pfSense on XenServer between modem and WiFi router

0

I'm trying to set up pfSense at home. I have spent several hours setting this up but it is going nowhere. Here is what I want to achieve: I have a pfSense VM running.

Internet --> cable modem --> XenServer running the pfSense VM --> WiFi router (AP) for other devices. pfSense should have DHCP enabled for all the public-facing website/server VMs.

The WiFi router should have DHCP enabled. I don't mind if the WiFi router is not behind pfSense, unless that could be achieved too.

I tried to bridge WAN with OPT1. I don't think it is working as needed.

I'm new to advanced networking and pfSense. I would really appreciate it if someone could give me some direction. The more descriptive, the better.

Here are my interface names and the configs/associations:

WAN is where my modem is connected, where I have a dynamic IP.

WAN -> xn0
LAN -> xn1
OPT1 -> xn2
OPT2 -> xn3

Please let me know how to proceed!

Jauyzed

Posted 2017-03-03T08:48:10.517

Reputation: 105

Disable DHCP on the WiFi access point and put it behind pfSense on the LAN interface, since pfSense does it better. Use the OPT1 interface for your VMs. This way you would have two separate LANs. If you want LAN devices to access the VMs, add firewall rules that enable traffic from LAN to OPT1. It will secure your LAN in case some VMs get compromised, but allow access from WAN and LAN to the VMs at the same time. – Alex – 2017-03-03T09:16:35.997

@Alex Thanks for the reply. I have added more information about the interfaces and associations. Please let me know which interfaces need DHCP and what needs to be bridged. – Jauyzed – 2017-03-04T05:01:02.253

Answers

0

I don't know why you want a bridge mode. If you have a single public IP then I suggest you use the scheme below.


On pfSense, set NAT rules (which will also automatically create firewall rules) to forward the publicly accessible ports to the OPT1 network where your public services run in VMs. I'm not sure why you want DHCP on OPT1, but it is OK to have it as long as you use static DHCP that would glue the MAC addresses of the VMs to particular IPs. This way NAT will always forward incoming connections to a particular VM.

In the firewall rules, enable passing all protocols from LAN to OPT1. This way the internal LAN network would be able to access the VM services, but it will be protected from the internet and from OPT1 (so if some VM is hacked, it will not be able to access the LAN).

In the pfSense DNS forwarder, override the public DNS records for the FQDNs of the VMs, so that a connection from LAN to OPT1 would point to the VM located in the OPT1 network.

For example, you have a public A DNS record for a web site that resolves to your public IP address, as my.www.example.com -> 1.2.3.4.
In the DNS forwarder, override the public IP by setting my.www.example.com -> 10.1.10.50.
This way, if a connection to the VM is coming from the internet it will be passed over NAT to the VM in the OPT1 network, but if the connection is coming from the LAN, pfSense's DNS forwarder will point to the VM in OPT1 using private IPs.

As for WiFi, use it as an access point (AP). Leave its WAN port disconnected, set the WiFi router's LAN IP so that it is in the pfSense LAN range, and disable DHCP on it. This way computers connected to the WiFi router's LAN ports (it will work as a regular switch) and WiFi clients will obtain IPs from pfSense's DHCP.

Alex

Posted 2017-03-03T08:48:10.517

Reputation: 5 606
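As an added example (not part of Alex's answer or any pfSense code), a small Python model of the rule set described in the answer, useful for checking which flows the layout permits before relying on it. The subnets 10.1.1.0/24 (LAN) and 10.1.10.0/24 (OPT1), the addresses 1.2.3.4 and 10.1.10.50 and the host name come from the thread; letting OPT1 VMs reach the internet is an assumption.

```python
# Added example (not from the original thread): model of the answer's pfSense
# layout. LAN/OPT1 subnets and public IP are taken from the thread; treating
# OPT1 -> internet as allowed is an assumption (VMs usually need updates).
import ipaddress

NETS = {
    "LAN":  ipaddress.ip_network("10.1.1.0/24"),
    "OPT1": ipaddress.ip_network("10.1.10.0/24"),
}
PUBLIC_IP = ipaddress.ip_address("1.2.3.4")
VM_IP = ipaddress.ip_address("10.1.10.50")

# WAN port forwards: dst port -> (OPT1 VM, port). pfSense also creates the
# matching pass rules for these automatically, as the answer notes.
PORT_FORWARDS = {80: (VM_IP, 80), 443: (VM_IP, 443)}

# Split DNS: the forwarder's host override only applies to internal clients.
DNS_OVERRIDES = {"my.www.example.com": VM_IP}
PUBLIC_DNS = {"my.www.example.com": PUBLIC_IP}


def interface_of(ip):
    """Return the pfSense interface an address belongs to (WAN if not internal)."""
    ip = ipaddress.ip_address(ip)
    return next((name for name, net in NETS.items() if ip in net), "WAN")


def resolve(fqdn, client_ip):
    """DNS answer a client gets: the override inside, the public A record outside."""
    if interface_of(client_ip) != "WAN" and fqdn in DNS_OVERRIDES:
        return DNS_OVERRIDES[fqdn]
    return PUBLIC_DNS[fqdn]


def decide(src_ip, dst_ip, dst_port):
    """Apply the answer's rule set; returns (verdict, translated destination)."""
    src_if = interface_of(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src_if == "WAN":
        # Only the NAT'd ports reach OPT1; everything else hits default deny.
        if dst == PUBLIC_IP and dst_port in PORT_FORWARDS:
            return "pass", PORT_FORWARDS[dst_port]
        return "block", None
    if src_if == "LAN":
        return "pass", (dst, dst_port)   # LAN -> OPT1 or internet: pass any
    # OPT1: internet allowed (assumption), LAN never, so a hacked VM is contained.
    if interface_of(str(dst)) == "LAN":
        return "block", None
    return "pass", (dst, dst_port)
```

Note that a LAN client connecting to 1.2.3.4 is passed out the WAN unchanged, which is exactly why the answer adds the DNS override instead of relying on NAT reflection.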

After giving it a thought, I don't think I will enable DHCP on the OPT1 interface for the public-facing server VMs. You are right!

I have another silly question: would I still be able to access XenServer through XenCenter from one of the laptops connected to the WiFi AP, and if so, how?

My Dell server has 4 NICs. One NIC is connected to the modem; would the next one be connected to the WiFi router's LAN port, where pfSense has DHCP enabled?

Since the NIC connected to the modem has a dynamic IP, I have set XenServer to a dynamic IP with DHCP enabled. Is that about the right configuration with your suggestions? – Jauyzed – 2017-03-05T02:05:04.280

I got this setup working, except for a few glitches. The LAN interface is completely working on the 10.1.1.0 subnet with the wireless AP, but I can't get on to the XenServer interface with XenCenter VNC. XenServer has the IP 10.1.1.11; I have a Windows machine with XenCenter connected on the LAN interface. – Jauyzed – 2017-03-07T23:34:36.033

@Jauyzed The VNC connectors within Dom0 listen on ports 590x, where 5900 is Dom0 itself, 5901 the first VM and so on, but the problem is that Xen binds them to 127.0.0.1, so it will not allow connecting to them from a VM. Check this link for more information regarding this and a solution for how to resolve it. – Alex – 2017-03-08T00:22:30.453

A firewall setting did the trick for me to access the VMs through VNC. I created an OpenVPN server with tunnel address 10.8.0.0/24. I can connect to the VPN server from outside, but I can't see any machines. Is this something to do with the firewall again, or subnets? – Jauyzed – 2017-03-09T02:29:37.297