15 Setup pfSense Configure NAT Basics

Captions
Welcome to ITProTV. I'm your host, live from San Francisco, California. You're watching ITProTV. Hello, thank you for watching ITProTV, helping you level up with IT learning everywhere you go. I'm your host Zach Memos. For this episode of pfSense 2.4.4 Open Source Firewall, Setup pfSense: Configure NAT Basics is the title of this episode, more to learn, and it's going to be a lot of fun, and Ronnie Wong is here to help us out. Ronnie, good to see you. Well Zach, thank you again for being here with us as well, and good to see you as we continue on to learn more about pfSense and how things are actually set up for us. And so we are now moving to this point where we need to talk about, well, NAT, Network Address Translation, and this is an important part of the technology that we need to at least understand how it works. The great thing though is by default it is already working for you when you first turn on pfSense, and you don't have to worry about configuring it if you want to leave it at its default settings, okay, uh, to actually be able to do what we want to do.

Okay, so as we get started I want to bring us back, because it's been a while since I've shown you the diagram of, actually I don't know if I've ever shown you a diagram before in this series here, about what it is that we've set up so far and where we're actually going. Okay, let me show you if I can here, okay, and we'll kind of take a look this way. Yep, this is the first. All right, so for us here is essentially our configuration right now. Okay, on the inside I've got a Windows 10 machine, and uh the actual firewall interface is this 192.168.40.254. Yes sir. And then on the outside, I don't think I have this one actually configured in this exact uh configuration anymore. I've used this particular diagram because it's kind of my standard diagram to show NAT is what we've done here, but so let's say on the outside there's an actual public IP address out here that goes out to our ISP. So the right-hand side represents our WAN connection, the left-hand side over here represents our LAN connection as well.

Okay, the key here for us in understanding NAT, okay, at least for the way that we traditionally use uh firewall or NAT rules here, is really the idea that you're taking private IP addresses that are not valid on the internet and you're translating them into, well, something that is valid on the internet, which are these addresses that are not in those private IP address ranges, the RFC 1918 addresses. So that is what you're actually doing. Okay, so if we can understand that particular configuration, then we know something that, where we tend to set up NAT traditionally, okay, has been between in that environment. So I can set up that on my firewall like I'm showing you right here, or for those of you that might have a more advanced configuration and you do have those, or you might even have a router sitting out here, and that router may actually be doing the same thing, which is running NAT there. But since we're focusing in on pfSense, well, actually of course we'll use pfSense and show you how you can configure NAT on pfSense as well.

Okay, so Ronnie, what are the different options we need to know about before we start going towards that? Yeah, as we start to take a look at it, right, there's a couple of different things where we really need to pay attention to, and that is because it plays along with firewall rules as well. So I called them NAT rules, okay. So when you configure the idea of NAT you're actually having to make sure that it happens, okay, uh, and you have to actually think about where it has to happen, okay, and the processing order is important. So we want to make sure that we understand first the idea of the processing order as well as the different types of NAT that are available to us. So we'll just go through a little bit of a primer of NAT. We'll not go into the configuration details, because I know how to do it on Cisco as far as hand-typing it, but uh for us here it's just the concepts that matter, and just make sure that you actually understand why you would choose to use, when you choose to use this stuff, okay.

So let's go ahead and take a look at probably the ones that most of us might be familiar with, okay. Inside of our NAT configuration in pfSense you have the ability to do what we call port forwarding, okay. Now when we talk about the idea of port forwarding here, and this one's a little bit uh off here, let me make sure that she goes here instead, okay. When we start doing this, now when we start to do the idea of port forwarding, what we are allowing it to do is, we're saying that when this uh, a person or this particular computer on the outside of the ISP, and others off the internet, we might want them connecting into a web server, but the web server's internal in my LAN inside. I don't want them really going directly into my firewall and then being able to get access to the file server or the email server or to the client. I want them really only being able to get access to that web server specifically, just a web page if I want that to be, okay. So if I wanted something like that I could configure what we call port forwarding, okay. So port forwarding allows me to only really open up that one particular protocol on that one particular port, so that even if they're getting connected inside they're not allowed to actually do anything else. They're only going to connect to that particular port. Now, whatever you allow port forwarding into, so here's a best-practice caveat I'm throwing here that has nothing to do with the pfSense here, but if I'm doing this to a web server I need to make sure that the web server is sufficiently hardened as well, okay, and I need to make sure that all of my other devices are also running, you know, all the security that I need to, because I know that that means other traffic is actually coming in from the outside getting in here, okay.

So the way that we actually connect this with port forwarding is that what we do on the outside is that we tell, we're going to let it actually browse to a public IP address, and when it hits it on that firewall and using that particular port number, so let's say it's port 443, so we're using HTTPS to this internal number, to this number here, then the firewall itself will automatically forward that to this internal IP address here on that one port, okay. So that's something that we can do and that we actually need to understand as well, okay. So when you start to do something like this, okay, it is incumbent that we understand that that's one of the things that we can get set up.

