Verified Commit 285a9506 authored by Mike Jones 🌶

Finalise pfSense configuration article

parent 3288d333
Pipeline #278 passed with stage in 33 seconds
......@@ -13,6 +13,7 @@ description: |
* [Part 1 (Introduction, OVH configuration.)](/posts/2019/02/13/remote_proxmox_lab_intro/)
* [Part 2 (Configuring Proxmox. You're here!)](#)
* [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)
Now, we'll need to install Proxmox on the server. I won't cover the basic
installation in this post, but I am using Proxmox VE 5, which is available as a
......
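Review bot: The Part 4 link, `/posts/2020/01/11/configuring_pfsense`, has no trailing slash, while the Part 1 and Part 3 links in the same list end in `/`. Add the slash so every link in the series list follows one form. The same Part 4 line is repeated in the series lists of the other posts touched by this commit, so it needs the same fix there.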
......@@ -12,6 +12,7 @@ description: |
* [Part 1 (Introduction, OVH configuration. You're here!)](#)
* [Part 2 (Configuring Proxmox.)](/posts/2019/02/13/configuring_proxmox/)
* [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)
## Overview
......
......@@ -12,6 +12,7 @@ description: |
* [Part 1 (Introduction, OVH configuration.)](/posts/2019/02/13/remote_proxmox_lab_intro/)
* [Part 2 (Configuring Proxmox.)](/posts/2019/02/13/configuring_proxmox/)
* [Part 3 (Installing pfSense. You're here!)](#)
* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)
## First boot
......
......@@ -14,53 +14,75 @@ description: |
* [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
* [Part 4 (Configuring pfSense. You're here!)](#)
Finally, we need to forward traffic from the WAN to internal VMs.
## Connecting a virtual machine to the router
* Create a new VM in Proxmox
* Set its network device to use vmbr2 (OPT1 in pfSense)
Firstly, a new Proxmox virtual machine must be created. Ensure its network device
is set to `vmbr2` (which is configured as the OPT1 device in pfSense).
## Setting up virtual IP addresses
* Firewall -> Virtual IPs
* Add:
- Type: "Proxy ARP"
- Interface: "OPT1"
- Address type: "Network"
- Address(es): "10.5.4.2" / "32" (single IPv4 address)
- Description: Not parsed
* Add:
- Type: "Proxy ARP"
- Interface: "WAN"
- Address type: "Network"
- Address(es): "5.39.60.71" / "32" (single IPv4 address)
- Description: Not parsed
Virtual IPs are required for NAT. [Here is pfSense's official documentation](https://docs.netgate.com/pfsense/en/latest/book/firewall/virtual-ip-addresses.html).
1. From the "Firewall" menu, select "Virtual IPs".
2. Add two new virtual IPs with the following settings:
1. The internal IP address:
- Type: "Proxy ARP"
- Interface: "OPT1"
- Address type: "Network"
- Address(es): "10.5.4.2" / "32" (single IPv4 address)
- Description: Not parsed
2. The external IP address:
- Type: "Proxy ARP"
- Interface: "WAN"
- Address type: "Network"
- Address(es): "5.39.60.71" / "32" (single IPv4 address)
- Description: Not parsed
## Configuring 1:1 NAT
* Firewall -> NAT -> 1:1
* Add:
Next, we will bind all traffic for the external IP to an internal IP address.
1. From the "Firewall" menu, select "NAT", and then "1:1".
2. Add a new rule:
- Interface: "WAN"
- External subnet IP: "5.39.60.71"
- Internal IP: "Single host" "10.5.4.2"
- Destination: "Any"
- Description: Not parsed
This forwards all traffic sent to the external IP address (5.39.60.71) to the
internal VM (10.5.4.2).
## Firewall rules to permit traffic to the servers
(HTTP/HTTPS example)
For this example, the VM installed requires HTTP and HTTPS traffic to be allowed
to the VM, so we need two firewall rules on the WAN device.
Add rules to allow access from the internet to internal servers:
1. From the "Firewall" menu, select "Rules".
2. Add two rules:
* HTTPS:
- Action: "Pass"
- Interface: "WAN"
- Address family: "IPv4"
- Protocol: "TCP"
- Source: "Any"
- Destination: "Single host or alias" "10.5.4.2"
- From: "443"
- To: "443"
- Description: Not parsed
* HTTP:
- Action: "Pass"
- Interface: "WAN"
- Address family: "IPv4"
- Protocol: "TCP"
- Source: "Any"
- Destination: "Single host or alias" "10.5.4.2"
- From: "80"
- To: "80"
- Description: Not parsed
* Firewall -> Rules
* Add:
- Action: "Pass"
- Interface: "WAN"
- Address family: "IPv4"
- Protocol: "TCP"
- Source: "Any"
- Destination: "Single host or alias" "10.5.4.2"
- From: "443"
- To: "443"
- Description: Not parsed
* Add: (the same but for port 80)
Further similar rules can be added for any other ports that need to be accessible
from the WAN.
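Review bot: In "Configuring 1:1 NAT", the sentence "This forwards all traffic sent to the external IP address (5.39.60.71) to the internal VM (10.5.4.2)" reads as if the VM is fully exposed once the mapping exists. Say there that inbound traffic is still subject to the WAN rules added in the next section, and that those rules name the internal address 10.5.4.2 as their destination for that reason. Separately, the "Setting up virtual IP addresses" steps add a Proxy ARP entry on OPT1 for 10.5.4.2, the same address the text gives as the VM's own. Either explain why the firewall should answer ARP for that address or drop the entry. The closing sentence about further rules could also suggest narrowing "Source" from "Any" for services that are not meant to be public.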