Linux gateway/router issues, please help!

[HawkMan]

Do you ever plan on becoming a network engineer or network manager at a larger corporation with network management as you main responsibility ? If so you might want to use the Cisco, however in that case you'd probably be better of using it as a learning tool and experiment with it. and you probably don't want to experiment to much with your main route to the internet :p

[+BudMan MVC]

Do you have plans to work in the IT field as network guy? Are you going for your CCNA? If not knowing the IOS of cisco gets you nothing. And again lets learn the basic concepts before jump into the inner workings of cisco's ios.

And a 2600 is just that a router - does it have the firewall feature set installed?

http://www.cisco.com...ide/fw3600.html

Again your looking to be dropped off in the middle of the ocean without so much as even some floaties let alone a life vest.

Here is the other point - wanting to play with the inner workings of iptables or pf or ipfw on freebsd or any of the other firewalls on linux/bsd that is great - but not sure I would use it as my gateway to the internet and firewall between these other machines on the .0 while your on a steep learning curve.

Why not play with those things inside the safety of your own network. You can quite easy split your network up as much as you want once you have isolated it from the hostiles on .0 network ;)

If you don't have real hardware - you can play with using any linux/bsd distro as router/firewall all you want just on a few VMs. Same goes for cisco, if you know someone that can get you the images (hmm wonder who might be able to help you there?<grin>) you can setup fairly extensive cisco lab just using http://www.gns3.net/

[Captain_Rainbowbeard]

Do you ever plan on becoming a network engineer or network manager at a larger corporation with network management as you main responsibility ? If so you might want to use the Cisco, however in that case you'd probably be better of using it as a learning tool and experiment with it. and you probably don't want to experiment to much with your main route to the internet :p

Oddly enough I do have long(ish) term aspirations to get into networking, not just as a field of study but as a career path also, I have my CCNA self study guided here at home and was working on this a little until a friend recommended that if I wish to break into the IT industry I should probably take the short route initially and get into helpdesk work first as a 'foot in the door'. I already have an MCTS qualification and am some way towards gaining an MCITP certificate, hope to take exam next month :laugh:

You are correct though that messing with my main route to the internet is probably not the most recommendable option, I like my internet! :D

Do you have plans to work in the IT field as network guy? Are you going for your CCNA? If not knowing the IOS of cisco gets you nothing. And again lets learn the basic concepts before jump into the inner workings of cisco's ios.

And a 2600 is just that a router - does it have the firewall feature set installed?

I'm unsure if it does have the firewall feature set installed though would have been prepared to do this myself, of course with some guidance from online walkthroughs and how-to's (the source of a good portion of my current knowledge)... :rolleyes:

Here is the other point - wanting to play with the inner workings of iptables or pf or ipfw on freebsd or any of the other firewalls on linux/bsd that is great - but not sure I would use it as my gateway to the internet and firewall between these other machines on the .0 while your on a steep learning curve.

Why not play with those things inside the safety of your own network. You can quite easy split your network up as much as you want once you have isolated it from the hostiles on .0 network ;)

Fair point, though as before mentioned I would like to make sure that my web/FTP server is as secure from potential attacks as possible and I figured a hardware firewall between me and the outside world would be the best way to achieve this. If you could offer any alternative solutions that would give me the security and piece of mind I would like I'm quite open to suggestion...

If you don't have real hardware - you can play with using any linux/bsd distro as router/firewall all you want just on a few VMs. Same goes for cisco, if you know someone that can get you the images (hmm wonder who might be able to help you there?<grin>) you can setup fairly extensive cisco lab just using http://www.gns3.net/

I have a real, hardware based Cisco lab at home compliments of an old friend when I bought my CCNA study guide comprising of 2x 2600 series routers, 1x 2500 series router and a Catalyst 2900 XL series switch to 'play' around with (complete with crossover cables, and rollover cable with DB9 adapter to access the console), also have a copy of Cisco Networking Academy, though would still be quite interested in getting hold of those images... (cough, cough...) :rolleyes:

VMs also sound like a reasonable idea for experimentation, I do have VMware with VIX and VSphere too, would be interesting to play with some virtualized environments, particularly considering that it seems to be a much more common standard for large businesses to use these days than individual, physical hardaware.

[n_K]

From what I remember of cisco, only the catalyst series of devices had firewalls.

[Captain_Rainbowbeard]

From what I remember of cisco, only the catalyst series of devices had firewalls.

