Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Adam Thompson
Then don't use pfSense - that's simple.
Like I said in a previous email, feel free to do this with your choice of OS.
PfSense doesn't give you quite enough rope to do what you want.
-Adam

On August 16, 2014 11:09:20 PM CDT, Bob Gustafson  wrote:
>I don't need the firewall features of pfsense in my application. The 
>firewall is 'upstream' of the pfsense box - in the ISP furnished 
>modem/router.
>
>Please re-think your suggestions - with the pfsense firewall function 
>out of the picture.
>
>Bob G
>
>On 08/16/2014 03:37 PM, Espen Johansen wrote:
>>
>> NAT traversal is trivial. Firewalling needs physical interfaces. Vlans
>> are possible but vlan jumping is also possible. Vlans to do different
>> zones (lan/wan lan/dmz dmz/wan) is not something I recommend as vlan
>> jumping can be done in most environments. In short. Forget an idea
>> where you firewall with a single interface. Even if this is only to
>> play with at home. Just don't. A vanilla linux/bsd will let you shoot
>> yourself in the foot. So you can do it there. But there are no
>> firewalls that will allow this without 2 interfaces. Most require 2
>> physical, but some will allow for 2 or more vlans. Again, do not do it.
>>
>> On 16 Aug 2014 22:13, "Adam Thompson" wrote:
>>
>> On 14-08-16 01:13 PM, Espen Johansen wrote:
>>>
>>> You would have to do a major code rewrite to get this done.  And
>>> it would be insecure and it would make no pf sense :-) this is
>>> network basics. You don't seem to understand some network
>>> fundamentals. Sorry but this is not doable without using vlans or
>>> 2 physical interfaces.
>>>
>>> On 16 Aug 2014 20:06, "Bob Gustafson" wrote:
>>>
>>> I'm interested in doing it all within the Alix using pfsense.
>>> A minimum hardware approach.
>>>
>>> Think of my WAN mentioned below as the LAN network created by
>>> the modem/router furnished by the ISP and the LAN mentioned
>>> below as devices also connected to the back end of the
>>> modem/router, but not accessible by the modem/router. Only by
>>> LAN/pfsense.
>>>
>>> Bob G
>>>
>>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets
>>> (192.168.2.0/24) through the same connector.
>>>
>>> pfsense would provide the NAT and firewalling within the box.
>>>
>>
>> To clarify Espen's comments: yes, it is possible to run two
>> subnets on the same wire.
>> Any _router_ can route between two subnets on the same wire (or
>> the same VLAN, same thing - technically the same "broadcast domain").
>> A _firewall_, however, will refuse to do so because it's
>> nonsensical from a security perspective.
>> So pfSense is a router, yes, but it is also a firewall, and in
>> areas where those two roles conflict, the firewall role wins.
>> As previously pointed out, you can't usefully use pf(4) in the
>> circumstance you describe.
>> It is technically possible, on some platforms, to perform NAT
>> between the two subnets.  It would be possible, AFAIK, to manually
>> craft a pf rule that does this; it is not possible to get the
>> pfSense GUI to generate that rule. That's where the "major code
>> rewrite" comes into play.
>>
>> I'm not aware of any firewall GUI that will let you do this - and
>> for a good reason!  By hooking your LAN up directly to the WAN,
>> you're effectively eliminating 99% of the security a firewall
>> gives you.  (And, yes, it is possible to directly attack private
>> IP addresses on most ISPs.)
>>
>> If you're determined to deploy this model, you'll have to run a
>> bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and
>> configure the networking stack and NAT rules by hand.
>>
>> -- 
>> -Adam Thompson
>>   athom...@athompso.net  
>>
>>
>> ___
>> List mailing list
>> List@lists.pfsense.org 
>> https://lists.pfsense.org/mailman/listinfo/list
>>
>>
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Bob Gustafson
I don't need the firewall features of pfsense in my application. The 
firewall is 'upstream' of the pfsense box - in the ISP furnished 
modem/router.


Please re-think your suggestions - with the pfsense firewall function 
out of the picture.


Bob G

On 08/16/2014 03:37 PM, Espen Johansen wrote:


NAT traversal is trivial. Firewalling needs physical interfaces. Vlans 
are possible but vlan jumping is also possible. Vlans to do different 
zones (lan/wan lan/dmz dmz/wan) is not something I recommend as vlan 
jumping can be done in most environments. In short. Forget an idea 
where you firewall with a single interface. Even if this is only to 
play with at home. Just don't. A vanilla linux/bsd will let you shoot 
yourself in the foot. So you can do it there. But there are no 
firewalls that will allow this without 2 interfaces. Most require 2 
physical, but some will allow for 2 or more vlans. Again, do not do it.


On 16 Aug 2014 22:13, "Adam Thompson" wrote:


On 14-08-16 01:13 PM, Espen Johansen wrote:


You would have to do a major code rewrite to get this done.  And
it would be insecure and it would make no pf sense :-) this is
network basics. You don't seem to understand some network
fundamentals. Sorry but this is not doable without using vlans or
2 physical interfaces.

On 16 Aug 2014 20:06, "Bob Gustafson" <bob...@rcn.com> wrote:

I'm interested in doing it all within the Alix using pfsense.
A minimum hardware approach.

Think of my WAN mentioned below as the LAN network created by
the modem/router furnished by the ISP and the LAN mentioned
below as devices also connected to the back end of the
modem/router, but not accessible by the modem/router. Only by
LAN/pfsense.

Bob G


I would like to pass WAN packets (192.168.1.0/24
) and LAN packets (192.168.2.0/24
) through the same connector.

pfsense would provide the NAT and firewalling within the
box.



To clarify Espen's comments: yes, it is possible to run two
subnets on the same wire.
Any _router_ can route between two subnets on the same wire (or
the same VLAN, same thing - technically the same "broadcast domain").
A _firewall_, however, will refuse to do so because it's
nonsensical from a security perspective.
So pfSense is a router, yes, but it is also a firewall, and in
areas where those two roles conflict, the firewall role wins.
As previously pointed out, you can't usefully use pf(4) in the
circumstance you describe.
It is technically possible, on some platforms, to perform NAT
between the two subnets.  It would be possible, AFAIK, to manually
craft a pf rule that does this; it is not possible to get the
pfSense GUI to generate that rule. That's where the "major code
rewrite" comes into play.

I'm not aware of any firewall GUI that will let you do this - and
for a good reason!  By hooking your LAN up directly to the WAN,
you're effectively eliminating 99% of the security a firewall
gives you.  (And, yes, it is possible to directly attack private
IP addresses on most ISPs.)

If you're determined to deploy this model, you'll have to run a
bare OS that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and
configure the networking stack and NAT rules by hand.

-- 
-Adam Thompson

  athom...@athompso.net  



Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Bob Gustafson

Do you have any reason why?

On 08/16/2014 01:07 PM, Espen Johansen wrote:


Not doable in a sensible way.

On 16 Aug 2014 20:06, "Bob Gustafson" wrote:


I'm interested in doing it all within the Alix using pfsense. A
minimum hardware approach.

Think of my WAN mentioned below as the LAN network created by the
modem/router furnished by the ISP and the LAN mentioned below as
devices also connected to the back end of the modem/router, but
not accessible by the modem/router. Only by LAN/pfsense.

Bob G

On 08/16/2014 12:53 PM, Oliver Hansen wrote:


I would think it's pretty simple if you have a vlan capable
switch. Just connect the router to the switch on a trunk port and
other devices off of the switch on specific vlans.

On Aug 16, 2014 10:48 AM, "Bob Gustafson" <bob...@rcn.com> wrote:

I have a small Alix board with only one Ethernet connector.

It would be nice to pass packets from two different networks
through that one Ethernet connector.

I know it is possible, I'm just wondering whether pfsense can
do it and whether anyone has some recipes for implementation.

I would like to pass WAN packets (192.168.1.0/24
) and LAN packets (192.168.2.0/24
) through the same connector.

pfsense would provide the NAT and firewalling within the box.

Has anyone any experience with this?

Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
NAT traversal is trivial. Firewalling needs physical interfaces. Vlans are
possible but vlan jumping is also possible. Vlans to do different zones
(lan/wan lan/dmz dmz/wan) is not something I recommend as vlan jumping can
be done in most environments. In short. Forget an idea where you firewall
with a single interface. Even if this is only to play with at home. Just
don't. A vanilla linux/bsd will let you shoot yourself in the foot. So you
can do it there. But there are no firewalls that will allow this without 2
interfaces. Most require 2 physical, but some will allow for 2 or more
vlans. Again, do not do it.
On 16 Aug 2014 22:13, "Adam Thompson" wrote:

>  On 14-08-16 01:13 PM, Espen Johansen wrote:
>
> You would have to do a major code rewrite to get this done.  And it would
> be insecure and it would make no pf sense :-) this is network basics. You
> don't seem to understand some network fundamentals. Sorry but this is not
> doable without using vlans or 2 physical interfaces.
> On 16 Aug 2014 20:06, "Bob Gustafson" wrote:
>
>>  I'm interested in doing it all within the Alix using pfsense. A minimum
>> hardware approach.
>>
>> Think of my WAN mentioned below as the LAN network created by the
>> modem/router furnished by the ISP and the LAN mentioned below as devices
>> also connected to the back end of the modem/router, but not accessible by
>> the modem/router. Only by LAN/pfsense.
>>
>> Bob G
>>
>>  I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
>>> 192.168.2.0/24) through the same connector.
>>>
>>> pfsense would provide the NAT and firewalling within the box.
>>>
>>
> To clarify Espen's comments: yes, it is possible to run two subnets on
> the same wire.
> Any _router_ can route between two subnets on the same wire (or the same
> VLAN, same thing - technically the same "broadcast domain").
> A _firewall_, however, will refuse to do so because it's nonsensical from
> a security perspective.
> So pfSense is a router, yes, but it is also a firewall, and in areas where
> those two roles conflict, the firewall role wins.
> As previously pointed out, you can't usefully use pf(4) in the
> circumstance you describe.
> It is technically possible, on some platforms, to perform NAT between the
> two subnets.  It would be possible, AFAIK, to manually craft a pf rule that
> does this; it is not possible to get the pfSense GUI to generate that
> rule.  That's where the "major code rewrite" comes into play.
>
> I'm not aware of any firewall GUI that will let you do this - and for a
> good reason!  By hooking your LAN up directly to the WAN, you're
> effectively eliminating 99% of the security a firewall gives you.  (And,
> yes, it is possible to directly attack private IP addresses on most ISPs.)
>
> If you're determined to deploy this model, you'll have to run a bare OS
> that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the
> networking stack and NAT rules by hand.
>
> --
> -Adam Thompson
>  athom...@athompso.net
>
>

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Adam Thompson

On 14-08-16 01:13 PM, Espen Johansen wrote:


You would have to do a major code rewrite to get this done.  And it 
would be insecure and it would make no pf sense :-) this is network 
basics. You don't seem to understand some network fundamentals. Sorry 
but this is not doable without using vlans or 2 physical interfaces.


On 16 Aug 2014 20:06, "Bob Gustafson" wrote:


I'm interested in doing it all within the Alix using pfsense. A
minimum hardware approach.

Think of my WAN mentioned below as the LAN network created by the
modem/router furnished by the ISP and the LAN mentioned below as
devices also connected to the back end of the modem/router, but
not accessible by the modem/router. Only by LAN/pfsense.

Bob G


I would like to pass WAN packets (192.168.1.0/24
) and LAN packets (192.168.2.0/24
) through the same connector.

pfsense would provide the NAT and firewalling within the box.



To clarify Espen's comments: yes, it is possible to run two subnets on 
the same wire.
Any _router_ can route between two subnets on the same wire (or the same 
VLAN, same thing - technically the same "broadcast domain").
A _firewall_, however, will refuse to do so because it's nonsensical 
from a security perspective.
So pfSense is a router, yes, but it is also a firewall, and in areas 
where those two roles conflict, the firewall role wins.
As previously pointed out, you can't usefully use pf(4) in the 
circumstance you describe.
It is technically possible, on some platforms, to perform NAT between 
the two subnets.  It would be possible, AFAIK, to manually craft a pf 
rule that does this; it is not possible to get the pfSense GUI to 
generate that rule.  That's where the "major code rewrite" comes into play.


I'm not aware of any firewall GUI that will let you do this - and for a 
good reason!  By hooking your LAN up directly to the WAN, you're 
effectively eliminating 99% of the security a firewall gives you.  (And, 
yes, it is possible to directly attack private IP addresses on most ISPs.)


If you're determined to deploy this model, you'll have to run a bare OS 
that can route, i.e. Linux, OpenBSD, FreeBSD, etc. and configure the 
networking stack and NAT rules by hand.


--
-Adam Thompson
 athom...@athompso.net

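The distinction Adam draws above (a router will happily forward between two subnets on one wire, but a firewall placed between them is not enforcing anything, because every host on that wire can reach the other subnet directly) can be turned into a configuration check. The script below is an added example; it is not code from this list thread or from the pfSense project. It models each logical interface as a (physical port, 802.1Q tag) pair and flags any two security zones that land on the same pair, which is exactly the single-NIC layout Bob describes. It also flags a zone carried untagged on a port that also carries tagged VLANs, the native-VLAN situation behind the VLAN-hopping concern raised elsewhere in the thread. The interface names (vr0, vr0.10, vr0.20), the zone labels and the three sample layouts are constructed for illustration; only the 192.168.1.0/24 and 192.168.2.0/24 prefixes come from the thread.

```python
"""Zone-isolation audit for a single-NIC router/firewall.

Added example, not code from the pfSense list or the pfSense project.
Two security zones that share one broadcast domain (one NIC, one
untagged wire) are not separated by the firewall between them; 802.1Q
tags on the same NIC give each zone its own domain. Interface names,
zone names and the sample layouts below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import Optional


@dataclass(frozen=True)
class Iface:
    name: str             # logical interface, e.g. "vr0.10" (hypothetical)
    parent: str           # physical NIC the frames actually leave on
    vlan: Optional[int]   # 802.1Q tag, or None for untagged frames
    subnet: str           # IPv4 network in CIDR notation
    zone: str             # security zone: "wan", "lan", "dmz", ...

    def domain(self):
        # A layer-2 broadcast domain is the physical port plus the tag;
        # two interfaces with the same pair see each other's frames.
        return (self.parent, self.vlan)


def audit(ifaces):
    """Return findings as (kind, name, other) tuples; empty means isolated."""
    findings = []
    for a, b in combinations(ifaces, 2):
        # Different zones on one broadcast domain: any host on the wire can
        # address hosts of the other subnet directly, so the filter rules on
        # the router are never consulted. This is the single-wire layout.
        if a.zone != b.zone and a.domain() == b.domain():
            findings.append(("shared-domain", a.name, b.name))
        # Overlapping prefixes break routing regardless of zoning.
        if ip_network(a.subnet).overlaps(ip_network(b.subnet)):
            findings.append(("overlap", a.name, b.name))
    # A zone carried untagged on a port that also carries tagged VLANs sits
    # on the trunk's native VLAN; keeping the native VLAN free of zones is
    # the usual mitigation for the VLAN-hopping concern raised in the thread.
    tags_by_port = {}
    for i in ifaces:
        tags_by_port.setdefault(i.parent, set()).add(i.vlan)
    for i in ifaces:
        if i.vlan is None and len(tags_by_port[i.parent]) > 1:
            findings.append(("untagged-on-trunk", i.name, i.parent))
    return findings


# Constructed sample layouts: the thread's 192.168.1.0/24 WAN and
# 192.168.2.0/24 LAN on one Alix NIC, called vr0 here by assumption.
SINGLE_WIRE = [
    Iface("vr0", "vr0", None, "192.168.1.0/24", "wan"),
    Iface("vr0 (alias)", "vr0", None, "192.168.2.0/24", "lan"),
]
TAGGED = [
    Iface("vr0.10", "vr0", 10, "192.168.1.0/24", "wan"),
    Iface("vr0.20", "vr0", 20, "192.168.2.0/24", "lan"),
]
NATIVE_MIX = [
    Iface("vr0", "vr0", None, "192.168.1.0/24", "wan"),
    Iface("vr0.20", "vr0", 20, "192.168.2.0/24", "lan"),
]


def report(label, ifaces):
    """Print the audit result for one layout and return the findings."""
    findings = audit(ifaces)
    print(f"{label}: {'OK' if not findings else 'FINDINGS'}")
    for kind, name, other in findings:
        print(f"  {kind}: {name} / {other}")
    return findings


if __name__ == "__main__":
    report("single wire, two subnets", SINGLE_WIRE)
    report("802.1Q tagged per zone", TAGGED)
    report("untagged WAN + tagged LAN", NATIVE_MIX)
```

Run stand-alone it reports the single-wire layout as a shared broadcast domain, passes the tagged layout, and warns about the mixed one. The check is deliberately about layer 2 only: it says nothing about whether the pf rules themselves are right, because on a shared wire those rules are not in the path between the two zones in the first place.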

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
You would have to do a major code rewrite to get this done.  And it would
be insecure and it would make no pf sense :-) this is network basics. You
don't seem to understand some network fundamentals. Sorry but this is not
doable without using vlans or 2 physical interfaces.
On 16 Aug 2014 20:06, "Bob Gustafson" wrote:

>  I'm interested in doing it all within the Alix using pfsense. A minimum
> hardware approach.
>
> Think of my WAN mentioned below as the LAN network created by the
> modem/router furnished by the ISP and the LAN mentioned below as devices
> also connected to the back end of the modem/router, but not accessible by
> the modem/router. Only by LAN/pfsense.
>
> Bob G
>
> On 08/16/2014 12:53 PM, Oliver Hansen wrote:
>
> I would think it's pretty simple if you have a vlan capable switch. Just
> connect the router to the switch on a trunk port and other devices off of
> the switch on specific vlans.
> On Aug 16, 2014 10:48 AM, "Bob Gustafson"  wrote:
>
>> I have a small Alix board with only one Ethernet connector.
>>
>> It would be nice to pass packets from two different networks through that
>> one Ethernet connector.
>>
>> I know it is possible, I'm just wondering whether pfsense can do it and
>> whether anyone has some recipes for implementation.
>>
>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
>> 192.168.2.0/24) through the same connector.
>>
>> pfsense would provide the NAT and firewalling within the box.
>>
>> Has anyone any experience with this?
>>
>> Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
Not doable in a sensible way.
On 16 Aug 2014 20:06, "Bob Gustafson" wrote:

>  I'm interested in doing it all within the Alix using pfsense. A minimum
> hardware approach.
>
> Think of my WAN mentioned below as the LAN network created by the
> modem/router furnished by the ISP and the LAN mentioned below as devices
> also connected to the back end of the modem/router, but not accessible by
> the modem/router. Only by LAN/pfsense.
>
> Bob G
>
> On 08/16/2014 12:53 PM, Oliver Hansen wrote:
>
> I would think it's pretty simple if you have a vlan capable switch. Just
> connect the router to the switch on a trunk port and other devices off of
> the switch on specific vlans.
> On Aug 16, 2014 10:48 AM, "Bob Gustafson"  wrote:
>
>> I have a small Alix board with only one Ethernet connector.
>>
>> It would be nice to pass packets from two different networks through that
>> one Ethernet connector.
>>
>> I know it is possible, I'm just wondering whether pfsense can do it and
>> whether anyone has some recipes for implementation.
>>
>> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
>> 192.168.2.0/24) through the same connector.
>>
>> pfsense would provide the NAT and firewalling within the box.
>>
>> Has anyone any experience with this?
>>
>> Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Bob Gustafson
I'm interested in doing it all within the Alix using pfsense. A minimum 
hardware approach.


Think of my WAN mentioned below as the LAN network created by the 
modem/router furnished by the ISP and the LAN mentioned below as devices 
also connected to the back end of the modem/router, but not accessible 
by the modem/router. Only by LAN/pfsense.


Bob G

On 08/16/2014 12:53 PM, Oliver Hansen wrote:


I would think it's pretty simple if you have a vlan capable switch. 
Just connect the router to the switch on a trunk port and other 
devices off of the switch on specific vlans.


On Aug 16, 2014 10:48 AM, "Bob Gustafson" wrote:


I have a small Alix board with only one Ethernet connector.

It would be nice to pass packets from two different networks
through that one Ethernet connector.

I know it is possible, I'm just wondering whether pfsense can do
it and whether anyone has some recipes for implementation.

I would like to pass WAN packets (192.168.1.0/24
) and LAN packets (192.168.2.0/24
) through the same connector.

pfsense would provide the NAT and firewalling within the box.

Has anyone any experience with this?

Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Espen Johansen
If you have a vlan capable switch (most managed switches can do this) then
you can split one interface into several virtuals. Pfsense supports this.
If not, a USB ethernet interface would be an option.
On 16 Aug 2014 19:48, "Bob Gustafson" wrote:

> I have a small Alix board with only one Ethernet connector.
>
> It would be nice to pass packets from two different networks through that
> one Ethernet connector.
>
> I know it is possible, I'm just wondering whether pfsense can do it and
> whether anyone has some recipes for implementation.
>
> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
> 192.168.2.0/24) through the same connector.
>
> pfsense would provide the NAT and firewalling within the box.
>
> Has anyone any experience with this?
>
> Bob G

Re: [pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Oliver Hansen
I would think it's pretty simple if you have a vlan capable switch. Just
connect the router to the switch on a trunk port and other devices off of
the switch on specific vlans.
On Aug 16, 2014 10:48 AM, "Bob Gustafson"  wrote:

> I have a small Alix board with only one Ethernet connector.
>
> It would be nice to pass packets from two different networks through that
> one Ethernet connector.
>
> I know it is possible, I'm just wondering whether pfsense can do it and
> whether anyone has some recipes for implementation.
>
> I would like to pass WAN packets (192.168.1.0/24) and LAN packets (
> 192.168.2.0/24) through the same connector.
>
> pfsense would provide the NAT and firewalling within the box.
>
> Has anyone any experience with this?
>
> Bob G

[pfSense] Dual IP nets over one ethernet connector

2014-08-16 Thread Bob Gustafson

I have a small Alix board with only one Ethernet connector.

It would be nice to pass packets from two different networks through 
that one Ethernet connector.


I know it is possible, I'm just wondering whether pfsense can do it and 
whether anyone has some recipes for implementation.


I would like to pass WAN packets (192.168.1.0/24) and LAN packets 
(192.168.2.0/24) through the same connector.


pfsense would provide the NAT and firewalling within the box.

Has anyone any experience with this?

Bob G