  1. #1

    mikrotik---> pfsense--PC , rulesssss?????????

    minta tolong para masssster,
    topologinya seperti diatas, gimana cara koneksi dari PC -----> pfsense, dan dari internet ke pfsense
    untuk remote dr internet ke mikrotik nya udah bisa tapi dari internet ke pfsense nya gak bisa,
    rules apa yang harus ditambahkan ke mikrotik dan pfsense nya
    PC dan PFsense terkoneksi ke port yang berbeda di mikrotiknya.


    saya sertakan config pfsense nya ,
    #System aliases
    # Interface macros: WAN is re0, LAN is rl0. The WAN address is
    # 192.168.100.2 in 192.168.100.0/24 (see the NAT and route-to rules
    # below), i.e. pfSense sits behind the MikroTik. Packets "from the
    # internet" only reach these rules if the MikroTik forwards them.

    loopback = "{ lo0 }"
    WAN = "{ re0 }"
    LAN = "{ rl0 }"

    #SSH Lockout Table
    # Lockout tables are filled by pfSense's login-failure handling;
    # 'persist' keeps their contents across ruleset reloads.
    table <sshlockout> persist
    table <webConfiguratorlockout> persist
    #Snort tables
    table <snort2c>

    table <virusprot>

    # User Aliases

    # Gateways
    # WAN default gateway macro. No rule in this ruleset references
    # $GWWANGW; the route-to / reply-to rules below spell the gateway out.
    GWWANGW = " route-to ( re0 192.168.100.1 ) "


    set loginterface rl0
    set optimization conservative
    set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
    set limit states 389000
    set limit src-nodes 389000

    set skip on pfsync0

    # Reassemble IP fragments on both interfaces before any rule sees them.
    scrub in on $WAN all fragment reassemble
    scrub in on $LAN all fragment reassemble

    # HFSC shaper on the LAN interface: qInternet is capped at 5120Kb,
    # qLink is the default queue for anything not assigned elsewhere.
    altq on rl0 hfsc queue { qLink, qInternet }
    queue qLink on rl0 bandwidth 20% qlimit 500 hfsc ( ecn , default )
    queue qInternet on rl0 bandwidth 5120Kb hfsc ( ecn , linkshare 5120Kb , upperlimit 5120Kb ) { qACK, qP2P, qVoIP, qOthersHigh, qOthersLow }
    queue qACK on rl0 bandwidth 16% hfsc ( ecn , linkshare 16% )
    queue qP2P on rl0 bandwidth 4% hfsc ( ecn , linkshare 4% , upperlimit 4% )
    queue qVoIP on rl0 bandwidth 32Kb hfsc ( ecn , realtime 20% )
    queue qOthersHigh on rl0 bandwidth 8% hfsc ( ecn , linkshare 8% )
    queue qOthersLow on rl0 bandwidth 4% hfsc ( ecn , linkshare 4% )


    # HFSC shaper on the WAN interface: 768Kb link, qDefault is the
    # default queue.
    altq on re0 hfsc bandwidth 768Kb queue { qACK, qDefault, qP2P, qVoIP, qOthersHigh, qOthersLow }
    queue qACK on re0 bandwidth 19.186% hfsc ( ecn , linkshare 19.186% )
    queue qDefault on re0 bandwidth 9.593% hfsc ( ecn , default )
    queue qP2P on re0 bandwidth 4.7965% hfsc ( ecn , linkshare 4.7965% , upperlimit 4.7965% )
    queue qVoIP on re0 bandwidth 32Kb hfsc ( ecn , realtime 20% )
    queue qOthersHigh on re0 bandwidth 9.593% hfsc ( ecn , linkshare 9.593% )
    queue qOthersLow on re0 bandwidth 4.7965% hfsc ( ecn , linkshare 4.7965% )


    nat-anchor "natearly/*"
    nat-anchor "natrules/*"


    # Outbound NAT rules

    # Subnets to NAT
    # Everything from the LAN subnet (and loopback) leaves the WAN
    # interface as 192.168.100.2. Source port 500 is preserved as 500
    # (presumably so IKE keeps a stable source port -- confirm); all other
    # traffic is rewritten into the 1024:65535 range.
    tonatsubnets = "{ 172.15.90.0/24 127.0.0.0/8 }"
    nat on $WAN from $tonatsubnets port 500 to any port 500 -> 192.168.100.2/32 port 500
    nat on $WAN from $tonatsubnets to any -> 192.168.100.2/32 port 1024:65535


    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <direct_networks> { 192.168.100.0/24 172.15.90.0/24 }
    # IMSpector rdr anchor
    rdr-anchor "imspector"

    # Setup Squid proxy redirect
    # Transparent proxy: TCP/80 arriving on LAN that is not bound for a
    # private range or the LAN interface itself is redirected to the local
    # Squid on 127.0.0.1:8080. The matching pass rules are at the end of
    # the ruleset.
    no rdr on rl0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on rl0 proto tcp from any to !(rl0) port 80 -> 127.0.0.1 port 8080

    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"

