# case study (help)



## abdelilah (Jun 12, 2013)

Hi everyone,

I really need your help. With this post I'm not trying to get the job done by someone else; instead I want directions, since I'm completely lost in this network terminology:

I don't have any VLANs and I'm not planning on using them.
I have a pfSense firewall with two interfaces, LAN (192.168.1.150/22) and WAN (192.168.0.150/22), connected directly to the switch.
Multiple routers, but in this case I'm experimenting with the one at 192.168.1.2 in order not to blow up the production network; it is also connected directly to the switch.
A FreeBSD Squid proxy, 192.168.1.72, to manage traffic, connected to the switch.
Clients with 192.168.0.X addresses.
Servers and routers have 192.168.1.X addresses.
My purpose is to make my proxy 192.168.1.72 mandatory to go to the Internet (which I guess requires redirecting), because some guys are trying to bypass my proxy by simply changing the IE settings.

My second goal is to be able to manage all the traffic through my pfSense knowing that I have four routers and only two interfaces in my firewall.

Finally, a colleague of mine told me that this was feasible with only two interfaces on the firewall by setting up a DMZ. I don't know how, though.

Thank you in advance.


----------



## SirDice (Jun 12, 2013)

The networks 192.168.1.150/22 and 192.168.0.150/22 overlap and are in the same network segment. Are you sure they shouldn't be a /24 instead?


```
$ ipcalc 192.168.0.150/22
Address:   192.168.0.150        11000000.10101000.000000 00.10010110
Netmask:   255.255.252.0 = 22   11111111.11111111.111111 00.00000000
Wildcard:  0.0.3.255            00000000.00000000.000000 11.11111111
=>
Network:   192.168.0.0/22       11000000.10101000.000000 00.00000000
HostMin:   192.168.0.1          11000000.10101000.000000 00.00000001
HostMax:   192.168.3.254        11000000.10101000.000000 11.11111110
Broadcast: 192.168.3.255        11000000.10101000.000000 11.11111111
Hosts/Net: 1022                  Class C, Private Internet
```
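
The same calculation done with Python's standard `ipaddress` module, as an added illustration that is not part of SirDice's post. It checks the two interface addresses for overlap with the original /22 masks and with the /24 masks, and it goes one step further than the ipcalc output: `onlink_view` shows why two hosts on one switch whose masks disagree (the proxy's /22 versus the firewall's /24 in this thread) can still ping each other, and when such a mismatch only works in one direction. The firewall, proxy and interface addresses are the ones given in this thread; the 192.168.0.20 client address is constructed for the example.

```python
import ipaddress
from typing import Dict, Tuple

# Interface addresses as stated in this thread: the /22 pair is the original
# configuration, the /24 pair is what the thread moves to.
ORIGINAL_LAN = "192.168.1.150/22"
ORIGINAL_WAN = "192.168.0.150/22"
FIXED_LAN = "192.168.1.150/24"
FIXED_WAN = "192.168.0.150/24"


def subnet_facts(cidr: str) -> Dict[str, object]:
    """Return what ipcalc prints for an interface address such as 192.168.0.150/22."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "hostmin": str(hosts[0]),
        "hostmax": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "hosts": len(hosts),
    }


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True when the two interface addresses describe overlapping subnets.

    A firewall needs disjoint networks on its LAN and WAN interfaces; with an
    overlap it cannot tell which interface a destination belongs to.
    """
    net_a = ipaddress.ip_interface(cidr_a).network
    net_b = ipaddress.ip_interface(cidr_b).network
    return net_a.overlaps(net_b)


def onlink_view(cidr_a: str, cidr_b: str) -> Tuple[bool, bool]:
    """How two hosts sharing a wire see each other when their masks disagree.

    Returns (a_sees_b_onlink, b_sees_a_onlink). When both are True the hosts
    ARP for each other directly and traffic works both ways despite the
    different masks. When the values differ, one side sends its replies to its
    default gateway instead, which may work by accident on a shared switch and
    breaks as soon as the segments are physically separated.
    """
    a = ipaddress.ip_interface(cidr_a)
    b = ipaddress.ip_interface(cidr_b)
    return (b.ip in a.network, a.ip in b.network)


if __name__ == "__main__":
    for label, lan, wan in (("original", ORIGINAL_LAN, ORIGINAL_WAN),
                            ("fixed", FIXED_LAN, FIXED_WAN)):
        print(f"{label}: LAN {subnet_facts(lan)['network']} "
              f"WAN {subnet_facts(wan)['network']} overlap={overlaps(lan, wan)}")
    # Proxy (netmask 0xfffffc00 = /22 in its ifconfig) vs the /24 firewall LAN
    # interface: both sides see the other as on-link, so ping works both ways.
    print("proxy <-> firewall:", onlink_view("192.168.1.72/22", FIXED_LAN))
    # Constructed /22 client in 192.168.0.x vs the /24 firewall LAN interface:
    # only the client thinks the firewall is on-link.
    print("client <-> firewall:", onlink_view("192.168.0.20/22", FIXED_LAN))
```

With the original masks the two "networks" are the same 192.168.0.0/22, which is what the ipcalc output above shows; with /24 they become 192.168.1.0/24 and 192.168.0.0/24 and the overlap disappears.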


----------



## abdelilah (Jun 12, 2013)

Hello SirDice, and thank you for your answer. Yes, I confirm they are in /22, but since I'm not a network expert I can't confirm whether they should be in a /22 or a /24 subnet (that's why I'm posting).


----------



## kpa (Jun 12, 2013)

Did you really say that both the LAN and WAN interfaces are connected to the same switch and are using the same Ethernet segment? That is not going to work unless you also employ some technique to separate the two segments on the switch somehow, VLANs for example.

Change the subnets to /24 and they won't overlap anymore.


----------



## abdelilah (Jun 12, 2013)

Ok:
LAN: 192.168.1.150/24
WAN: 192.168.0.150/24


----------



## kpa (Jun 12, 2013)

No, change both to /24. Try both addresses in this calculator and you'll see that the subnets are still overlapping:

http://www.subnet-calculator.com/cidr.php


----------



## abdelilah (Jun 12, 2013)

Okay, I've changed the subnet, kpa, thanks. What now, please?


----------



## SirDice (Jun 12, 2013)

Clients are on the LAN side and should have a 192.168.1.0/24 address. You should be able to ping(8) the LAN side of the firewall (192.168.1.150). Same for the servers (especially the proxy server on 192.168.1.72): clients should be able to ping them.


----------



## abdelilah (Jun 12, 2013)

I will run out of IP addresses if I switch the clients back to a /24 configuration. However, I can ping the clients, which are on the /22, from the firewall, which is on the /24 configuration, and vice versa. I've done the test many times and it works.


----------



## SirDice (Jun 12, 2013)

I'd really suggest getting help from somebody that has a good understanding of networking. As things are moving now you are very likely to completely hose the network with everything on it.

It's not to put you down but you seem to lack even the most basic networking skills. And not doing it properly could mean you'll end up in a world of hurt.


----------



## abdelilah (Jun 12, 2013)

Here is the test:

```
root@BSDproxy:/root # ping 192.168.1.150
PING 192.168.1.150 (192.168.1.150): 56 data bytes
64 bytes from 192.168.1.150: icmp_seq=0 ttl=64 time=0.315 ms
64 bytes from 192.168.1.150: icmp_seq=1 ttl=64 time=0.212 ms
64 bytes from 192.168.1.150: icmp_seq=2 ttl=64 time=0.206 ms
^C
--- 192.168.1.150 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.206/0.244/0.315/0.050 ms
```

And here is my config (proxy side):


```
root@BSDproxy:/root # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:1f:29:d8:7e:30
        inet 192.168.1.72 netmask 0xfffffc00 broadcast 192.168.3.255
        inet6 fe80::21f:29ff:fed8:7e30%em0 prefixlen 64 scopeid 0x1
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0xa
        inet 127.0.0.1 netmask 0xff000000
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

And here is the firewall:


```
[2.0.3-RELEASE][root@firewall.mynetwork.local]/root(1): ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,VLAN_HWTSO>
        ether e8:39:35:4f:41:5e
        inet6 fe80::ea39:35ff:fe4f:415e%em0 prefixlen 64 scopeid 0x1
        inet 192.168.0.150 netmask 0xffffff00 broadcast 192.168.0.255
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=389b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC>
        ether 00:1e:2a:c0:47:84
        inet6 fe80::21e:2aff:fec0:4784%re0 prefixlen 64 scopeid 0x2
        inet 192.168.1.150 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128 syncok: 1
enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=3<RXCSUM,TXCSUM>
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        nd6 options=43<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33664
```


----------



## abdelilah (Jun 12, 2013)

Thank you, SirDice, for the advice, but I do think that if someone made it, I can do it too. All I need are hints and directions; it can take the time it needs, but I'm ready to learn and to try while taking precautions (I'm using a secondary router, as I mentioned).


----------



## kpa (Jun 12, 2013)

You got the basics working. Now it's time to think about separation of the networks. If you're still connecting both interfaces to the same switch, stop and get another switch for the WAN side if necessary; depending on the equipment you can just plug the WAN cable into the upstream device, router/modem, whatever it is.


----------



## abdelilah (Jun 12, 2013)

Thank you kpa, I've mounted a new switch (Cisco SFE2000 / Level 3) where I connected the WAN interface of the router, here is the new setup:

LAN -> Switch 1
WAN -> Switch 2
The two switches are interconnected via WAN cable.

Should I also plug all the routers on the new switch? Thanks in advance.


----------



## kpa (Jun 12, 2013)

No, separate the two networks completely. Don't interconnect the switches directly with a cable. I understand that you can get a "DMZ" by leaving them connected like that but it's a seriously insecure setup and to be avoided if possible.


----------



## abdelilah (Jun 12, 2013)

Ok, I've disconnected the two switches. Should I keep the routers on switch one? Or should I plug them on switch 2?

Thanks a lot for your help, you're really healing my ego.


----------



## kpa (Jun 12, 2013)

By routers you mean the routers that connect to the Internet? If so connect them to the WAN switch.


----------



## abdelilah (Jun 12, 2013)

I'll do it tonight because we are using them at moment, and then what should I do next?


----------



## kpa (Jun 12, 2013)

Read up on the concepts of NAT (Network Address Translation) and packet filtering, and the various ways of implementing them in a firewall/router that runs FreeBSD:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html


----------



## SirDice (Jun 12, 2013)

A picture says more than a thousand words. And I needed some exercise with graphics/dia anyway.

Concept of a DMZ:

[diagram not preserved]

The _DeMilitarized Zone_ or DMZ is like the bit of "no man's land" between two borders or, in this case, two firewalls. It's neither friendly (LAN) nor hostile (Internet).

Most people however do not have the budget for two firewalls, so they use one firewall with multiple interfaces to achieve the same effect:

[diagram not preserved]

Your situation is probably more like this (without a DMZ):

[diagram not preserved]

What you want to do is still possible. Simply block all traffic on the firewall from the LAN to the Internet, and only allow traffic to the Internet from the proxy server. That basically forces everybody to use your proxy server. If they change the proxy settings on the client they cannot connect to anything. It may not be "stealthy" but it sure is effective.
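
The policy described above, written out as a raw pf.conf fragment for PF, the packet filter pfSense is built on. This is an added example, not code from SirDice's post and not the rule set pfSense itself generates (pfSense builds the equivalent from its web GUI); it also illustrates the NAT and packet-filtering concepts kpa pointed to. Interface names (em0 = WAN, re0 = LAN), the 192.168.1.0/24 LAN and the proxy address 192.168.1.72 are taken from the ifconfig output earlier in the thread; the proxy port 3128 (Squid's default) and the use of the firewall as the LAN's DNS resolver are assumptions.

```pf
# Added example: pf.conf for a two-interface firewall that forces all Internet
# access through one proxy. Interface names and addresses are from this thread;
# port 3128 (Squid's default) and the DNS rule are assumptions.
wan_if     = "em0"
lan_if     = "re0"
lan_net    = "192.168.1.0/24"
proxy      = "192.168.1.72"
proxy_port = "3128"

set skip on lo0
scrub in all

# Default deny. Logging to pflog0 makes every client that tries to reach the
# Internet directly (i.e. with the proxy setting removed) visible in the logs.
block log all

# Translate only the proxy's traffic to the WAN address. Anything else from the
# LAN never gets a NAT entry, so even a stray pass rule would not let it out.
nat on $wan_if inet from $proxy to any -> ($wan_if)

# The weak setting to remove: pfSense's default "LAN to any" pass rule. With it
# active every client can bypass the proxy by changing its browser settings.
# pass in on $lan_if from $lan_net to any keep state

# Client-to-proxy traffic (to $proxy port $proxy_port) stays on the LAN switch
# and never crosses the firewall, so it needs no rule here. Clients do need the
# firewall itself for DNS if it is their resolver (assumption).
pass in on $lan_if proto { tcp udp } from $lan_net to ($lan_if) port 53 keep state

# Only the proxy may leave towards the Internet.
pass in  on $lan_if from $proxy to any keep state
pass out on $wan_if from ($wan_if) to any keep state
```

Because PF uses last-match semantics, the `block log all` at the top is the fallback for everything the later `pass` rules do not match, which is exactly the "block all LAN to Internet, allow only the proxy" policy described above. Checking the rules with `pfctl -nf /path/to/pf.conf` before loading them catches syntax errors without touching the running firewall.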


----------



## abdelilah (Jun 13, 2013)

Thanks to both of you. I've done some testing yesterday by plugging the router into WAN switch 2, but I didn't succeed and made the Internet completely unreachable from the LAN side. Then I rolled back. To be honest, I didn't complete the reading on NAT/firewalls; I'll try to do it ASAP. By the way, what is the default firewall used by pfSense?

Thank you in advance.


----------



## SirDice (Jun 13, 2013)

abdelilah said:

> By the way, what is the default firewall used by pfSense?


As the name of the product implies: PF.


----------



## abdelilah (Jun 21, 2013)

Hi everyone, thank you for your help. I've done it by forwarding all WAN traffic to my proxy, which makes it mandatory, using the physical separation shown above. Now I have to migrate all the network services gradually, a lot of work I presume. Again, many thanks for your help; it proves to me again that (nearly) no one is a genius, you just need the will and patience to get the job done.


----------