I understand that the Cisco IOS Firewall feature set IS available for the 2600 series routers though does not come pre-installed, this can be downloaded from Cisco here:

http://www.cisco.com/en/US/docs/ios/12_0t/12_0t1/feature/guide/fw3600.html

[+BudMan MVC]

"though would have been prepared to do this myself"

Just so you know - updating those would not be free ;) Cisco is not cheap!! You can pick up older hardware from 3rd party for not all that much. But the images they have installed is where lots of cost comes from.

Now (cough, cough) you might have alternate sources for your images?? Now some people might be ok with (cough, cough) sharing images if they know its only going to go on VM for learning.. Putting on actual hardware is a different matter, and brings into question other concerns of trust and where that hardware might end up in the end, etc.

As to securing your network - any of the distros out there will be good. Keep in mind you made no mention of an application firewall or reverse proxy. If you looking to secure web/ftp applications a normal firewall does not promise any extra security for flaws/exploits into those applications.

Your firewall to will allow you to secure it from who you don't want to access it - but if you open that up to the public net, then the security of the application comes down to that application. Not the firewall that just provided access - if that is your concern then you need to look for a reverse proxy, etc. that can filter for application exploits and block them, etc.

edit: that is info about the feature set, not the actual feature set image. Again (cough, cough) actual purchase of the feature set is NOT CHEAP!!

[Captain_Rainbowbeard]

"though would have been prepared to do this myself"

Just so you know - updating those would not be free ;) Cisco is not cheap!! You can pick up older hardware from 3rd party for not all that much. But the images they have installed is where lots of cost comes from.

Now (cough, cough) you might have alternate sources for your images?? Now some people might be ok with (cough, cough) sharing images if they know its only going to go on VM for learning.. Putting on actual hardware is a different matter, and brings into question other concerns of trust and where that hardware might end up in the end, etc.

Of course, I wouldn't even dream of promoting the unauthorized use and sharing of proprietary images for illegitimate purposes, even if the hardware were only to be used for study purposes and will not be sold or passed on to anyone else after use. I fully understand and adhere to strict proprietary software licences, after all, all of my software is entirely legit and paid for... :rolleyes: (or open source in accordance the GNU General Public License Agreement)

As to securing your network - any of the distros out there will be good. Keep in mind you made no mention of an application firewall or reverse proxy. If you looking to secure web/ftp applications a normal firewall does not promise any extra security for flaws/exploits into those applications.

Your firewall to will allow you to secure it from who you don't want to access it - but if you open that up to the public net, then the security of the application comes down to that application. Not the firewall that just provided access - if that is your concern then you need to look for a reverse proxy, etc. that can filter for application exploits and block them, etc.

Could you recommend a 'free' solution of this manner for Server 2008 R2?

edit: that is info about the feature set, not the actual feature set image. Again (cough, cough) actual purchase of the feature set is NOT CHEAP!!

My mistake, this was a link someone else sent me...

[n_K]

If you want you could do what I did, keep the NAT setup on debian and get SNORT/Suricata and put that on it and run it in IPS which will protect your servers and clients :)

[Captain_Rainbowbeard]

If you want you could do what I did, keep the NAT setup on debian and get SNORT/Suricata and put that on it and run it in IPS which will protect your servers and clients :)

Nice idea though sadly this still leaves me with the issue of my improperly configured NAT not allowing me access the FTP server from outside of my .1 network and vice/versa :/ and thus back to the beginning of my problem...

[+BudMan MVC]

Or you could just run pfsense and install the snort package.

Who do you want to be able to access your ftp server?? People on the .0 or people on the internet? Cuz people on the internet is not going to happen unless you have control or access to the nat router between the .0 and the internet to create the forward to your .0 address.

[Captain_Rainbowbeard]

Or you could just run pfsense and install the snort package.

Who do you want to be able to access your ftp server?? People on the .0 or people on the internet? Cuz people on the internet is not going to happen unless you have control or access to the nat router between the .0 and the internet to create the forward to your .0 address.

People on the internet mostly, though accessing the the router that connects to the internet is no problem, the first thing I did when I moved in was demanded the admin password to the router configuration setup from the landlord so am able to forward ports no problem :laugh: Was able to access my web server via the internet before I introduced my Debian nat gateway to the scenario...

[sc302 Veteran]

many routers do not like a double nat scenerio. esp soho routers. You would have to forward the port to your debian from your router then forward the port from your debian to your computer.

[Captain_Rainbowbeard]

many routers do not like a double nat scenerio. esp soho routers. You would have to forward the port to your debian from your router then forward the port from your debian to your computer.

