Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Warren Baker
On Fri, Feb 10, 2012 at 6:34 AM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:

 Well, if you want to get technical, the minimum possible subnet in IPv4 over 
 Ethernet is actually a /31.  $employer uses these religiously in PtP Ethernet 
 links, and they work flawlessly.  Unfortunately, *BSD doesn't seem to 
 implement RFC3021, which is really a pity, because it means all my firewalls 
 use twice as many IPs as necessary on their uplinks.

 http://tools.ietf.org/html/rfc3021


FreeBSD 9 supports RFC3021
(http://svnweb.freebsd.org/base?view=revision&revision=226572).


-- 
.warren
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Gordon Russell

- Original Message -
 From: Nathan Eisenberg nat...@atlasnetworks.us
 To: athom...@athompso.net, pfSense support and discussion 
 list@lists.pfsense.org
 Sent: Friday, February 10, 2012 2:56:36 AM
 Subject: Re: [pfSense] pfSense help with creating rules
  I think the entire ISP operation I partly run has... three routers
  that support
  it, AFAIK. So for all practical intents and purposes, that doesn't
  exist for me.
 
  It would be nice, most definitely, if it were supported by more
  equipment,
  but it's just not (in my corner of the world, anyway).
 
  So yes, for equipment that supports it, you're right - a /31 is the
  smallest
  IPv4-over-ethernet subnet.
 
  (There's also a philosophical point of whether Ethernet can ever
  truly be a
  PtP media even when physically connected PtP...)
 
 My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine
 (philosophy aside, it *works* over ethernet, even in a test case when
 'PtP' really meant 'these are the only two ports in the VLAN').
 Anything I own with an ARM chip (Mikrotik, Ubiquiti, or general
 embedded hardware) in it, and my PFsense boxen, don't support it at
 all. Very sad - some days, it almost makes me want to roll a bunch of
 iptables boxes and reclaim a ton of usable IP space. Almost. :)
 
 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and
 if they'll route that /29 to him.
 
 Nathan Eisenberg

Comcast allocated a /30 for my WAN interface and a /28 for my network use. They 
are in different class C address spaces.

Gordon Russell
Clarke County IT




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 


I understand what you are trying to accomplish, I think.  Just as a stupid
thought, could you simply set up virtual IP's for the addresses you are
trying to use, set up 1:1 NAT, and forward them to the internal servers?  I
understand this means you will have to use NAT.  You may be trying to avoid
this, but it seems like a much easier solution.  It also seems more
flexible.

Hope this helps,
Ryan







Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi Nathan,

 Anyways, didn't mean to hijack the OP! Interested to see if Comcast is 
 actually handing him a /29, or just 5 IPs out of a bigger subnet, and if 
 they'll route that /29 to him.
I am a little confused at how I would know if they are handing me a /29 or just 
5 IP's?

range: 75.xx.xx.25 - .29
subnet: 255.255.255.248 (which is /29, IIRC)
GW: 75.xx.xx.30

I have a trouble ticket in as well as an e-mail to my sales rep who works 
directly for their head of Operations, so I am hoping bringing in the big brass 
will help me get this going today.

On the other hand, I explored Sonic.net and they are willing to run a 3/3Mbps 
symmetrical ethernet service with free setup and a free Cisco 2600, 16 IP's and 
they said yes to a routed subnet /30 no problem, no additional charge.

But I am confused. Can anyone explain to me which is really a better deal? 
Comcast 50 x 10 for $169/mo or Sonic.net 3/3Mbps for $274/mo?

I get that Comcast is faster, but it is shared traffic, right? Whereas this 
3/3Mbps would be all dedicated to me? I still don't understand a real world 
speed comparison though. Can anyone explain a bit about measuring traffic? 

We are an NPO, we create datasets and allow users to crawl the web for topics 
of interest and we work that data for them. We are going live here soon. If 
anyone wants more details about what we do and how we are going to do it and 
the hardware we are thinking about, ask. I'd love to chat.

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi,
 On Fri, Feb 10, 2012 at 11:00 AM, Jason T. Slack-Moehrle
 slackmoeh...@gmail.com wrote:
  I am a little confused at how I would know if they are handing me a /29 or 
  just 5 IP's?
   
  range: 75.xx.xx.25 - .29
  subnet: 255.255.255.248 (which is /29, IIRC)
  GW: 75.xx.xx.30
  
  
 Comcast has routed that /29 to your cable modem, and made those IPs
 visible to you on the inside. They are not routing the /29 to your
 pfSense box, else the pfSense box would have to have its very own
 IP address outside of that /29, and that'd be a total waste of address
 space; the IP for your firewall would need to be a /29 to route them to
 you anyway (at least if you had any redundancy, such as a CARPed pair
 of firewalls.)

Yes, so it still stands that I need to have them create a /30 for me and route 
my /29 to the /30, put the /30 on my pfSense WAN port and the /29 on my DMZ…..

-Jason  




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adrian Wenzel

I've deleted all the previous messages, so perhaps I'm missing something... but 
why not just use proxy arp and NAT, keep the /29 on the WAN, and have your DMZ 
et al use reserved private IPs?

Comcast may be unwilling to waste a /30 for your WAN, even if you're willing to 
pay.

Regards,
Adrian




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Ryan Rodrigue
 

 


Comcast is faster, but is not dedicated.  You should always get the same
speeds (or reasonably close) with Sonic.  You may also have an SLA with
Sonic.  I am sure you don't have that with Comcast.  That said, all
ISP's are shared traffic.  It is either shared via the same wire, or with
DSL shared at the DSLAM, or in all cases shared at the head office.  It is
very difficult for an ISP with say 1,000 customers at 10 megs each to pay for
a 10G so they can all have dedicated traffic.  This gets worse as the number
goes up.  ISP's understand that not all users will use the bandwidth at the
same time so they have way less than they sell.  For instance one service
provider here locally has a single OC3 (45Meg) link and offers a 6 meg
internet connection.  They have a couple of hundred users.  200 x 6 = 1.2
Gigs.  Way less than what they have.  However, the 45Meg link is very rarely
saturated.  The better business oriented ISP's will prioritize business
customers over residential customers and have a lower ratio of what's sold
to what's available.  I can tell you that Comcast Business in South
Louisiana has a very good service and I have never measured less than 10
down and 4 up.  This beats your 3/3 hands down.  The same may not be
true in your area as every area is different.  Comcast does not however
offer to have a routed subnet as you are asking.  They provide 5 ip addresses
that you can access directly on their modem.  You can get 14 addresses and
subnet yourself, but that really wastes a lot of IP addresses.  You could
also set up a bridge between the DMZ and WAN and run a filtered bridge setup.





Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi Ryan,


Wait, are you saying I could just pay Comcast for 14 addresses and create a 
routed subnet myself and not have them do it?

Or could I just have them create for me a 2nd IP block of 1 IP, load that on 
the modem with my block of 5, and somehow create a routed subnet from the /31 
to my /29 without them, so that pfSense is set up the correct way?

Sorry for the confusion!

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adam Thompson
 Wait, are you saying I could just pay Comcast for 14 addresses and
 create a routed subnet myself and not have them do it?

 Or could I just have them create for me a 2nd IP block of 1 IP, load
 that on the modem with my block of 5 and somehow created a routed
 subnet from the /31 to my /29 without them? so that pfSense is setup
 the correct way?

 Sorry for the confusion!

 -Jason

Actually, that's a very good point - in a broadband network, there is NO 
requirement whatsoever for the upstream link to be a /30, or even anything 
vaguely resembling a PtP link.  As long as there's a route entered in 
their routing table pointing to you, there is no waste of IP addresses to 
accommodate your route.  Your router could easily be one of 16k other 
devices in a subnet, it wouldn't matter.  ISPs generally allocate that /30 
for manageability and security reasons, but most of those issues don't 
exist in a HFC network like Comcast's.

More realistically, they probably still don't want to be bothered :-). 
One other poster reported success, however, in getting a routed setup from 
Comcast, so perhaps your quest isn't futile after all.

No, however, you can't quite do what you're talking about - at least not 
without proxy ARP or bridging, which brings you right back to the original 
set of suggestions.  Comcast's router expects to be able to ARP for all 
the addresses they're assigning you, and if it can't that address 
effectively becomes unreachable.  Proxy ARP is even more evil than setting 
up two firewalls, in most cases - it's nearly impossible to troubleshoot 
if anything goes wrong, and then you still have to do port forwarding or 
bridging behind that.  (Any port forwarding, including pfSense's virtual 
IP, does something much like proxy ARP, but manageable.)

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Jason T. Slack-Moehrle
Hi,
 Wait, are you saying I could just pay Comcast for 14 addresses and create a 
 routed subnet myself and not have them do it?
 
 Or could I just have them create for me a 2nd IP block of 1 IP, load that on 
 the modem with my block of 5 and somehow created a routed subnet from the /31 
 to my /29 without them? so that pfSense is setup the correct way?

OK, Comcast called me back and they are saying for me to:

1. load my /29 on the WAN port of the pfsense box
2. Create a vlan for something like 10.0.0.x
3. Create a 1:1 NAT for the public IP's in the /29 to a 10.0.0.x
4. Assign my servers a 10.0.0.x address, etc

They say they cannot create a routed subnet for me because the modems they use 
cannot handle loading of multiple IP blocks.

Is this viable?

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Moshe Katz


At my office, we have a /27 from our Paetec T1 and a /28 from our Verizon
FiOS.  We created Virtual IPs for all of the addresses and we are using
1:1 NAT for all of our servers, which themselves have private IPs.  It works
just fine.

Moshe

--
Moshe Katz
-- mo...@ymkatz.net
-- +1(301)867-3732


Re: [pfSense] pfSense help with creating rules

2012-02-10 Thread Adam Thompson

So, as expected, they recommend port forwarding.  (1:1 NAT is a special 
case of port forwarding, or vice-versa depending on how you want to look 
at it.)

The excuse about the modem not handling it is complete BS; what they 
really mean is "we don't have an operational procedure to support this, 
and we don't feel like developing one, so we'll make up a 
plausible-sounding technical reason."

They'll be using a Cisco uBR7206 at the very minimum to handle HFC 
routing; it might not be Cisco in your area, or it might not be a uBR 
platform, but your next-hop router WILL be capable enough to handle a 
single static route.  All the modem has to do is its traditional function 
of bridging a single MAC address back and forth over the wire.  Depending 
on the modem, they *may* have to turn off some of the IP security features 
(snooping) in the modem.

However, there's nothing that says you have the right to a 
properly-routed subnet - Comcast has no obligation whatsoever to provide 
this service to you at any price.  It doesn't really matter, as you have 
two other viable options available to you (NAT and bridging, or both if 
you want a traditional DMZ).

The other thing is - even if you get a routed subnet out of Comcast, do 
you really want to be the guinea pig in your operating territory?  Relying 
on something where you're the only customer affected if something goes 
wrong is a good way to garner a lot of needless downtime.  If you're using 
the regular service, and something goes wrong, you'll be back in 
business as soon as everyone else is - which is usually fairly quickly, 
because HFC network outages tend to be all-or-nothing events. 
Standardization would be, IMHO, worth the extra complexity and/or effort. 
This is the way I set up any firewall on a cable modem nowadays; even DSL 
providers are starting to adopt this model for small business customers 
(i.e. /28 or smaller) in some cases.

Or, in short: yes, just go with what Comcast wants you to do.  You can 
create a separate DMZ if you want to keep the servers off your LAN, if 
necessary.  It's not usually necessary unless you're running a public 
website.  (Which, BTW, might violate your Comcast Terms of Service - check 
to be sure.  No sense getting shut down by your ISP for something 
avoidable.)

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
Hi 
  I restarted the pfSense box and noticed that when it rebooted it had:
  
  WAN (wan) -- em1 -- 75.xx.xx.28
  LAN (lan) -- em3 -- 172.16.254.1
  DMZ (opt1) -- em2 -- NONE
  
  That is correct, right, since my servers in 75.xx.xx.xx are on the
  DMZ? Do I have to do anything to tell pfSense it should answer for my
  IP's? I recall when I ran untangle I had to tell it what IP's to
  answer for.
 
 If you don't have an IP address for opt1 (DMZ), that would mean that 
 you're bridging with WAN? I think you should be routing instead, but I 
 don't know exactly your goals.

Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with a 
gateway of .30 

So I have a few other public IP's on servers that I wanted on a DMZ. Just port 
80 actually.

So I want traffic on port 80 coming in through WAN getting routed to .27 which 
is on the DMZ. That way people hit my domain they get that box.

So far I am not having luck getting this to work. I certainly have a 
misunderstanding, I am just not sure what.

-Jason





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
 Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with
 a gateway of .30
 
 So I have a few other public IP's on servers that I wanted on a DMZ.
 Just port 80 actually.
 
 So I want traffic on port 80 coming in through WAN getting routed to
 .27 which is on the DMZ. That way people hit my domain they get that
 box.
 
 So far I am not having luck getting this to work. I certainly have a
 misunderstanding, I am just not sure what.
 
 -Jason
 
Ok, so it sounds like your provider handed you a /29.  To firewall that behind 
pfSense, you need them to route that /29 to you over a /30.  The /30 goes on 
the WAN interface, the /29's gateway IP goes on your DMZ interface.

You can use bridging mode to work around this, but the right way to do it is 
with routing as described above.

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
  Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29
  with a gateway of .30
  So I have a few other public IP's on servers that I wanted on a
  DMZ.  Just port 80 actually.
  So I want traffic on port 80 coming in through WAN getting routed
  to .27 which is on the DMZ. That way people hit my domain they get
  that box.
  So far I am not having luck getting this to work. I certainly have
  a misunderstanding, I am just not sure what.
  -Jason
 Ok, so it sounds like your provider handed you a /29.  To firewall
 that behind pfSense, you need them to route that /29 to you over a
 /30.  The /30 goes on the WAN interface, the /29's gateway IP goes
 on your DMZ interface.
 You can use bridging mode to work around this, but the right way to
 do it is with routing as described above.
 Nathan Eisenberg

While I agree with Nathan about which is the right way to do it, the 
vast majority of ISPs won't have a clue what you're talking about.  Or, 
like most ISPs here, you might find someone who understands, but tells you 
they simply can't do it (or don't offer that as a product).  There's a 
very high probability you'll be forced to do it the 'wrong' way, at which 
point you do have more than one option.

Port forwarding is a common solution to this problem, more so than 
bridging in my experience.  You bind the entire /29 range of IPs to the 
public (WAN) interface on your firewall, and use two different private 
address ranges on your DMZ and your LAN.  Set up port-forwarding from the 
WAN to the DMZ interface, and then use regular firewall rules to regulate 
traffic between the LAN and the DMZ.

One notable downside to this technique is that it pretty much calls for 
split DNS; if your outside service is known as www.mycompany.com which 
resolves to (e.g.) 75.0.0.27, which is bound to the WAN and port-forwards 
to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override 
in pfSense's DNS server so that when LAN clients request the IP for 
www.mycompany.com they get directed straight to 192.168.100.27 without 
going through the port forwarding.

Or you can just rely on the NAT Reflection feature if you don't want to 
use split DNS, but that creates some subtle issues with certain 
applications and protocols.  I find that split DNS works best, as long as 
ALL the systems are pointing to your pfSense box for DNS resolution.  (Or 
to another DNS server, it doesn't matter as long as every system behind 
the firewall sees the same information.)

The alternative is, as Nathan mentioned, bridging, wherein you either set 
up two firewalls (one in transparent mode, one in NAT mode), or a very 
complex setup on a single firewall.

Note that doing anything other than the right solution (routing it properly) 
will increase the amount of horsepower you need in a firewall, and 
probably slightly decrease overall throughput.  This decrease may be 
negligible if you're running pfSense on a fast-enough server, and you 
probably won't be able to notice it anyway if you aren't running gigabit 
Ethernet speeds.

-Adam Thompson
 athom...@athompso.net





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
 The alternative is, as Nathan mentioned, bridging, wherein you either set
 up two firewalls (one in transparent mode, one in NAT mode), or a very
 complex setup on a single firewall.

 Note that doing anything other than right solution (routing it properly)
 will increase the amount of horsepower you need in a firewall, and
 probably slightly decrease overall throughput.  This decrease may be
 negligible if you're running pfSense on a fast-enough server, and you
 probably won't be able to notice it anyway if you aren't running gigabit
 Ethernet speeds.

Can I use the Comcast modem at all, which is already acting as a
bridge, as my understanding is it allows all traffic for my 5 IP's
through?


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Jason T. Slack-Moehrle
On Thu, Feb 9, 2012 at 1:24 PM, Nathan Eisenberg
nat...@atlasnetworks.us wrote:
 Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29 with
 a gateway of .30

 So I have a few other public IP's on servers that I wanted on a DMZ.
 Just port 80 actually.

 So I want traffic on port 80 coming in through WAN getting routed to
 .27 which is on the DMZ. That way people hit my domain they get that
 box.

 So far I am not having luck getting this to work. I certainly have a
 misunderstanding, I am just not sure what.

 -Jason

 Ok, so it sounds like your provider handed you a /29.  To firewall that 
 behind pfSense, you need
 them to route that /29 to you over a /30.  The /30 goes on the WAN interface, 
 the /29's gateway IP  goes on your DMZ interface.

OK, so I called Comcast and explained exactly the above about the /29
routed to a /30 and the representative was clueless, so I asked them
to open up a ticket and escalate to a tier 2 tech. We shall see what
they say.

This obviously means that they will create a new block of public IP's
for the /30 in addition to the 5 that I already have in the /29.

This seems easier, to pay them for that, than to host and deal with more
equipment in my location.


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
 OK, so I called Comcast and explained exactly the above about the
 /29 routed to a /30 and the representative was clueless, so I asked
 them to open up a ticket and escalate to a tier 2 tech. We shall see
 what they say.

 This obviously means that they will create a new block of public
 IP's for the /30 in addition to the 5 that I already have in the
 /29.

 This seems easier to pay them for that then host and deal with more
 equipment in my location.

Every inter-router link must have at least two IP addresses, one for each 
router.  The smallest possible subnet in IPv4-over-ethernet that can 
contain two addresses is a /30.

What did Comcast tell you to use as the subnet mask for your 5 addresses? 
If it's anything other than 255.255.255.248, you don't have a /29 at all, you 
just have six individual IPs in a larger subnet that are allocated to you. 
I'll bet you're merely part of a much larger subnet.

In fact, I would recommend just forgetting about the whole notion of using 
a router properly, with Comcast.  (Anyone with differing experience - 
please let us all know how you managed to get them to do routed IP!)  Most 
MSOs (cable operators) run extremely large subnets (my cable modem at home 
is running on a /22 subnet!) and use relatively strange L2 (bridging) 
features to make their networks work.
And, speaking as an ISP operator, that does make sense for that kind of 
technology and the network design it mandates.  It does complicate matters 
for you, however.
The upside is that it's much cheaper for Comcast to do it that way than 
for a traditional ISP to allocate you a router port.  This only rarely 
translates to cheaper service for you - it usually just translates to more 
profit for Comcast.

-Adam Thompson
 athom...@athompso.net




Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
 Every inter-router link must have at least two IP addresses, one for
 each
 router.  The smallest possible subnet in IPv4-over-ethernet that can
 contain two addresses is a /30.

Well, if you want to get technical, the minimum possible subnet in IPv4 over 
Ethernet is actually a /31.  $employer uses these religiously in PtP Ethernet 
links, and they work flawlessly.  Unfortunately, *BSD doesn't seem to implement 
RFC3021, which is really a pity, because it means all my firewalls use twice as 
many IPs as necessary on their uplinks.

http://tools.ietf.org/html/rfc3021

But IPv6 solves all that with its utterly inexhaustible address space.  Hurrah. 
 Oh, wait, we still have to do IPv4 for some time?  Guess we're stuck with 
RFC1918 addresses for PtP links once the runout is done.  Oh well, who needed 
functional inter-AS tracerouting anyways?

/podium

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Adam Thompson
 Well, if you want to get technical, the minimum possible subnet in
 IPv4 over Ethernet is actually a /31.  $employer uses these
 religiously in PtP Ethernet links, and they work flawlessly.
 Unfortunately, *BSD doesn't seem to implement RFC3021, which is
 really a pity, because it means all my firewalls use twice as many
 IPs as necessary on their uplinks.

 http://tools.ietf.org/html/rfc3021

 But IPv6 solves all that with its utterly inexhaustible address
 space.  Hurrah.  Oh, wait, we still have to do IPv4 for some time?
 Guess we're stuck with RFC1918 addresses for PtP links once the
 runout is done.  Oh well, who needed functional inter-AS
 tracerouting anyways?

 /podium

 Nathan Eisenberg


I think the entire ISP operation I partly run has... three routers that 
support it, AFAIK.  So for all practical intents and purposes, that 
doesn't exist for me.

It would be nice, most definitely, if it were supported by more equipment, 
but it's just not (in my corner of the world, anyway).

So yes, for equipment that supports it, you're right - a /31 is the 
smallest IPv4-over-ethernet subnet.

(There's also a philosophical point of whether Ethernet can ever truly be 
a PtP media even when physically connected PtP...)

-Adam





Re: [pfSense] pfSense help with creating rules

2012-02-09 Thread Nathan Eisenberg
 I think the entire ISP operation I partly run has... three routers that 
 support
 it, AFAIK.  So for all practical intents and purposes, that doesn't exist for 
 me.
 
 It would be nice, most definitely, if it were supported by more equipment,
 but it's just not (in my corner of the world, anyway).
 
 So yes, for equipment that supports it, you're right - a /31 is the smallest
 IPv4-over-ethernet subnet.
 
 (There's also a philosophical point of whether Ethernet can ever truly be a
 PtP media even when physically connected PtP...)

My Cisco 6509s/7204s/3550/3560/linux boxes support it just fine (philosophy 
aside, it *works* over ethernet, even in a test case when 'PtP' really meant 
'these are the only two ports in the VLAN').  Anything I own with an ARM chip 
(Mikrotik, Ubiquiti, or general embedded hardware) in it, and my PFsense boxen, 
don't support it at all.  Very sad - some days, it almost makes me want to roll 
a bunch of iptables boxes and reclaim a ton of usable IP space.  Almost.  :)

Anyways, didn't mean to hijack the OP!   Interested to see if Comcast is 
actually handing him a /29, or just 5 IPs out of a bigger subnet, and if 
they'll route that /29 to him.

Nathan Eisenberg
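The subnet questions raised above (is the mask really 255.255.255.248, how many hosts a /29, /30 or /31 can carry with and without RFC 3021, and which address goes where when a /29 is routed over a /30) worked through in Python. This is an added example, not code from the thread or from pfSense; the 198.51.100.24/29 and 192.0.2.0/30 values are constructed stand-ins for the poster's obfuscated 75.xx.xx.x block.

```python
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges) standing in for
# the thread's obfuscated 75.xx.xx.x addresses.
SAMPLE_BLOCK = "198.51.100.24/29"
SAMPLE_TRANSIT = "192.0.2.0/30"
SAMPLE_ADDRESSES = ["198.51.100.25", "198.51.100.26", "198.51.100.27",
                    "198.51.100.28", "198.51.100.29"]


def prefix_from_mask(mask: str) -> int:
    """Prefix length of a dotted-quad netmask, e.g. 255.255.255.248 -> 29."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(prefixlen: int, rfc3021: bool = False) -> int:
    """Host addresses usable in an IPv4 subnet of this size.

    A /31 yields two usable addresses only on gear that implements RFC 3021
    (the thread's *BSD caveat); without it the /31 is unusable for a link.
    """
    if prefixlen == 32:
        return 1
    if prefixlen == 31:
        return 2 if rfc3021 else 0
    return 2 ** (32 - prefixlen) - 2


def is_real_block(addresses, mask: str, expected_prefix: int = 29) -> bool:
    """Adam's check: the customer holds a real /29 only if the mask is the
    /29 mask and every assigned address falls inside one /29 network."""
    if prefix_from_mask(mask) != expected_prefix:
        return False
    nets = {ipaddress.ip_interface(f"{a}/{mask}").network for a in addresses}
    return len(nets) == 1


def routed_layout(transit: str, block: str) -> dict:
    """The design Adam describes: the ISP routes the customer block to the
    customer over a /30 transit link. Returns which address lands where."""
    t = ipaddress.IPv4Network(transit)
    b = ipaddress.IPv4Network(block)
    if t.prefixlen != 30 or b.overlaps(t):
        raise ValueError("transit must be a /30 disjoint from the routed block")
    t_hosts, b_hosts = list(t.hosts()), list(b.hosts())
    return {
        "provider_side": str(t_hosts[0]),   # ISP router end of the /30
        "wan_address": str(t_hosts[1]),     # pfSense WAN interface
        "dmz_gateway": str(b_hosts[0]),     # pfSense DMZ interface, block gateway
        "server_addresses": [str(h) for h in b_hosts[1:]],  # the five remaining
    }
```

The /29 leaves six usable addresses: one becomes the DMZ-side gateway on the firewall, five remain for the servers, which matches the "5 IPs" the poster was handed.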


[pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hello All,

I built a box dedicated to pfSense, 3 NICs: WAN, LAN, and what I thought would be a 
DMZ for my hosting.

WAN works.

LAN works, as I can plug directly into that card, get an IP and get out to 
wherever.

I am having trouble with DMZ as I thought it would be as simple as going from 
DMZ -> SWITCH -> MY SERVERS WITH PUBLIC IP'S

I am trying to open up port 80 coming from WAN to a specific address 
(75.xx.xx.27) which is plugged in the switch.

Nothing. I cannot reach it. I plug the server into my cable modem directly 
(which is acting in pass through) and I can get to the server just fine.

So I am confused on setting up rules, I think.

Right now I have a rule on WAN:

source: any
port: any
Dest: 75.xx.xx.29
Start port: 80
End port: 80

Can anyone help me? I have tried creating this same rule from LAN and DMZ.

Is there a setting I must set to allow me to see my public boxes on the DMZ 
from behind the LAN?

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi David,
  I am having trouble with DMZ as I thought it would be as simple as going 
  from DMZ -> SWITCH -> MY SERVERS WITH PUBLIC IP'S
 
 
 Do you have advanced outbound NAT enabled? You will need it. It will
 auto-create rules for LAN and DMZ, just delete the ones for the DMZ to
 allow straight routing of the public IPs.

I do see that: 'Automatic outbound NAT rule generation' is indeed on.

-Jason




Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread David Burgess
On Wed, Feb 8, 2012 at 5:07 PM, Jason T. Slack-Moehrle
slackmoeh...@gmail.com wrote:


 I do see that: 'Automatic outbound NAT rule generation' is indeed on.



Right, so your public IPs are getting NATed on their way through
pfsense. Turn it off (i.e., from automatic to advanced).

db


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi David,

 I do see that: 'Automatic outbound NAT rule generation' is indeed on.

 Right, so your public IPs are getting NATed on their way through
 pfsense. Turn it off (i.e., from automatic to advanced).

Indeed I have tried that as well.

So then I would create a rule from WAN to a specific IP on the
DMZ for any 80? I have had that rule in place but I don't get the site
when I hit it.

-Jason


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread David Burgess
On Wed, Feb 8, 2012 at 5:13 PM, Jason T. Slack-Moehrle
slackmoeh...@gmail.com wrote:

 So then I would create a rule from WAN to a specific IP on the
 DMZ for any 80? I have had that rule in place but I don't get the site
 when I hit it.

I think you're still talking about inbound NAT (aka, port forwards),
which you don't need.

You need to turn on outbound NAT and then delete every rule that is
not sourced from your LAN. Then you need a firewall pass rule on the
DMZ to let out what you want out, and a pass rule on the WAN to let in
every source to dst port 80/TCP.

db


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Nathan Eisenberg
 am I missing something obvious? Would I need to possibly restart the
 server itself or any switches?

You're hitting the default deny rule on the DMZ interface.  Rules on all 
interfaces are processed as 'inbound' to that interface - so return traffic 
from an HTTP request would be sourced from :80 with a destination of * (random 
source port the client OS picked).  You have a rule which allows traffic from 
any port TO :80, so you're blocking your server's replies.

The easiest thing would be to create a rule which allows all traffic sourced 
from your DMZ subnet on the DMZ interface, since that's your outbound.  That 
gives you a typical default deny in, default allow out behavior.

Also - go to Status > System Logs > Firewall.  If you have 'log packets blocked 
by the default deny rule' enabled, you'll get useful feedback about what's getting 
blocked and why.  Alternatively, you can create a deny rule at the bottom of 
your interface's rules with the 'log' flag on, and get the blocked packets that 
way.

Nathan Eisenberg


Re: [pfSense] pfSense help with creating rules

2012-02-08 Thread Jason T. Slack-Moehrle
Hi Nathan,

 am I missing something obvious? Would I need to possibly restart the
 server itself or any switches?

 You're hitting the default deny rule on the DMZ interface.  Rules on all 
 interfaces are processed as 'inbound' to that interface - so return traffic 
 from an HTTP request would be sourced from :80 with a destination of * 
 (random source port the client OS picked).  You have a rule which allows 
 traffic from any port TO :80, so you're blocking your server's replies.

 The easiest thing would be to create a rule which allows all traffic sourced 
 from your DMZ subnet on the DMZ interface, since that's your outbound.  That 
 gives you a typical default deny in, default allow out behavior.

I restarted the pfSense box and noticed that when it rebooted it had:

WAN (wan) -- em1 -- 75.xx.xx.28
LAN (lan) -- em3 -- 172.16.254.1
DMZ (opt1) -- em2 -- NONE

That is correct, right, since my servers in 75.xx.xx.xx are on the
DMZ? Do I have to do anything to tell pfSense it should answer for my
IP's? I recall when I ran Untangle I had to tell it what IP's to
answer for.

Here is the only rule I have on DMZ,

http://6colors.net/dmz.png

but I still cannot reach the server on port 80 coming from LAN or even
if I RDC to the outside someplace and come in via a browser.

-Jason