HELP! Firewall testbed driving me nuts!


Howard White

Jun 25, 2019, 12:37:50 PM
to nlug...@googlegroups.com
Not that it was a very long putt, you understand...

Trying to create a testbed to which I may connect multiple pfsense
instances (all but one on bare metal, one vm guest - all give the same
result). Have a separate network to which each of the WAN interfaces of
the collective firewalls connect. Network has working DHCP and I have a
separate desktop also connected to this network. Network is not
connected upstream - isolated.

Each of the pfSense instances shows a WAN address on the testbed network,
unique to each. The testbed is to be able to test external-to-WAN ssh
and OpenVPN. I have connected a known-to-work pfSense bare metal
instance to the testbed and I still am unable to ssh from the
independent desktop to the WAN. ssh sits until timeout. I am able to
ssh to the LAN of each instance (some of the stankiest switches and hubs
you've seen, but they work!)

There are ten steps to getting a pizza, in my case 6153827272. What
step(s) am I missing????

Howard

Steve

Jun 25, 2019, 10:54:04 PM
to NLUG
Hey Howard, can you take a screenshot of your ruleset?

Chris McQuistion

Jun 25, 2019, 11:11:11 PM
to nlug...@googlegroups.com
Do you have a firewall rule that allows SSH to the WAN interface itself?

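Chris's question turned into a check, added here as an example and not part of the thread: a small Python probe that tells the outcomes apart from the test desktop. A connect that sits until timeout means the packets are being dropped (what a WAN with no pass rule for port 22 produces), a refusal means the host answered but nothing listens on 22, and an SSH banner means the rule and the daemon both work. The loopback fake listener and the 192.0.2.x WAN addresses are constructed for the example.

```python
import socket
import threading

SSH_BANNER = b"SSH-2.0-"
WAN_HOSTS = ["192.0.2.11", "192.0.2.12", "192.0.2.13"]  # constructed, TEST-NET-1

def probe_ssh(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Classify a TCP connect to host:port.
    'filtered'    timed out: packets silently dropped, what a missing WAN pass rule looks like
    'refused'     host sent RST: reachable, nothing listening there
    'unreachable' no route to the host from this desktop
    'ssh'         connected and got an SSH banner; 'other' otherwise
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(64)
            except socket.timeout:
                return "other"
        return "ssh" if banner.startswith(SSH_BANNER) else "other"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def start_fake_sshd() -> tuple:
    """Constructed stand-in for a firewall's sshd on loopback (offline); returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-OpenSSH_test\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def closed_port() -> int:
    """A loopback port with nothing listening, for the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    for h in WAN_HOSTS:
        print(h, probe_ssh(h))
```

Run it from the independent desktop against each instance's WAN address; a 'filtered' result on every daughter firewall while the LAN side answers points at the WAN ruleset rather than at the cabling.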

Nate Vaughn

Jun 26, 2019, 11:37:31 AM
to nlug...@googlegroups.com
Howard,

Are you attempting to connect via host name or IP? To me it sounds like a resolution problem.


Howard White

Jun 26, 2019, 11:59:41 AM
to nlug...@googlegroups.com
Steve and NLUG:

Have now ruled out stanky hub as problem. Further searches seem to
suggest that the testbed I have built is, in essence, an asymmetric
network configuration that "ain't gonna work."

From each of the daughter firewalls (and computers behind said
firewalls), I can ssh nicely to the "internet" firewall. I cannot ssh to
any of the daughter firewalls from anything. Same ssh configs,
stripped down to the simplest level.

How may I create a "dummy internet" upon which I may test a group of
firewalls?

Going to try to remove the top firewall from the mix, set the IP
addresses of each of the now daughter firewalls to static IP addresses
(okay, I was lazy and tried to use DHCP at the "internet" because that
is exactly the field configuration) and see if there is any more progress.

Howard

On 6/25/19 10:18 PM, Howard White wrote:
> Primary culprit found.  One of the stanky hubs was dorking the WAN
> network.  Updates tomorrow.
>
> Howard