In my career, I have built several VPNs through a firewall, NATing the
public IP to a private IP address. However, I have only done this on Cisco
equipment; that is mainly what I work on all the time. It would be a
static IP NAT if you have a second public IP address. If you do not, you
will have to do a static port NAT sharing the outside public IP address
that you get from your provider. It sounds like you are on the right
track. pfSense should be able to do that, but it has been quite some time
since I have messed with pfSense. Putting it in the DMZ is very wise.
Also, a lot of firewalls have a geolocation block function. It appears
pfSense has this as well if you add the pfBlocker package. In several
scenarios, a lot of people don't need to communicate with specific
countries; therefore, what I have done over the years is block traffic to
and from certain countries, like in your instance Russia. You could do
it by public IP blocks, but the administrative overhead of doing this is
a nightmare. So with geolocation blocking, you just select the country and
the firewall does the rest, just for another added layer of protection.
Take care, Tony
On Fri, Jan 5, 2018 at 6:36 PM, Tom Cardinal <ki4szj(a)gmail.com> wrote:
Greetings,
I was working with Dan Cooper last spring to turn my pfSense box into an
AMPR gateway. At the time I was trying to learn how IPIP worked AND how BSD
(pfSense) worked. I'm pretty well versed in Linux... BSD... not so much.
At the time I moved to Linux and Lynwood helped me get my head around how
the IPIP tunneling works. After seeing the volume of traffic that tries to
crack into my residential ISP connection (even though it fails), I've
decided to put my AMPR gateway into a DMZ. I'm currently in the process of
moving my AMPR gateway into a pfSense DMZ.
I work in a loosely security-related position at work and I'm doing this
as a security measure to knock down some of the noise my Linux
gateway/router/firewall/AMPR gateway was seeing, mostly from Russia, China
and other places that I didn't research. My new AMPR gateway will still be
on Linux, actually Raspbian on a Raspberry Pi, but the only traffic it'll
ever see is encapsulated traffic and traffic from my network, because all of
the other noise will be filtered by the pfSense box and won't exist in my
DMZ.
Out of the box the pfSense user interface doesn't have support for
ipencap or AX25. I did a little bit of research (Google) and found an
older post on the pfSense forum about which files to edit to add ipencap
and ax25 to the UI. Also, I just asked on the pfSense subreddit to see if
there are any other places within the pfSense UI to edit which protocols
are available for use.
Is anyone else using this method to NAT forward IPIP traffic to an
internal gateway (in my case using pfSense)? I'm looking to find out if
I've missed anything with the port forwarding before I move forward. I know
Brian (N1URO) was working with IPIP tunneling behind a NAT and I think
(THINK) this might work.
So... here's what I've done.
pfSense version is 2.4.2p1. File edits follow...
In file:
/usr/local/www/firewall_nat_edit.php
On line 708, change:
$protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF";
To:
$protocols = "TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP PIM OSPF IPENCAP AX25";
In file:
/usr/local/www/firewall_nat_out_edit.php
On line 510, change:
$protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync";
To:
$protocols = "any TCP UDP TCP/UDP ICMP ESP AH GRE IPV6 IGMP carp pfsync IPENCAP AX25";
In file:
/usr/local/www/firewall_rules_edit.php
Insert as line 1315 and 1316:
'ipencap' => 'IPENCAP',
'ax25' => 'AX25',
--
Tom / n2xu / MSgt USAF (Ret) / BSCS, CASP
_________________________________________
44Net mailing list
44Net(a)mailman.ampr.org
https://mailman.ampr.org/mailman/listinfo/44net
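The three file edits Tom lists are hand edits to files under /usr/local/www, which a pfSense upgrade replaces, so they have to be re-applied after every upgrade. The script below is an added example, not code from Tom's post or from the pfSense project: it applies the same three edits idempotently (a second run changes nothing), and adds the check a practitioner would want before trusting the new dropdown entries, namely that each name resolves in an /etc/protocols-style file, since pf looks `proto <name>` up there when the generated ruleset is loaded. Two things are assumptions: that the $protocols array in firewall_rules_edit.php has one tab-indented entry per line ending in an `'ospf' => 'OSPF',` line to anchor on (the post gives line numbers, not the surrounding text), and the constructed sample files used to exercise it. Note that on a stock FreeBSD /etc/protocols the AX.25 entry is spelled `ax.25`, which is why the check is worth running for that one.

```shell
#!/bin/sh
# Added example, not code from the post above: idempotent helpers for the three
# pfSense 2.4.x UI edits Tom describes, plus a check that the protocol names
# resolve in an /etc/protocols-style file, which is what pf consults when it
# loads "proto <name>" from the generated ruleset. Re-run after every pfSense
# upgrade (files under /usr/local/www are replaced); re-running is a no-op
# when the entries are already present.
set -eu

# add_protocols FILE NAME...  Append each NAME to the first line of the form
#   $protocols = "TCP UDP ...";
# in FILE, keeping its indentation and skipping names already in the list.
add_protocols() {
  file=$1; shift
  tmp="$file.tmp.$$"
  awk -v add="$*" '
    {
      ind = ""; line = $0
      if (match(line, /^[ \t]+/)) { ind = substr(line, 1, RLENGTH); line = substr(line, RLENGTH + 1) }
      if (!seen && index(line, "$protocols = \"") == 1 && substr(line, length(line) - 1) == "\";") {
        list = substr(line, 15, length(line) - 16)      # text between the quotes
        n = split(add, names, " ")
        for (i = 1; i <= n; i++)
          if (index(" " list " ", " " names[i] " ") == 0) list = list " " names[i]
        $0 = ind "$protocols = \"" list "\";"
        seen = 1
      }
      print
    }' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# protocols_line FILE   Print the current list (used to verify the edit).
protocols_line() {
  awk '{ l = $0; sub(/^[ \t]+/, "", l) }
       index(l, "$protocols = \"") == 1 { print substr(l, 15, length(l) - 16); exit }' "$1"
}

# insert_after_match FILE ANCHOR LINE...  Insert each LINE, in order, after the
# first line containing ANCHOR, unless an identical line already exists.
insert_after_match() {
  file=$1; anchor=$2; shift 2
  for new in "$@"; do
    if ! grep -Fqx -- "$new" "$file"; then
      tmp="$file.tmp.$$"
      awk -v anchor="$anchor" -v new="$new" '
        { print }
        !seen && index($0, anchor) { print new; seen = 1 }' "$file" > "$tmp"
      mv "$tmp" "$file"
    fi
    anchor=$new          # the next line goes after the one just placed
  done
}

# apply_pfsense_edits ROOT   ROOT is / on the firewall, a scratch dir for a dry run.
apply_pfsense_edits() {
  www="${1%/}/usr/local/www"
  tab=$(printf '\t')
  add_protocols "$www/firewall_nat_edit.php" IPENCAP AX25
  add_protocols "$www/firewall_nat_out_edit.php" IPENCAP AX25
  # ASSUMPTION: the $protocols array in firewall_rules_edit.php has one
  # tab-indented entry per line and an 'ospf' => 'OSPF', entry to anchor on;
  # the post only gives line numbers, so check your copy first.
  insert_after_match "$www/firewall_rules_edit.php" "'ospf' => 'OSPF'," \
    "${tab}'ipencap' => 'IPENCAP'," \
    "${tab}'ax25' => 'AX25',"
}

# proto_number PROTOFILE NAME   Print the IP protocol number for NAME, matching
# the primary name or any alias (case-insensitively); exit 1 if it is absent.
proto_number() {
  awk -v want="$2" '
    BEGIN { want = tolower(want) }
    { sub(/#.*/, "") }                                   # drop comments
    NF >= 2 { for (i = 1; i <= NF; i++)
                if (i != 2 && tolower($i) == want) { print $2; found = 1; exit } }
    END { exit (found ? 0 : 1) }' "$1"
}

# check_protocols PROTOFILE NAME...   Report names pf would not resolve.
check_protocols() {
  pf=$1; shift; rc=0
  for name in "$@"; do
    if num=$(proto_number "$pf" "$name"); then
      echo "$name -> protocol $num"
    else
      echo "$name: not in $pf, so a rule with 'proto $name' will not load" >&2
      rc=1
    fi
  done
  return $rc
}

# On the firewall, after backing up the three files:
#   sh pfsense_ipip_ui.sh apply    # patch the UI under /
#   sh pfsense_ipip_ui.sh check    # confirm ipencap and ax25 resolve
case "${1:-}" in
  apply) apply_pfsense_edits / ;;
  check) check_protocols /etc/protocols ipencap ax25 ;;
esac
```

Run it with `check` first: if a name does not resolve, the dropdown entry will save but the rule will not load, and `pfctl -sn` on the box will not show the forward. Once the IPIP forward is saved and the filter reloaded, the same `pfctl -sn` output should carry an rdr line with the ipencap protocol (by name or as number 4) pointing at the DMZ gateway.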