I have a PFsense setup with a WAN, LAN and Management interface.
On the LAN interface, I want to block access to several LAN ip`s. These are accesspoints with a webinterface.
My rules are below. What am I doing wrong?
https://www.dropbox.com/s/nyrr2ot61tna3pj/fw.png?dl=0
Argh, ofc this cant be done using a router as it doenst pass traffic on the LAN, devices communicate directly with eachother
To elaborate, what you've done is create two rules. The rules say that any traffic coming in from any device on the LAN, can't have a destination of '5.1 ports 22-443 (or '5.2 any port) otherwise it'll be blocked. The problem is that if its already on the LAN and its destination is on the LAN as well, it'll never go via your router in the first place, so the rules won't ever be acted on.
Its a bit like having 3 PCs on a LAN and one of them has a firewall rule that if the other 2 send traffic between them it should be blocked - its useless and can't do anything.
Related
I have multiple virtual machine(vmware)(linux) but would like to make one as the server, meaning all the client who wants to access the internet, uses the server internet so, the server is able to view all the incoming and outgoing data packets.
Also, I would like to install another virtual machine to act as an IDS to track the server packet, if anything is wrong it is able to flag out.
Thanks for your help in advance
You can setup one Linux server as the gateway for the others. All you need is to create two virtual ethernet interfaces for it, one in bridged mode and other in virtual network mode.
One will be bridged with your actual network and act as the WAN, and the other will be act as a LAN gateway for others VM's.
So other VM's should use your server virtual network IP address as main gateway, and you can use tcpdump or wireshard or everything you like to sniff traffic forwarded.
One thing you need to configure on the server is IP forwarding option in sysctl, which is disabled by default:
net.ipv4.ip_forward = 1
You may find more relevant information here too.
Hope it will help you.
Hi I have a Huawei ADSL modem with a dynamic IP. I set up a dynamic dns with freedns and I can easily access my Virtual host on apache from outside my private network, from internet.
So trying to access it from a local network I get a modems login page.
I have the rule in my modems NAT to connect port 80 to my server but it seems it doesnt work from internal net.
My server hosting the virtual host is 192.168.0.1 , the modem has the 192.168.0.254 address.
I tried to put my external domain name into the /etc/hosts file, but if I do that then asterisk server gets confused.
What could be the cause of the problem ? And what would be the best solution to this problem ?
Should I set up a caching DNS on the private side of the net ?
Hugger is half right... Its because your router is blocking loopbacks. The easiest way around this is to edit the hosts file (See the Wiki page) on the computer that is behind the network to see the local IP of the computer as the virtual host your going for. For example if your server is on 192.168.0.1 and the virtual hostname is www.imrad.com then insert
192.168.0.1 www.imrad.com
into your hosts file. If your computer leaves the local network (like a laptop you take to work) and joins a network not behind your router you need to comment out the line in the hosts file.
well actually to access that you must find the local ip address of the server by going into command line/prompt and typing ipconfig /all then you will find ipv4 address. Take note of that.
Go to another computer and your that ip and it will show.
The reason that was happening is because the router/modem knows you are in its network so it will think you ar trying to go top the login page of it. That happens to me too.
I have the following problem:
I have Windows 2003 RAS VPN server configured with a single Nic (let's call it LAN1) behind a firewall (lets call it's public address WAN1). PPTP & L2TP ports are forwarded to the Server.
When a client (Windows or LINUX) in a remote network behind a firewall (LAN2) tries to connect to a PPTP VPN on the WAN1 everything goes fine.
When a second client in the same LAN2 tries to connect to the same VPN on the same WAN1 I get an error 629.
It's independant of which machine gets the first connection.
Apparently the problem is also independant of the router/firewall hardware of LAN2 (We have tested it from at least five different types of remote small router/firewalls - linksys, huawey, d-link, etc.)
The firewall WAN1 listens to two internet connections. The problem is independant of which external address the clients are pointing to (even if two different workstations point to different IP addresses to attempt to stablish a vpn).
Inside LAN1, there is no such limitation and multiple workstations connect just fine.
Theres also no limitation from different remote LANs.
Is this a limitation of PPTP protocol?
Thanx in advance.
From your description it sounds like the issue is at the remote end. You mention that when a second user from LAN2 attempts to reach the same VPN server at WAN1 you receive an error.
Depending on the firewall mechanism in use there can be a "limitation" that exists with regard to PPTP connection tracking and multiple VPN connections to the same server address.
Google: pptp multiple connections to same ip
Due to the way in which NAT tracks PPTP connections, specific modules need to be loaded in order to handle multiple connections to a single server.
If it's netfilter based, make sure 'nf_conntrack_pptp' and 'nf_nat_pptp' are loaded.
Every time I use a different router and different P2P program, I get the same problem - port forwarding. I then usually read random values of ports(TCP, UDP, whatever) and paste it into random places in my router setttings page and repeat this process until the damn thing starts working. As I am a bit tired of doing that i would like to understand the theory behind it a little bit, so that I can put the right things in right places immediately. Could anybody just explain it briefly to me in a few words? Apologies for lengthy description of the problem, but I didn't know how to describe the level of understanding that I am talking about in a more concise way.
Thanks.
Well, the router hides you from the outer world, so you can only make outgoing connections, for which router takes care of sending your requests to the outer world, receiving responses, and sending those back to you. No one can send a packet to you unless you have specifically asked for it—i.e. you can only receive responses.
In case on p2p, the ability to send packets to your machine is important if not vital. So what you do is ask router to forward (here! that's where the word comes from) all incoming packets to port X to your machine, port X.
Originally IP addresses were provided per device, now-a-days we tend to have 1 IP address per household (unless your doing something crazy), also called your external IP. Your external IP is your connection to the world via your router, but each computer within your network has it's own IP (called internal IP). Port forwarding allows the external world to establish communications with a specific computer.
A web server is a simple example, web services typically rely on port 80, what-if in your network you had 4 computers, 1 of which was your web server. How would the outside world know which PC to contact? Port Forwarding allows you to tell your router to direct internet traffic to that server.
I have a Sony Viao with LAN, wireless and mobile broadband. I am a software developer often working at a customers address on their LAN. Is it possible to dedicate a browser like chrome to a specific IP route such as the mobile broadband.
This would allow me to use chrome when on the customers sites to view websites blocked by the customers rules. e.g. Web based email clients like hotmail.
Note that this is different from adding a route to a specific site through a specified nic using a routing table. I want to specify my local application to bind to a specific NIC.
Any ideas. This will help not only me but contract software developers everywhere. Something is surely available.
Thanks
Dave
Programmatically, restricting yourself to a specific NIC is done by calling bind() with the NIC's IP address after creating the socket but before connecting. If you omit this step, the sockts interface will use a local IP address of 0.0.0.0 ("any") and a local port number of 0 ("any").
I don't believe there is any option in Chrome, FireFox, or MSIE to support this. You could always grab the source, change it, and compile it yourself. (Not fun, I know.)
Or, as Mr.Moose says, you can run a local http proxy and modify it's code to bind outgoing connections to the desired NIC.
Updating your routing table is probably easiest even if it's not exactly what you want.