If someone else is using 1:1 NAT on their pfSense (or m0n0wall), here are some tips. Don’t judge the use of NAT – I only do it when I have to, or when it is the best option in the situation, e.g. when I need to work around restrictions. I had to do that today: I was provisioning a VM on the internal server farm, but needed to make it reachable outside the web firewalls because of another service running on it.
The manual on the website did not make it clear to me how to use it. I have two subnets: one is a private range (LAN) and one is a public range (DMZ).
I have a public IP on the WAN side, which is the target IP for the route to the DMZ. Now I wanted to make a VM in the LAN visible in the DMZ – a VM that I did not want to move over directly (I had no spare server in the DMZ at the time, and needed to deploy fast).
Create a new IP Alias in pfSense: Interface = the DMZ interface, Type = IP Alias. Then create the rule under Firewall > NAT > 1:1 NAT, but this time choose the WAN interface. If you choose the DMZ interface here, all you get is traffic to the firewall itself, and nothing is forwarded further.
Then I allowed traffic to the DMZ IP address. Unfortunately this was not sufficient; with a normal port forward you would get a matching firewall rule that already works. In this case, you NEED to add a firewall rule allowing the desired traffic to the INTERNAL LAN IP of the HOST you are trying to make available.
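To make the relationship between the 1:1 mapping and the firewall rule concrete, here is the same setup in raw pf syntax (the packet filter underneath pfSense and m0n0wall). This is an added example, not configuration from the post; the interface names and the 198.51.100.0/24 and 192.168.10.0/24 addresses are constructed placeholders.

```pf
# Added example, not configuration from the post.
# Interface names and addresses are assumed placeholders.
ext_if = "em0"                 # WAN
dmz_if = "em1"                 # DMZ, public range
lan_if = "em2"                 # LAN, private range

dmz_alias = "198.51.100.10"    # IP Alias created on the DMZ interface
lan_host  = "192.168.10.25"    # internal LAN VM being made reachable

# 1:1 NAT bound to the WAN interface: inbound packets addressed to the
# alias are rewritten to the internal host, and the host's replies get
# the alias as their source address on the way out.
binat on $ext_if from $lan_host to any -> $dmz_alias

# Filtering runs after translation on inbound traffic, so the pass rule
# must name the internal LAN address, not the DMZ alias. Allowing only
# the port the exposed service needs keeps the rest of the VM closed.
pass in quick on $ext_if inet proto tcp from any to $lan_host port 443 \
    flags S/SA keep state
```

The binat rule only translates on the interface it is bound to, which is why binding it to the DMZ interface in the GUI ends at the firewall: packets from the Internet for the alias arrive on WAN, never on DMZ. Because the pass rule references the private address, a rule written against the DMZ alias simply never matches.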
If someone has wondered why there has been such a lack of blogging here – there will be some interesting information again soon. I was kept busy over the last few months with a new project called “Geoflexcloud” – also online here – which is basically the transformation of my know-how into a real “Cloud” thingie. I know cloud is an overused term, but the focus here is definitely on data protection in Switzerland and strictly isolated containers for customers who want a certain level of security. Fortunately we now have a lot of infrastructure ready in a rack and will start peering with other ISPs in the next few weeks.
Newest from the surveillance front today, again from the famous Fefe blog: the Austrians are now abusing their driver’s licence photos to automatically track their people via CCTV: Link
In the meantime? We now have this just around my corner. And everyone called me paranoid just a few years ago? In the newer articles there is now talk about “further extensions” – well, nice: we are being tracked, and soon they will store the movement data as “minimal data retention”, as the Germans like to call it.
15.01.2011 – 16.01.2011
Location: Siat
Topic: Splunk – log analysis tool
Time: Saturday 10:00 to Sunday 16:00
Cost: approx. 100 CHF for the two days
Registration: via website, available soon.