
New Firewall Solution Required

All, currently I use two firewalls - they are in parallel. One is for encrypted traffic only and the other is for normal traffic. I control this at the default gateway level for individual network hosts and some proxying. This is starting to cause me an issue so I am wondering if there is a firewall I can use that will do everything I want, as follows:

1. Gb speeds. I should be getting 900/900 internet access soon as opposed to my 350/50 that I have currently
2. VPN Server for RoadWarrior style access. Preferably OpenVPN (or similar) and not PPTP
3. VPN Client for AirVPN
4. The ability to select which LAN hosts use encrypted and which use unencrypted and if the VPN Client fails then any encrypted hosts get shut off. (aka kill switch, but for individual encrypted hosts only). Currently I do this in pfsense by blocking all traffic not going down the tunnel. Note that if I am road warrior'd in I still want to access encrypted hosts
5. Force access to certain internet hosts to use encrypted channels only (by destination address)
6. Force all DNS enquiries to use encrypted channels
7. Multiple VPN channels to AirVPN - or indeed multiple providers
8. Run as virtual appliances with the option of running on suitable hardware (if I have any)
9. Normal port forwarding - although I use very little of this preferring to use a VPN when I can

At the moment GW1 (Encrypted) is pfsense whilst GW2 is Sophos UTM - I much prefer the Sophos Interface (I find pfsense non-intuitive) but I understand that getting it (Sophos) to work as a client to AirVPN is non-trivial.

Any ideas about where to start?
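For readers comparing firewalls against requirements 4, 5 and 6 above, this is an added example of what that "selective kill switch" looks like on a plain Linux gateway using policy routing and iptables; it is not the poster's pfsense or Sophos configuration and not a vendor feature. Interface names (eth1, tun0), the LAN and road-warrior subnets, the encrypted host addresses and the forced destination range are all hypothetical placeholders chosen for the example. Hosts in ENCRYPTED_HOSTS, traffic to FORCED_DESTS, and all LAN DNS get a firewall mark; marked packets are routed by a dedicated table whose only usable route is the tunnel, and anything marked that cannot leave through the tunnel is rejected, so a tunnel failure cuts those hosts off instead of leaking them out of the WAN, while unmarked hosts and road-warrior access to the encrypted hosts keep working.

```shell
#!/bin/sh
# Added example for this thread, not the poster's pfsense or Sophos config: a per-host
# "selective kill switch" on a Linux gateway using policy routing and iptables.
# All interface names and addresses below are hypothetical placeholders.

LAN_IF="${LAN_IF:-eth1}"                                   # LAN-facing interface
LAN_NET="${LAN_NET:-192.168.10.0/24}"                       # LAN subnet
VPN_IF="${VPN_IF:-tun0}"                                   # VPN client tunnel interface
VPN_DNS="${VPN_DNS:-10.8.0.1}"                             # resolver reachable inside the tunnel
ROADWARRIOR_NET="${ROADWARRIOR_NET:-10.9.0.0/24}"          # OpenVPN server subnet for remote users
ENCRYPTED_HOSTS="${ENCRYPTED_HOSTS:-192.168.10.50 192.168.10.51}"  # hosts that may only use the tunnel
FORCED_DESTS="${FORCED_DESTS:-203.0.113.0/24}"             # destinations everyone must reach via the tunnel (TEST-NET-3, constructed)
VPN_TABLE=100                                               # routing table consulted for marked packets
VPN_MARK=0x1                                                # fwmark meaning "must use the tunnel"

# Execute a command, or print it when DRY_RUN=1 so the rule set can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

build_rules() {
  # Table 100: default via the tunnel. The tun0 route disappears when the tunnel goes
  # down, leaving the higher-metric "unreachable" route, so marked packets are dropped
  # at routing time instead of falling back to the main table and the WAN.
  run ip route replace default dev "$VPN_IF" table "$VPN_TABLE" metric 10
  run ip route replace unreachable default table "$VPN_TABLE" metric 1000
  run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE"

  # Traffic to the LAN itself or to road-warrior clients must not be forced into the
  # tunnel, otherwise replies from an encrypted host to a remote user would go the wrong way.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d "$LAN_NET" -j RETURN
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d "$ROADWARRIOR_NET" -j RETURN

  # Requirements 4, 5 and 6: mark by source host, by forced destination, and all DNS.
  for h in $ENCRYPTED_HOSTS; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$h" -j MARK --set-mark "$VPN_MARK"
  done
  for d in $FORCED_DESTS; do
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -d "$d" -j MARK --set-mark "$VPN_MARK"
  done
  for proto in udp tcp; do
    # mangle PREROUTING runs before nat PREROUTING, so mark on port 53 first,
    # then rewrite the destination to the resolver that lives inside the tunnel.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j MARK --set-mark "$VPN_MARK"
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 -j DNAT --to-destination "$VPN_DNS"
  done

  # Kill switch in the forwarding path: marked packets leave via the tunnel or not at all.
  run iptables -A FORWARD -m mark --mark "$VPN_MARK" -o "$VPN_IF" -j ACCEPT
  run iptables -A FORWARD -m mark --mark "$VPN_MARK" -j REJECT
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Number of commands the rule set expands to; a quick sanity check in dry-run mode.
rule_count() {
  ( DRY_RUN=1; build_rules ) | wc -l | tr -d ' '
}

# Usage: DRY_RUN=1 sh selective_killswitch.sh apply   (review the commands)
#        sh selective_killswitch.sh apply              (apply, as root)
if [ "${1:-}" = "apply" ]; then
  build_rules
fi
```

Two practical notes: the route in table 100 must be re-added whenever the tunnel comes back up (an OpenVPN up script is the usual place), and because the unreachable route and the FORWARD REJECT are independent, either one alone is enough to stop a leak; keeping both makes a misconfiguration of one visible rather than silent. Run it with DRY_RUN=1 first and read the printed commands before applying anything.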

I'm pretty sure that either pfsense or sophos could do this unless your systems are underpowered.
Have you thought about using VLANs?
I use pfsense and have a VLAN dedicated for VPN, and all devices going thru the VPN do not leak.
My RW also uses the VPN to get to the internet but also accesses devices on all VLANs.


I have thought of using VLANs. Unfortunately not gonna work. A number of the hosts that I want to use the encrypted channels are sitting in containers on a TrueNAS Scale NAS. They use the default gateway of the Scale box, meaning they all have to be on the same VLAN. It is truly a nuisance and (in my opinion) not a sensible design. It might change in the future - but not for a while, there are other more important issues with Scale.

I could of course run up my own docker host - and may do that - but I ought to at least consider a single GW. CPU is not an issue - both firewalls are virtualised - I have lots of CPU. Having said that, if I stick with pfsense I MIGHT put it on hardware eventually.

RW?

Also I thought getting Sophos to talk VPN Client had been determined to be non-trivial

Edited ... by Aardvark56


Add a NIC to truenas and make VLANs using pfsense. (I assume that you have a managed switch that can do VLANs; if not, adding another NIC is required for pfsense.)
I also have a DHCP server running for the VPN VLAN.
In truenas tell it to use the second NIC and assign it an IP in the VPN VLAN subnet, or let it get one via DHCP.
Use portainer to manage your docker containers; it makes it easy.
Assuming you add the NIC, docker will see it as br0 or br1 or whatever.
Using portainer, go to the docker that needs the VPN VLAN and in the network section add the interface that is on the VPN VLAN.

I use unraid with a quad port NIC and one of those ports is in the VPN VLAN, and I've assigned containers to use only that network interface and they work just fine. All internet goes out the VPN.


I do have managed switches - so VLANs not an issue
I haven't been using portainer. Been testing with the Truecharts tools. (This is all testing - to see what's possible and what isn't.) I have found that adding a second NIC to TrueNAS Scale does not make the containers available on that NIC, which is irritating