the certificate on the web server, will the 1:1 NAT
> mess with that?

No.

Volker

--
Volker Kuhlmann is list0570 with the domain in header.

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread ED Fochler
On the subject of bridging vs routing for firewall: If you require layer 3 to get to your guarded hosts, then you only have to think about rules in layer 3. If you bridge, then you may have to think about ARP spoofing, multicast, IPX, etc. So if you’re bridging, you may be presenting a much l

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread ED Fochler
Set your servername in Apache/whatever, you’re all good. The servername needs to match the cert, the IP doesn’t matter and shouldn’t be handed out anywhere.

> On 2015, Mar 7, at 8:44 AM, Tim Hogan wrote:
>
> Ed,
>
> I like your idea with using 1:1 NAT but just one question; If you use SSL
>

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread Tim Hogan
Ed,

I like your idea with using 1:1 NAT but just one question; If you use SSL with the certificate on the web server, will the 1:1 NAT mess with that?

Regards,
Tim

On 3/6/2015 9:52 PM, ED Fochler wrote:
Bridging will disable firewall and DHCP on modem, this should be expected. If it works,

Re: [pfSense] Design Best Practice Question

2015-03-07 Thread Tim Hogan
Yes, I guess I want to know if the bridge is set up correctly when one of the interfaces in the bridge has an IP address that is being used for the NAT address for my internal LAN.

Regards,
Tim

On 3/6/2015 3:07 PM, WebDawg wrote:
On Fri, Mar 6, 2015 at 2:16 PM, Tim Hogan

Re: [pfSense] Design Best Practice Question

2015-03-06 Thread ED Fochler
Bridging will disable firewall and DHCP on modem, this should be expected. If it works, then you’re using it just fine. I have my DMZ hosts like that on a separate network on OPT1 with their own IP range and 1:1 NAT rules. It feels more segregated that way to me than the bridging firewall scen

Re: [pfSense] Design Best Practice Question

2015-03-06 Thread WebDawg
On Fri, Mar 6, 2015 at 2:16 PM, Tim Hogan wrote:
> I am looking for some advice from the group about the best way to put
> pfSense in my environment so that it can filter all traffic. The cable
> provider that I use has given me a /29 of static IP addresses and one of
> those addresses is assigned

[pfSense] Design Best Practice Question

2015-03-06 Thread Tim Hogan
I am looking for some advice from the group about the best way to put pfSense in my environment so that it can filter all traffic. The cable provider that I use has given me a /29 of static IP addresses and one of those addresses is assigned to the cable modem. When I asked about putting the mode