When we are behind NAT, we may need to open ports so that certain services can be reached from outside. If you have a NAS with an FTP, VPN or SSH server and you want to reach those services from the Internet, you will have to open the corresponding ports in the NAT so that the connection can be started from outside. If you open ports in the NAT but your operator has put you behind CG-NAT, it will be of no use to you: the public address is shared with other customers and the inbound connection never reaches your pfSense.

To open a port, the first thing we have to do is go to the “Firewall / NAT” section and, in the “Port forward” tab, create a new rule. This menu has many configuration options, but basically what we have to fill in is the following:

Protocol: the protocol we want to forward; in the example it is TCP.

Destination Port Range: a single port or a range of ports. For a range, put the first port in «From», for example 60000, and the last port in «To», for example 61000. In the example we have opened port 51400.

Redirect target IP: type Single host; in Address, the private IP address of the machine to which you want to open the port.

Redirect target port: normally the same port as in “Destination Port Range” (for a range, the first port of the internal range; pfSense works out the end of the internal range from the size of the external one). It can be different, though: this lets us keep 51400 open on the WAN but internally “modify” it on the fly and deliver the traffic to port 51500, for example.

In the following screenshots you can see how to do it:

In the “Firewall / Rules” section we see one tab per interface on which to create rules; right now we have five interfaces: WAN, LAN, Management, Teams, Guests. The rules we create in the pfSense firewall are the most important part of segmenting the network correctly and of allowing or denying the traffic that flows through the physical and logical interfaces we have created. Remember that the rules are evaluated in order, from top to bottom, and the first matching rule wins: if we put a very general rule at the top and the more specific ones below it, the latter will never be reached, because the general rule has already matched.

There is an additional tab called “Floating”. These are special rules that can affect one or more interfaces and that are placed above the rules we define for each interface: if a floating rule affects an interface, it is evaluated before the rules defined on that interface's own tab. Floating rules can be applied in the in direction, the out direction or both; filtering in both directions is easy to get wrong, so review them carefully before applying them. One caveat: a floating rule only takes precedence over the interface rules if its “Quick” option is checked; the interface rules are always quick, so a non-quick floating rule only applies when nothing else has matched. For certain applications, such as pfBlockerNG, floating rules are very useful, but normally we will not use them.

In “Firewall / Rules / WAN” we see two predefined rules, which block the “private networks” and the “bogon networks”, as we explained earlier. The third rule is the port opening we have just made: pfSense adds it automatically together with the port forward, and it passes traffic to the internal IP and port, because the NAT translation is applied before the filter rules are checked.

On the LAN we also have predefined rules: basically an anti-lockout rule that prevents us from blocking our own access to the pfSense web administration interface (if the SSH server were enabled, this rule would also allow access to the SSH port). Next we have the rule that allows access from the LAN to anywhere, with both IPv4 and IPv6. Remember again that the rules are checked from top to bottom: if we put a “block all” at the top, we will immediately cut ourselves off.

The rest of the networks we have configured, with their corresponding VLANs, have completely empty rule sets. An empty tab means an implicit deny all: we will have to add an allow rule before any traffic can pass through that interface.
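To make the NAT and rule-evaluation behaviour described above concrete, here is an added Python model, written for this article and not pfSense or pf code, of the path an inbound packet takes: the port forward rewrites the destination first, then floating rules and the interface tab are walked top to bottom, first quick match wins, and no match is the implicit deny. The addresses, rule descriptions and the two-entry stand-in for the bogon list are constructed for illustration.

```python
"""Model of pfSense (pf) inbound processing: Port forward (rdr) first, then the
filter rules of the packet's interface tab, top to bottom. Added example; all
addresses, ports and rule descriptions below are constructed, not from pfSense."""
import ipaddress
from dataclasses import dataclass
from typing import Container, Dict, Iterable, List, Optional, Tuple, Union

Nets = Optional[Union[str, Tuple[str, ...]]]   # one or more CIDRs; None = any

# Constructed sample addressing (assumption for the example)
WAN_IP, FW_LAN_IP, LAN_NET, NAS_IP = "203.0.113.5", "192.168.1.1", "192.168.1.0/24", "192.168.1.10"
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
BOGONS = ("0.0.0.0/8", "240.0.0.0/4")   # tiny stand-in for the list pfSense downloads


def packet(iface: str, proto: str, src: str, dst: str, dport: int) -> dict:
    return {"iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _in(addr: str, nets: Nets) -> bool:
    if nets is None:
        return True
    nets = (nets,) if isinstance(nets, str) else nets
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)


@dataclass
class PortForward:
    """One Firewall / NAT / Port forward row. ext_from..ext_to is the Destination
    Port Range; target_port is the Redirect target port, i.e. the first port of
    the internal range, so it may differ from ext_from."""
    iface: str
    proto: str
    ext_dst: str
    ext_from: int
    ext_to: int
    target_ip: str
    target_port: int

    def apply(self, pkt: dict) -> dict:
        if (pkt["iface"], pkt["proto"], pkt["dst"]) != (self.iface, self.proto, self.ext_dst):
            return pkt
        if not self.ext_from <= pkt["dport"] <= self.ext_to:
            return pkt
        # The end of the internal range follows from the size of the external range.
        return {**pkt, "dst": self.target_ip,
                "dport": self.target_port + pkt["dport"] - self.ext_from}


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    iface: Optional[str] = None          # None = any interface (floating rule)
    proto: Optional[str] = None          # None = any protocol
    src: Nets = None
    dst: Nets = None
    dports: Optional[Container[int]] = None
    quick: bool = True                   # interface-tab rules are always quick
    descr: str = ""

    def matches(self, pkt: dict) -> bool:
        return ((self.iface is None or pkt["iface"] == self.iface)
                and (self.proto is None or pkt["proto"] == self.proto)
                and _in(pkt["src"], self.src) and _in(pkt["dst"], self.dst)
                and (self.dports is None or pkt["dport"] in self.dports))


def evaluate(floating: Iterable[Rule], rules: Dict[str, List[Rule]], pkt: dict) -> Tuple[str, str]:
    """Floating rules are checked before the interface tab. A matching quick rule
    decides at once; a non-quick floating match only wins if nothing quick
    matches afterwards (last match wins). No match at all is the implicit deny."""
    last = None
    for rule in list(floating) + rules.get(pkt["iface"], []):
        if rule.matches(pkt):
            if rule.quick:
                return rule.action, rule.descr
            last = rule
    return (last.action, last.descr) if last else ("block", "implicit deny")


def inbound(pkt: dict, forwards: Iterable[PortForward], rules: Dict[str, List[Rule]],
            floating: Iterable[Rule] = ()) -> Tuple[str, str, dict]:
    """Full path: NAT first, then filter. Returns (action, rule, translated packet)."""
    for fwd in forwards:
        pkt = fwd.apply(pkt)
    action, descr = evaluate(floating, rules, pkt)
    return action, descr, pkt


FORWARDS = [
    # WAN 51400 is reachable from the Internet, but the NAS listens on 51500
    PortForward("WAN", "tcp", WAN_IP, 51400, 51400, NAS_IP, 51500),
    PortForward("WAN", "tcp", WAN_IP, 60000, 61000, NAS_IP, 60000),
]

RULES = {
    "WAN": [
        Rule("block", "WAN", src=RFC1918, descr="Block private networks"),
        Rule("block", "WAN", src=BOGONS, descr="Block bogon networks"),
        # The associated filter rules match the *translated* destination (NAS, internal port)
        Rule("pass", "WAN", "tcp", dst=NAS_IP, dports={51500}, descr="NAT NAS 51400->51500"),
        Rule("pass", "WAN", "tcp", dst=NAS_IP, dports=range(60000, 61001), descr="NAT NAS 60000-61000"),
    ],
    "LAN": [
        Rule("pass", "LAN", "tcp", dst=FW_LAN_IP, dports={80, 443}, descr="Anti-Lockout Rule"),
        Rule("pass", "LAN", src=LAN_NET, descr="Default allow LAN to any"),
    ],
    "Guests": [],   # empty tab: implicit deny, nothing gets through
}

if __name__ == "__main__":
    for p in (packet("WAN", "tcp", "198.51.100.7", WAN_IP, 51400),
              packet("WAN", "tcp", "10.1.2.3", WAN_IP, 51400),
              packet("Guests", "tcp", "192.168.30.5", "8.8.8.8", 443)):
        print(p["iface"], p["dport"], "->", inbound(p, FORWARDS, RULES)[:2])
```

The two things worth taking from the model: a pass rule on the WAN tab written against the public address and port 51400 never matches, because by the time the filter runs the destination is already the NAS on 51500; and a non-quick floating pass rule loses to the quick “Block private networks” rule that follows it, which is why floating rules need “Quick” to take precedence.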