    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    # pf is last-match-wins unless a rule says 'quick', so these two rules
    # only apply to traffic no later pass rule matches. They are logged.
    block in log all label "Default deny rule"
    block out log all label "Default deny rule"

    # We use the mighty pf, we cannot be fooled.
    # Drop TCP/UDP with source or destination port 0 immediately.
    block quick proto { tcp, udp } from any port = 0 to any
    block quick proto { tcp, udp } from any to any port = 0

    # Block all IPv6
    block in quick inet6 all
    block out quick inet6 all

    # Snort package
    # Hosts Snort has placed in <snort2c> are cut off in both directions.
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

    # SSH lockout
    # SSH is served on port 222 here, not 22 (the anti-lockout rule below
    # uses 222 as well).
    block in log quick proto tcp from <sshlockout> to any port 222 label "sshlockout"

    # webConfigurator lockout
    # The web GUI is served on port 81 (also 443 in the anti-lockout rule).
    block in log quick proto tcp from <webConfiguratorlockout> to any port 81 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    # Drop packets whose source address could not legitimately arrive on
    # that interface.
    antispoof for re0
    antispoof for rl0
    # allow access to DHCP server on LAN
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 172.15.90.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 172.15.90.1 port = 67 to any port = 68 label "allow access to DHCP server"

    # loopback
    pass in on $loopback all label "pass loopback"
    pass out on $loopback all label "pass loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    # Outbound is unrestricted; traffic sourced from the WAN address to any
    # destination outside 192.168.100.0/24 is forced via the WAN gateway.
    pass out all keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( re0 192.168.100.1 ) from 192.168.100.2 to !192.168.100.0/24 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    # Applies on the LAN interface only, for the GUI (81, 443) and SSH (222).
    pass in quick on rl0 proto tcp from any to (rl0) port { 81 443 222 } keep state label "anti-lockout rule"

    # User-defined rules follow

    anchor "userrules/*"
    # SECURITY: no direction and no source restriction -- TCP/81 (the
    # webConfigurator port) is passed in and out on the WAN interface from
    # any address. Restrict the source, or reach the GUI only via LAN/VPN.
    pass quick on { re0 } proto tcp from any to any port 81 flags S/SA keep state label "USER_RULE"
    # Every UDP packet on re0 is queued as VoIP, not only SIP/RTP.
    match on { re0 } proto udp from any to any queue (qVoIP) label "USER_RULE: DiffServ/Lowdelay/Upload"
    # SECURITY: this passes ALL inbound traffic on WAN -- any protocol, any
    # port, any destination -- and 'quick' makes it win before the narrower
    # port-81 / icmp / 443 / 80 rules below, which therefore never match
    # inbound WAN traffic. It effectively disables the default deny on WAN.
    # If the goal is only remote access to the GUI, the port-81 rules that
    # follow already cover it and this line should be removed. Because it
    # accepts everything, "internet cannot reach pfSense" is presumably not
    # a pfSense filtering problem but missing forwarding (dst-nat) on the
    # MikroTik in front -- confirm there.
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) from any to any keep state label "USER_RULE"
    # GUI on port 81 via the LAN address and via the WAN address.
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) proto tcp from any to 172.15.90.1 port 81 flags S/SA keep state label "USER_RULE"
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) proto tcp from any to 192.168.100.2 port 81 flags S/SA keep state label "USER_RULE"
    # ICMP to the WAN address from anywhere.
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) inet proto icmp from any to 192.168.100.2 keep state label "USER_RULE"
    # TCP/443 and TCP/80 inbound on WAN to ANY destination, not only the
    # firewall's own addresses -- NOTE(review): this would also admit
    # forwarded traffic toward hosts behind pfSense; confirm that is intended.
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) proto tcp from any to any port 443 flags S/SA keep state label "USER_RULE"
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) proto tcp from any to any port 80 flags S/SA keep state label "USER_RULE"
    # Anything TCP from the WAN subnet (the MikroTik side) is passed in.
    pass in quick on $WAN reply-to ( re0 192.168.100.1 ) proto tcp from 192.168.100.0/24 to any flags S/SA keep state label "USER_RULE"
    # LAN hosts may reach anything.
    pass in quick on $LAN from 172.15.90.0/24 to any keep state label "USER_RULE: Default allow LAN to any rule"
    # WANLAN pptp array key does not exist for label "USER_RULE"

    # VPN Rules
    anchor "tftp-proxy/*"

    # Setup squid pass rules for proxy
    # Companion pass rules for the Squid rdr above (ports 80 and 8080 on LAN).
    pass in quick on rl0 proto tcp from any to !(rl0) port 80 flags S/SA keep state
    pass in quick on rl0 proto tcp from any to !(rl0) port 8080 flags S/SA keep state
    Thanks.
    Last edited by ciupax; 02-12-2011 at 01:19.

  2. #2
    tambahkan dst-nat pada mikrotik, juga pada load balancer yang berada di depan mikrotik

  3. #3
    yup, di NAT lakukan forwarding ke pfsense, gunakan alamat dan port-nya