Makes sense, though was having trouble forwarding ports using IPtables due to unfamiliarity with the correct syntax, found a great deal of guides on the web though none of them really explained in detail exactly how to correctly construct the syntax of the tables and as such any attempt I made to do so broke the nat routing on the Debian box. I am beginning to sway towards the idea of installing pfsense and setting this up as this would allow me to configure the route properly and as such I would be able to see what correct IPtables and configurations should look like for my purposes.

[+BudMan MVC]

"I would be able to see what correct IPtables and configurations should look like for my purposes."

Not if you go with pfsense it wouldn't it would allow you to see the correct PF syntax - since pfsense runs on freebsd, and freebsd uses PF not iptables.

You could go with a router/firewall disto that uses iptables though if that is your ultimate goal. I do believe ipcop using iptables since it is linux based. If you goal is to be able to use a simple gui to admin iptables, and then look at the underlying actual iptables rules then something other than pfsense should be your choice.

If your goal is to have a very stable, secure and very well supported and developed distro to use as your gateway/firewall then I would highly suggest pfsense.

As sc302 stated if you have access to the .0 nat router to the internet - then yeah you just need to create the forward to whatever your router .0 wan interface is. Good idea to set this as static outside the .0 routers dhcp servers scope, or setup dhcp reservation in that router for your routers wan interface mac so it always has the same IP if your going to do this.

My question is what if some user on the .0 wants to forward ports to their IP - do they also have access? Only 1 person would be able to forward port 21.

Also keep in mind with ftp, and double nat you can run into some issues. Are you going to be doing active or passive connections? Now many soho and router distros do have ftp helpers to work through the data port to be open and changing the IP to the public one that the ftp server might send, etc. But with a double nat you can have problems, etc. You can make it work if you have access to both routers, but its more complicated to be sure.

As with anything its a good idea to fully understand the protocol in question to get it to work through a firewall - here is a great reference for ftp active vs passive, etc.

http://slacksite.com/other/ftp.html

[n_K]

When I was doing the iptables for my two snort IPS systems, I searched and searched the net and found virtually nothing, some examples that didn't really work, had to spend ages looking at how iptables worked and eventually (after many attempts) got my own syntax and rules to work fine.

[Captain_Rainbowbeard]

Not if you go with pfsense it wouldn't it would allow you to see the correct PF syntax - since pfsense runs on freebsd, and freebsd uses PF not iptables. You could go with a router/firewall disto that uses iptables though if that is your ultimate goal.

Once again my mistake, at this point I am not too concerned about getting to grips with IPtables specifically, just making a working configuration is my current goal...

My question is what if some user on the .0 wants to forward ports to their IP - do they also have access? Only 1 person would be able to forward port 21.

Fortunately no one else in the building has any requirement, desire or technical know-how to forward ports so access to port forwarding configuration is entirely in my hands and the entire port range is available for my use. :D

Also keep in mind with ftp, and double nat you can run into some issues. Are you going to be doing active or passive connections? Now many soho and router distros do have ftp helpers to work through the data port to be open and changing the IP to the public one that the ftp server might send, etc. But with a double nat you can have problems, etc. You can make it work if you have access to both routers, but its more complicated to be sure. As with anything its a good idea to fully understand the protocol in question to get it to work through a firewall.

Thanks for the link, I will look into it later today before I set up my pfsense, you are correct that I should understand what I am going to do before I set it up, with regards to potential issues with double NAT with FTP I am quite happy to explore my options and do a little experimentation...

[Captain_Rainbowbeard]

Ok, so I have installed pfSense as my router/firewall OS and am rather happy with this, the web based configuration is wonderful and very feature rich and now, happily, NAT is working correctly and proving a smooth connection with no issues. It's certainly more than I could have hoped for and any previous reluctance I had regarding using this has now evaporated though, sorry to say, I do still require some further advice...

I am having some issues with port forwarding, to be quite honest I am unsure of how to make double port forwarding work correctly, I have been testing this with my soulseek client as it allows for the option of testing if your port forwarding configuration is working correctly and am repeatedly being told that the port is closed. here are some details that may help:

ADSL router IP is still 192.168.0.1

WAN interface on pfSense box is 192.168.0.20 (provided by DHCP on .0 subnet, statically assigned)

LAN interface on pfSense box is 192.168.1.1 (providing DHCP to .1 subnet)

Soulseek client is running on .1 subnet on workstation 192.168.1.100

Soulseek port 40069

Could anyone please advise on how to correctly set a firewall rule on my pfSense to forward this port correctly? I have already opened port 40069 on the ADSL router to 192.168.0.20, it is from here on I am having issues.

