My preferred solution would be Internet --> pfSense ----> LAN/DMZ, but I think the main problem you have is the migration of a live network.

You could have the OpenVPN work on pfSense. Also it can do all the NAT stuff. Adding the Netscreen and IPcop will only make the network more complicated without making it more secure, IMHO. However, you know your circumstances better. If you are new to IPcop and pfSense then I would suggest that you focus on one distro - go for IPcop or go for pfSense. Learning about both on a live production network is not going to help you sleep at night. pfSense is much newer than IPcop, but the vision of the developers is amazing. There are rough edges here, but it's a really great product. I would suggest that you dump the IPcop and go for the pfSense. You will learn a lot more and end up with a much more powerful firewall.

What I usually do is install pfSense but keep the old firewall around. If the net admin sees a problem then he can put the old firewall back in again just by switching cables. There are almost always problems because this is the nature of networking, but you should be able to cope because the pfSense is REALLY excellent.

sai

On 1/30/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> Hi Sai,
>
> Do you have any other recommendation for a better solution? Please advise. Thank you.
>
> From: CE Ang
>
> > ----- Original Message -----
> > From: AngChorEng
> > To: [email protected]
> > Sent: Monday, January 29, 2007 3:51 PM
> > Subject: Fw: [pfSense Support] Pfsense load balancer and fail over for outgoing traffic
> >
> > Hi Sai,
> >
> > Yes, from Internet --> pfSense ----> Netscreen ----> Lan, DMZ,
> >
> > For the DMZ internal server, it is still ok to use a static route. The traffic can be routed in using only one layer of port mapping from PFSENSE instead of two layers of port mapping; however, for the LAN, a static route is not recommended because port mapping is still preferred for security concerns. Please correct me if I am wrong.
> >
> > My main concern is, I do have one OPENVPN server (IPCOP) sitting after the Netscreen firewall which is using the port mapping method; the authentication takes place after going through the Netscreen with port 1194 allowed. Let me explain my existing scenario and workflow: from Internet --> pfSense ----> Netscreen ----> Cisco core switch 4507R ------> VLAN server farm (IPCOP OPEN VPN). It is how my remote users like senior managers and the CEO get access to company resources. Below are the options for your review.
> >
> > Solution 1) Actually, I am thinking to replace my Netscreen firewall with IPCOP (we call it IPCOP A), and migrate the existing OPEN VPN policy from the box to IPCOP A; that would be centralized as a whole, with the new workflow: from Internet --> pfSense ----> IPCOP A plus OPEN VPN ---------> LAN in multi VLAN
> >
> > Solution 2) Alternatively, pfSense ----> Netscreen ----> Cisco core switch --------> VLAN server farm (OPENVPN), but it requires two layers of port mapping.
> >
> > Solution 3) Pfsense -------> Pfsense with OPENVPN -------> LAN in multi VLAN
> >
> > If I pick solution 2, that would be easier for the implementation; I still can sustain the Netscreen and OPENVPN box and just concentrate on PFSENSE in the front end and port mapping. But what is the impact of two layers of port mapping? The reason is, migrating the OPEN VPN policy and replacing a firewall is a nightmare. Now I am struggling with the implementation of PFSENSE because of the impact reflected on the whole network infrastructure. Please advise me if I am wrong.
> >
> > Please let me know if I am confusing you; I can explain it in more detail. Thank you.
> >
> > From:
> > CE Ang
> >
> > --- sai <[EMAIL PROTECTED]> wrote:
> >
> > > Internet --> pfSense ----> Netscreen ----> Lan, DMZ
> > > Is this what you mean?
> > >
> > > Yes, this can be done. It means that you do NATting twice, which is not good, but it is workable. You just need a new private subnet between the pfSense ----> Netscreen
> > >
> > > It might be easier to just replace the Netscreen so that if something is messed up you can put the Netscreen back in and your network works again.
> > >
> > > sai
> > >
> > > On 1/29/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > >
> > > > Hi Sai,
> > > >
> > > > Thanks for your message, I had successfully installed the PFSENSE with the latest snap, thank you.
> > > >
> > > > By the way, did you come across a solution with two layers of port mapping via two firewalls? Let me brief you on my network infrastructure so that you can understand my question. Currently, I have one Netscreen firewall as a front end box to control all the in/out bound traffic, even port mapping to internal servers by using public IP. The reason for putting a new box in front of the Netscreen is to provide a load balancer and fail over function with two WAN lines; however, initially, I am having some difficulty implementing the PFSENSE due to the IP addressing restructure. In order to get it done, I have to step ahead by changing the outbound Netscreen's interface to a private IP. Until this stage, PFSENSE becomes the main control of inbound port mapping. With this new design, do you think that the inbound traffic can be routed via two layers of firewall by the port mapping method to the DMZ and LAN internal servers? Please advise.
> > > >
> > > > Sorry for the confusion and long story. Please let me know if you need more detail about this, thanks.
> > > >
> > > > From:
> > > > CE Ang
> > > >
> > > > --- sai <[EMAIL PROTECTED]> wrote:
> > > >
> > > > > the latest snapshots would be here:
> > > > > http://snapshots.pfsense.com/FreeBSD6/RELENG_1/
> > > > > which have improved the load balancing user interface.
> > > > >
> > > > > On 1/26/07, sai <[EMAIL PROTECTED]> wrote:
> > > > > > the download mirrors are here:
> > > > > > http://pfsense.com/mirror.php?section=downloads
> > > > > >
> > > > > > a copy of the Live iso is here:
> > > > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz
> > > > > >
> > > > > > md5 of the iso.gz :
> > > > > > http://pfsense.basis06.com/download//downloads/pfSense-1.0.1-LiveCD-Installer.iso.gz.md5
> > > > > >
> > > > > > I hope that this is what you were asking for
> > > > > >
> > > > > > sai
> > > > > >
> > > > > > On 1/26/07, AngChorEng <[EMAIL PROTECTED]> wrote:
> > > > > > > Hi Scott,
> > > > > > >
> > > > > > > Thanks for your information. Sorry for the same question, but do you have any source address for the LIVECD.iso download for my PFSENSE installation? By using the livecd, it is much more straightforward and I am able to run it in trial mode before installing it to hard-disk. Please advise.
> > > > > > >
> > > > > > > Thank you.
> > > > > > >
> > > > > > > --- Scott Ullrich <[EMAIL PROTECTED]>
> === message truncated ===
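Sai's point that the Netscreen-behind-pfSense layout means NATting twice, and the question of what two layers of port mapping means in practice, shown as an added Python model (not part of the thread, and not pfSense's or Netscreen's own code): each box is a default-deny inbound device with its own destination-forward table, and the public address, the transit subnet between the boxes and the server address are constructed sample values. It shows that a packet for the OpenVPN port only reaches the server when both boxes carry a matching forward, and that destination-only rewriting leaves the real client source visible in the inner firewall's log.

```python
"""Two-layer port forwarding model (constructed example, not pfSense code).
Path from the thread's "Solution 2": Internet --> pfSense --> Netscreen --> OpenVPN.
Each firewall is default-deny inbound with a table of destination port forwards
(DNAT). All addresses are constructed samples."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)

@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint

@dataclass
class Firewall:
    name: str
    outside_ip: str                         # address the previous hop forwards to
    forwards: Dict[Endpoint, Endpoint]      # (outside_ip, port) -> (inside_ip, port)
    log: List[str]

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """DNAT if a forward matches, else drop. Only the destination is
        rewritten, so the next hop still logs the real client source."""
        target = self.forwards.get(pkt.dst)
        if pkt.dst[0] != self.outside_ip or target is None:
            self.log.append(f"{self.name}: DROP {pkt.src} -> {pkt.dst}")
            return None
        self.log.append(f"{self.name}: DNAT {pkt.src} -> {pkt.dst} => {target}")
        return replace(pkt, dst=target)

def traverse(pkt: Packet, hops: List[Firewall]) -> Optional[Packet]:
    """Push a packet through each firewall in order; None means dropped."""
    for fw in hops:
        pkt = fw.inbound(pkt)
        if pkt is None:
            return None
    return pkt

def build_chain(inner_forward_present: bool) -> List[Firewall]:
    # Constructed transit subnet 10.0.0.0/30 sits between the two boxes.
    pfsense = Firewall("pfSense", "203.0.113.10",
                       {("203.0.113.10", 1194): ("10.0.0.2", 1194)}, [])
    inner = {("10.0.0.2", 1194): ("192.168.50.10", 1194)} if inner_forward_present else {}
    return [pfsense, Firewall("Netscreen", "10.0.0.2", inner, [])]

def reach_openvpn(inner_forward_present: bool) -> Optional[Endpoint]:
    # Where a client packet to the public OpenVPN port ends up (None if dropped).
    hops = build_chain(inner_forward_present)
    pkt = traverse(Packet(("198.51.100.7", 40000), ("203.0.113.10", 1194)), hops)
    return pkt.dst if pkt else None
```

Dropping the inner forward reproduces the failure mode of a half-migrated two-layer setup: pfSense logs a successful DNAT while the Netscreen silently drops the same packet.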
