case study (help)

Hi everyone,

I really need your help. With this post I'm not trying to get the job done by someone else; instead I want directions, since I'm completely lost in this network terminology:
  • I don't have any VLANs and I'm not planning on using them.
  • I have a pfSense firewall with two interfaces, LAN (192.168.1.150/22) and WAN (192.168.0.150/22), connected directly to the switch.
  • Multiple routers, but in this case I'm experimenting on 192.168.1.2 so as not to blow up the production network; it is also connected directly to the switch.
  • A FreeBSD Squid proxy, 192.168.1.72, to manage traffic, connected to the switch.
  • Clients with 192.168.0.X addresses.
  • Servers and routers have 192.168.1.X addresses.
My purpose is to make my proxy 192.168.1.72 mandatory for going to the Internet (which I guess requires redirecting), because some guys are trying to bypass my proxy by simply changing the IE setting.

My second goal is to be able to manage all the traffic through my pfSense knowing that I have four routers and only two interfaces in my firewall.

Finally, a colleague of mine told me that this was feasible with only two interfaces on the firewall by setting up a DMZ. I don't know how, though.

Thank you in advance.
 
The networks 192.168.1.150/22 and 192.168.0.150/22 overlap and are in the same network segment. Are you sure they shouldn't be a /24 instead?

Code:
$ ipcalc 192.168.0.150/22
Address:   192.168.0.150        11000000.10101000.000000 00.10010110
Netmask:   255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network:   192.168.0.0/22       11000000.10101000.000000 00.00000000
HostMin:   192.168.0.1          11000000.10101000.000000 00.00000001
HostMax:   192.168.3.254        11000000.10101000.000000 11.11111110
Broadcast: 192.168.3.255        11000000.10101000.000000 11.11111111
Hosts/Net: 1022                  Class C, Private Internet
 
Hello sirDice, and thank you for your answer. Yes, I confirm they are on a /22, but since I'm not a network expert I can't confirm whether they should be on a /22 or a /24 subnet (that's why I'm posting :) ).
 
Did you really say that both the LAN and WAN interfaces are connected to the same switch and are using the same Ethernet segment? That is not going to work unless you also employ some technique to separate the two segments on the switch, VLANs for example.

Change the subnets to /24 and they won't overlap anymore.
 
Clients are on the LAN side and should have an address in 192.168.1.0/24. You should be able to ping(8) the LAN side of the firewall (192.168.1.150). The same goes for the servers (especially the proxy server on 192.168.1.72): clients should be able to ping them.
 
I will run out of IP addresses if I switch the clients back to a /24 configuration. However, I can ping the clients, which are on the /22, from the firewall, which is on the /24 configuration, and vice versa; I've done the test many times and it works.
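The two addressing questions in this thread (do the firewall's interfaces overlap at /22, and why does the /22 proxy still ping the /24 firewall) can be checked with Python's standard ipaddress module. This is an added example, not code from the thread; the addresses are the ones posted above, except the client address 192.168.0.20, which is constructed for illustration.

```python
"""Added example (not code from the thread): check the addressing posted
above with Python's standard ipaddress module.

It answers two questions the thread raises:
  1. do the two firewall interfaces overlap when both carry a /22?
  2. why does a /22 proxy still reach a /24 firewall with ping, and what
     happens for a /22 client talking to the same /24 interface?
Addresses are the ones posted; the client address is constructed.
"""
from ipaddress import ip_address, ip_interface, ip_network


def overlaps(a: str, b: str) -> bool:
    """True if the subnets implied by two interface addresses share addresses."""
    return ip_interface(a).network.overlaps(ip_interface(b).network)


def on_link(iface: str, dst: str) -> bool:
    """True if a host configured with `iface` treats `dst` as directly
    reachable, i.e. it ARPs for it instead of sending to a gateway."""
    return ip_address(dst) in ip_interface(iface).network


def both_on_link(a: str, b: str) -> bool:
    """Two hosts on one switch talk directly only if *each* side sees the
    other as on-link; a mismatched mask can make one direction go via a
    gateway (or out another interface) while the other is direct."""
    return on_link(a, str(ip_interface(b).ip)) and on_link(b, str(ip_interface(a).ip))


def usable_hosts(net: str) -> int:
    """Host addresses available in a subnet (network and broadcast excluded)."""
    return ip_network(net, strict=False).num_addresses - 2


# --- the thread's configuration ---------------------------------------
FW_WAN_22, FW_LAN_22 = "192.168.0.150/22", "192.168.1.150/22"  # as first posted
FW_WAN_24, FW_LAN_24 = "192.168.0.150/24", "192.168.1.150/24"  # as in the ifconfig output
PROXY = "192.168.1.72/22"                                       # Squid box, still on /22
CLIENT = "192.168.0.20/22"                                      # constructed client address


def report() -> dict:
    """Evaluate every case the thread discusses; values are stated in comments."""
    return {
        "wan/lan overlap at /22": overlaps(FW_WAN_22, FW_LAN_22),      # True: both are 192.168.0.0/22
        "wan/lan overlap at /24": overlaps(FW_WAN_24, FW_LAN_24),      # False
        "proxy(/22) <-> fw lan(/24)": both_on_link(PROXY, FW_LAN_24),  # True: the posted ping works
        "client(/22) <-> fw lan(/24)": both_on_link(CLIENT, FW_LAN_24),  # False: reply is routed
        "hosts in 192.168.1.0/24": usable_hosts("192.168.1.0/24"),     # 254
        "hosts in 192.168.0.0/22": usable_hosts("192.168.0.0/22"),     # 1022
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:30} {value}")
```

The last False case is the trap in the "it works" test: a client on 192.168.0.x/22 ARPs for 192.168.1.150 directly and the request arrives on re0, but the firewall's re0 is /24, so its reply is routed and leaves via em0 (the connected 192.168.0.0/24 route). That only "works" while both firewall interfaces and all clients still share one switch; the moment the WAN side is physically separated, as advised later in the thread, the replies vanish.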
 
I'd really suggest getting help from somebody that has a good understanding of networking. As things are moving now you are very likely to completely hose the network with everything on it.

It's not to put you down, but you seem to lack even the most basic networking skills, and not doing this properly could mean you'll end up in a world of hurt.
 
Here is the test:
Code:
root@BSDproxy:/root # ping 192.168.1.150
PING 192.168.1.150 (192.168.1.150): 56 data bytes
64 bytes from 192.168.1.150: icmp_seq=0 ttl=64 time=0.315 ms
64 bytes from 192.168.1.150: icmp_seq=1 ttl=64 time=0.212 ms
64 bytes from 192.168.1.150: icmp_seq=2 ttl=64 time=0.206 ms
^C
--- 192.168.1.150 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.206/0.244/0.315/0.050 ms

And here is my config (proxy side):

Code:
root@BSDproxy:/root # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:1f:29:d8:7e:30
        inet 192.168.1.72 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::21f:29ff:fed8:7e30%em0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

And here is the firewall:

Code:
[2.0.3-RELEASE][root@firewall.mynetwork.local]/root(1): ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether e8:39:35:4f:41:5e
        inet6 fe80::ea39:35ff:fe4f:415e%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.150 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1e:2a:c0:47:84
        inet6 fe80::21e:2aff:fec0:4784%re0 prefixlen 64 scopeid 0x2
        inet 192.168.1.150 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33664
 
Thank you sirDice for the advice, but I do think that if someone has done it I can do it too; all I need are hints and directions. It can take the time it needs, but I'm ready to learn and to experiment while taking precautions (I'm using a secondary router, as I mentioned :) ).
 
You got the basics working. Now it's time to think about separation of the networks. If you're still connecting both interfaces to the same switch, stop and get another switch for the WAN side if necessary; depending on the equipment you can just plug the WAN cable into the upstream device, router/modem, whatever it is.
 
Thank you kpa. I've mounted a new switch (Cisco SFE2000 / Level 3) where I connected the WAN interface of the router. Here is the new setup:

LAN -> Switch 1
WAN -> Switch 2
The two switches are interconnected via WAN cable.

Should I also plug all the routers on the new switch? Thanks in advance.
 
No, separate the two networks completely. Don't interconnect the switches directly with a cable. I understand that you can get a "DMZ" by leaving them connected like that, but it's a seriously insecure setup and is to be avoided if possible.
 
OK, I've disconnected the two switches. Should I keep the routers on switch 1? Or should I plug them into switch 2?

Thanks a lot for your help you're really healing my ego :)
 
A picture says more than a thousand words. And I needed some exercise with graphics/dia anyway.

Concept of a DMZ:

[Image: "firewall concept" diagram (firewall concept.jpeg)]


The DeMilitarized Zone or DMZ is like the bit of "no man's land" between two borders or, in this case, two firewalls. It's neither friendly (LAN) nor hostile (Internet).

Most people, however, do not have the budget for two firewalls, so they use one firewall with multiple interfaces to achieve the same effect:

[Image: "firewall with 3 interfaces" diagram (firewall 3 interfaces.jpeg)]


Your situation is probably more like this (without a DMZ):

[Image: "firewall without DMZ" diagram (firewall without dmz.jpeg)]


What you want to do is still possible. Simply block all traffic on the firewall from the LAN to the Internet, and only allow traffic to the Internet from the proxy server. That basically forces everybody to use your proxy server: if they change the proxy settings on the client they cannot connect to anything. It may not be "stealthy", but it sure is effective.
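The policy just described, written out as a raw pf ruleset. This is an added example, not something posted in the thread. pfSense is built on FreeBSD's pf: the rules you enter under Firewall > Rules and Firewall > NAT in its web GUI are turned into a pf ruleset, so this is the hand-written equivalent of what the GUI would generate. Interface names (re0 = LAN, em0 = WAN) are taken from the firewall's ifconfig output earlier in the thread; the proxy port 3128 (Squid's default) and Squid being run in intercept mode for the optional rdr line are assumptions.

```pf
# Added example, not from the thread: force LAN clients through the Squid
# proxy.  re0/em0 come from the posted ifconfig output; port 3128 and the
# intercept-mode rdr are assumptions.
ext_if     = "em0"
int_if     = "re0"
lan_net    = "192.168.1.0/24"
proxy      = "192.168.1.72"
proxy_port = "3128"

set skip on lo0
block log all                      # default deny, both directions, log drops

# Translation rules come first in pf.conf.
# Only the proxy's own traffic is NATed out through the WAN address.
nat on $ext_if from $proxy to any -> ($ext_if)

# Optional: transparently redirect plain HTTP from clients into the proxy
# (Squid must listen in intercept mode).  This catches port 80 only; it is
# a convenience on top of the block rule below, not a replacement for it.
# rdr pass on $int_if proto tcp from $lan_net to ! $lan_net port 80 -> $proxy port $proxy_port

# The proxy itself may go anywhere (it needs DNS and outbound HTTP/HTTPS).
# This must precede the block rule: the proxy's address is inside $lan_net
# and 'quick' stops at the first match.
pass in  quick on $int_if from $proxy to any
pass out quick on $ext_if from ($ext_if) to any   # post-NAT source address

# Clients may reach the proxy port; everything else from the LAN towards
# non-LAN destinations is dropped, so changing the IE proxy setting gets
# the user nothing.
pass in  quick on $int_if proto tcp from $lan_net to $proxy port $proxy_port
block in quick log on $int_if from $lan_net to ! $lan_net
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. The logged block rule is worth keeping: `tcpdump -n -e -ttt -i pflog0` then shows exactly which clients are still trying to reach the Internet directly. Note that HTTPS cannot be transparently redirected into an ordinary Squid listener the way port 80 can, which is another reason the explicit block, rather than the rdr, is what actually enforces the policy.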
 
Thanks to both of you. I did some testing yesterday by plugging the router into WAN switch 2, but I didn't succeed and made the Internet completely unreachable from the LAN side. Then I rolled back. To be honest, I didn't finish reading up on NAT/firewalling; I'll try to do it ASAP. By the way, what is the default firewall used by pfSense?

Thank you in advance.
 
Hi everyone, thank you for your help. I've done it by forwarding all WAN traffic to my proxy, which makes it mandatory, using the physical separation shown above. Now I have to migrate all the network services gradually, a lot of work I presume. Again, many thanks for your help; it proves to me once more that (nearly) no one is a genius, you just need the will and patience to get the job done :).
 