Thanks again all :)

[+BudMan MVC]

What to you mean opened it? You need to forward it as well, if your going to run in a double nat setup. It going to be easier to just put the ip address of pfsense wan into DMZ, or exposed HOST of your adsl router - now ALL unsolicited traffic will be sent to pfsense wan IP.

But if not that port tcp from what quick google says for soulseeker needs to be forwarded to the pfsense wan IP on that port. Double check your settings, did the IP of pfsense wan change? Post up your settings and we can take a look.

Do you have anyway to put that adsl router into bridge mode so that pfsense gets public IP!

Then just forward whatever ports you want to whatever IPs behind pfsense you want to see the traffic.

So I would for a test, sniff on your pfsense wan interface - do you test, do you see the packets?? If not then pfsense is never seeing anything to be able to forward. If you see the traffic then you have something wrong in pfsense forwards. Under diag menu the packet capture item.

[Captain_Rainbowbeard]

Thanks again for the response.

What to you mean opened it? You need to forward it as well

My apologies, yes, port is forwarded...

For the record I have now managed to successfully forward this port via the double NAT setup, it appears that I was missing quite a crucial stage in forwarding the port I required on my pfSense via a NAT forwarding rule as apposed to just a firewall rule, upon creation of the NAT rule a firewall rule was automatically created to accommodate and now the port forwarding is working as needed.

This is beginning to make much more sense to me now. :D

It going to be easier to just put the ip address of pfsense wan into DMZ, or exposed HOST of your adsl router - now ALL unsolicited traffic will be sent to pfsense wan IP.

Hmm, please elaborate further, is this not a little bit of a security flaw?

Do you have anyway to put that adsl router into bridge mode so that pfsense gets public IP!

Sorry, no, my ADSL router is installed with default firmware from Virgin and has limited control over the routers capabilities.

So I would for a test, sniff on your pfsense wan interface - do you test, do you see the packets??

Upon sniffing on the WAN interface I appear to have captured an awful lot of packets from a variety of different global IPs to a widely varying range of ports! Is this ok?

Anyways, now that I have the port forwarding issue resolved I have one more question:

I have an SMB server running on the .1 subnet and would like to allow other machines on the .0 subnet to be able to access and use these resources, is there any special way to allow this level of communication across different subnets? A friend of mine told me that by default SMB is distributed across the broadcast address, is this correct? If so is it just a matter of creating an appropriate NAT/firewall rule or is there some particular method to allow hosts outside of .1 to 'see' hosts within it?

[+BudMan MVC]

Why do you have boxes on the 0 network? Are these wireless clients to your isp router?

Are boxes on the 0 network to be considered hostile? Why do you want to run boxes behind pfsense and then have your own boxes on its wan side?

No smb does not go over broadcast, but broadcast can be used as a way to resolve a netbios name box with a smb share.. You could allow SMB or CIFS or whatever other file sharing you want to allow be it ftp, webdav, scp, sftp, AFP, etc.

But if these wireless boxes are under your control and you want them to be able to broadast for names and access your other boxes on the .1 network.. I would change out your setup.

Before we talk about that - its a Firewall yes there will be lots of noise/traffic on the WAN side.. And if you have clients on wireless clients on the 0 network you would be seeing that traffic as well.

Forwarding all ports, ie dmz, exposed host on your isp router to your pfsense would just mean pfsense would working as designed and seeing all the internet noise and then firewalling it, etc.

But I would prob suggest you change your config a bit and remove clients off the 0 and everything should be on the .1 behind pfsense.

So I would turn off wireless on your isp router, then get a wireless router and put it behind your pfsense as AP.. Then since you can not put your isp gateway into bridge mode. Set pfsense wan as dmz or exposed host on it - nothing would need to be on the 0 network now other than pfsense.

All your wireless and wired boxes behind pfsense would have access to file shares, could broadcast for names, etc. Now you wouldn't have to worry about doing forwards on 2 devices, isp router and pfsense when you want to allow unsolicited traffic inbound to one of your boxes behind pfsense. And the double nat can almost become mute - until you run into something that doesn't like double nats - ftp can be a bit of a pain as one example.

