OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of budspencer »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - budspencer

Pages: [1]
1
General Discussion / Two-firewall setup: Route from internal LAN to DMZ
« on: March 08, 2022, 06:01:28 pm »
I'm setting up a dual firewall infrastructure as follows:

pfSense -> DMZ ->OPNSense -> internal LAN

The IP ranges and interfaces are as follows:
pfSense Server:
  - WAN interface: DHCP
  - DMZ interface: 10.22.0.1/24
  - Interface connecting this firewall with the internal: 10.23.0.1/24

OpnSense Server:
  - WAN interface: (disabled)
  - Interface to pfSense firewall: 10.23.0.2/24
  - Internal LAN interface: 10.24.0.1/24

The basic stuff like VPN and stuff within the internal LAN works. Now I'm struggling with setting up correct routes to access the DMZ from the internal LAN.

For example, I'm trying to ping server 10.22.0.2 in the DMZ from server 10.24.0.4 in the internal LAN. Obviously, it cannot be reached yet, because I need to somehow route to 10.22.0.0/24 via 10.23.0.1 (I guess).

How should I configure routing in this case? Or is something wrong with my network IPs?

2
Virtual private networks / Connect to OpenVPN via two firewalls behind another
« on: November 01, 2021, 04:40:11 am »
I have a pfSense Firewall as a first line of defense with 3 NIC ports:
- P0: WAN
- P1: DMZ Switch
- P2: Crossover Cable to a second firewall F2. This is the only way this firewall should reach FW2. The two share a subnet solely for the link.

The second firewall is an OPNsense with very similar configuration:
- P0: WAN (actually disabled, only enabled as management fallback (dedicated host))
- P1: Crossover cable coming from FW1
- P2: Plugged to internal lan switch

My original idea was to filter all traffic coming from the internet through FW1:
- OpenVPN should be forwarded to FW2
- Everything else that is allowed should go to the DMZ

OpenVPN itself works when connected to FW2 via WAN. As mentioned, this is not what I intended. Instead I'm trying to connect the VPN client to the public IP of FW1. But in that case I'm getting SSl erors like:

Quote
Authenticate/Decrypt packet error: bad packet ID (may be a replay)(..)

I've tried a few things already, like enabling NAT reflection in pfSense. I have two questions here:

1) Is it actually doable? Is it possible to forward OpenVPN to an internal IP of a second FW2, without doing the SSL handshake at FW1?

2) From a security standpoint I preferred the idea of having a first line of defense. Though that was more like an idea. How relevant is it from a security standpoint? Is exposing VPN via the second FW2 considered to be equally safe?

3) What alternative would you suggest to this setup, where the internal network should have some "more than default" be secured? (I know that question sounds vague. I'm looking for opinions and ideas).

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2