[Captain_Rainbowbeard]

Yes, hosts on the .0 network are wireless clients using the ISP router, these machines do not belong to me, they belong to other housemates, 2 of which I would like to share my media with over the network. It would be totally feasible to add a wireless access point to my .1 network and allow these users to directly access these resources though it would cause problems disabling the wireless on .0 as other people in the building that I do not know would then be unable to access the internet, besides, I would prefer to have these users outside of .1 and safely on .0, my mum always told me not to let strangers into my private place...! :laugh:

I'm assuming that it will cause no issues allowing the others to stay wirelessly connected to .0 and allowing the 2 people I do want to access my resources a wireless connection to my .1 network?

[+BudMan MVC]

Sure you could add another wireless AP to your .1 network - and then the wireless on .0 would be guests and hostile.

But if your really wanted you could allow specific IPs into your .1 from .0 for file shares.. They could just use IP vs name because your going to have issues with resolving name for pfsense wan IP.. They could always setup lmhost or host file on their boxes. I doubt your isp router allows you to manipulate dns for your own records?

If you wanted you connect your wireless AP on your private side of pfsense to different interface on the pfsense box and then bridge the interfaces to your wired interface and have some firewall controls and still allow for broadcast resolution, etc..

Other than that if you want to allow from 0 network you would have to forward the ports your using smb/cifs can be done over 445 you could allow 139 as well and you should be good. This would be a port forward to your box hosting the share..

So for example your pfsense sense wan is 192.168.0.20, and your private box hosting the share is 192.168.1.110, create a port forward for 139 tcp and 445 tcp to 192.168.1.110, then from your box on the 0 access \\192.168.0.20\ and you should see the shares.. Keep in mind they would have to auth to the box hosting the shares unless your allow guest type access, etc.

You might want to lock down these rules to only allow access from specific IPs on the 0, say 192.168.0.42 or something.. Hard part might be knowing which IPs on the 0 to allow? I would assume you wouldn't want to allow ALL, and don't do such a thing if you forward all traffic into pfsense wan port from isp router without a source IP restriction. I would assume other boxes on the 0 use dhcp and could change IPs, etc.. This will be the hard part about setting secure rules to only allow the 0 IPs you want to allow.

It would be better to setup your own wireless on .1 and secure that via PSK to people you want to access stuff on your network, you let them use your wireless network. Then they would use pfsense as their internet gateway as well in this setup. Or you could block them from using internet when on your wireless and only be able to access your shares and services on your .1 vs internet access, etc.

[Captain_Rainbowbeard]

I've just been doing some testing further to the suggestions you made and have discovered that my pfSense box WAN interface is not visible in 'Network' from Windows clients on .0, I assumed that this should be visible? Could this be part of the reason why (or at least some explanation for), despite creating apparently correct forwarding rules, I am still unable to access my file sharing resources regarding that I am using IP vs hostname? I also tried created a hostname for my pfSense WAN interface for DHCP resolution on the .0 network and still no show...? I assume these are the issues you were referring to regarding name resolution for my WAN IP...?

I've also been having thoughts about creating a network mountable filing system of sorts instead of an SMB share as a possible workaround, I am assuming that this sort of service would prove to be somewhat less problematic than my current line of thought? What are your thoughts on this and could you possibly suggest any preferable protocols to use for this type of setup, bearing in mind the host for the present SMB share is running Server 2008 R2. (This will also eventually be my FTP/IIS7 etc. server...)

[Captain_Rainbowbeard]

Other than that if you want to allow from 0 network you would have to forward the ports your using smb/cifs can be done over 445 you could allow 139 as well and you should be good. This would be a port forward to your box hosting the share..

So for example your pfsense sense wan is 192.168.0.20, and your private box hosting the share is 192.168.1.110, create a port forward for 139 tcp and 445 tcp to 192.168.1.110, then from your box on the 0 access \\192.168.0.20\ and you should see the shares.. Keep in mind they would have to auth to the box hosting the shares unless your allow guest type access, etc.

Just for clarification, I hope I am correct in assuming that this forward requires to be set as a rule on pfSense and not on the ADSL router otherwise I can see where I am going wrong with this suggestion...

[+BudMan MVC]

Your not going to see pfsense wan in any browselist no.

If you forwarded 139 and 445 tcp to your 2k8r2 server and its sharing and allowing guest then you should be able to access via \\ipaddressofpfsensewan from 0 network. Use the run box and go directly there your never going to be able to use a browselist for this sort of access.

But no I would not think smb or cifs is a good protocol to use - I would use ftp or sftp, where sftp is much easier since its only 1 port. But 2k8r2 does not natively support ssh, so you would have to install that. So sure ftp would work.