All right, so let's talk about how we accomplish this in pfSense, okay. So if we go back to my diagram before, okay, what I've now got is I have an Ubuntu Server that's sitting out here that's going to be kind of my client that's on the outside, and then internally I have a web server sitting here too, okay. All right, so let's take a look at how that works, okay. So here is the Ubuntu server that I was talking about, okay. So I want to be able to get access into, well, that particular web server on the inside of my network, if I can type in my password correctly. Sometimes I can't, is what I'm known for, which is the inability to type in actual words for one reason or another, okay. Now in a moment here, if my screen ever comes up, now there it goes, okay, so it took a moment, okay, fine. Uh, yep, you are right, it is the Bionic Beaver. So we'll just bring up our uh browser here, and I want to be able to get access into that particular internal server. Now for me, I told you that what I need is going to be on the outside interface of my firewall, and that interface, let me see if I can scroll over so that we can see it, it's going to be this IP address right here, this WAN interface, 10.0.11.119, okay. So that doesn't get me to my server, which is 192.168.40.101. That only gets me to the outside interface of my firewall, okay. So let's see what happens when I do that. So if I do HTTPS, let me zoom in so that you can see me typing here, okay, there it is, there's another one, and now I've connected into it, and now we're going to see it's going to fail, okay, as what should be happening, and the reason why is that there isn't a web server on the external WAN connection on my firewall, okay. So that's the issue that we have now with that going on, and it's going to time out here in a moment, at least I think it is. It's not connecting, so we'll just close that out, save a little bit of hassle.

Now I want to be able to allow that in, so I need to go back to my firewall then, and when I do this, up at the top we're going back to our Firewall, uh, item here, select NAT, and this is where you do see they treat port forwarding as, you know, part of that, okay. There are no rules that are actually set up here currently. No rules. Just right, no rules, okay. So this is where we can add in a rule. So I'm going to select the Add, and I'm going to tell it to add it on top of everything because it's my first rule. From this point I can disable it, but I don't have to. Now for NAT to be able to work the way that I'm talking about, you have to have this NAT redirection enabled, okay. So if you actually disable redirection for traffic matching this rule, it tells you this option is rarely needed; in other words, to disable it, it's rarely needed, don't use it without knowledge of the implications. So it's kind of a weird warning, right? They're saying we really don't want you to use it, but we're going to give you the option to use it. That's fine, but you do understand what they're actually talking about here, okay. Notice HTTPS is going to be a TCP protocol, requires that three-way handshake. Then it gives us a destination. Now I can actually link it from a very specific source address if I want to, but I can also leave it as any address, because if I'm hooking up to a web server it may be from any place. So I can show you the advanced here and leave it as any, which is everything. Do you see where it says Source any, from any source. The recommendation here is don't actually put in a port number for the source port numbers, because that can be very restrictive, especially if you're trying to do something like I am. I'm just going to hide that option because I really don't need to set it.

Then the destination, this is the one you do need to set, okay. Now I want it on that WAN address, that 10.0.11.119, so I have that WAN address. This time though I need this port range, and what I'm looking for is going to be the To port, which is simply HTTPS, so that's going to be on port 443. Normally you don't have to worry about this one; when you don't set this one it automatically sets it to both of these is what it does, okay. So uh notice it says that the To field may remain empty if you're only mapping a single port, so you can actually do that as well, okay. All right, so the IP address is 192.168.40.101, and redirect to another port here. So normally it says hey, this is uh identical to the From port, which is fine. So if we wanted to, let's just select them both, then we'll make sure that we do that. So we'll do the To on the From, and that will make sure that we covered all, just in case I've done something wrong. So this one is going to be "allows access to the internal web server". All right, now there's a couple of other options. I generally leave this option alone as far as using the system default, because they're saying yes, we're allowing that NAT reflection, which is a good thing. And if there's any other rule that I want to associate here, uh, let me select Pass, okay. It says the Pass does not work properly in multi-WAN; it will only work on an interface containing the default gateway. So we'll see right here if everything here sets up. So I wanted to actually be working with a Pass rule is what I'm saying. I'm going to click Save because that's actually important; make sure I hit it again just in case. All right, so now it says hey, wait a minute, you uh, the valid redirection port I did not select here, so let me make sure I select that. So the great thing is on pfSense it tells you when you don't do something right. Try it again.

Now I want to take a look at the rule that's actually created. See if I can make that go a little bit higher so that we can see it. I'm just trying to look at the rule, I'm not so worried about the description here, okay. So WAN interface, protocol using TCP, from any source, going to the WAN address on port 443, it should NAT it to 192.168.40.1 on port 443, okay. So that is what I'm hoping to actually be able to do. All right, so let's take a look now if this actually works for us as well, and make sure it actually has a check mark here that actually is saying it is enabled at this point too. We save and apply this too, right? We did save and apply that, uh, and you actually do see where it says changes have been applied successfully, and that's what you're looking for, okay. If you don't see that, then yes, it may not work. Let's go back in to our outside machine again, and this time we'll try it in a couple of different ways. So if I just do http://10.0.11.119, will I get a connection? Well, I shouldn't, okay, and the reason why is I only used HTTP. I was very specific that I wanted that protocol which was HTTPS. So it looks like it's going to time out because it's not actually connecting yet. So now if I do HTTPS and 10.0.11, and I'm crossing my fingers now. I always think that I know that it's going to happen, I always get a little bit more.

So Ronnie, what do we need to do to make this work? Well yeah, sometimes there's actually a couple of different things, right, that rules like I said are kind of notorious, uh, at the very fact that sometimes you can't get them set up exactly what you want to. So if you're doing this for the first time it may be like me, what's showing you, like I am doing it for the first time, but I did this rule before. Let me show you what the result is. So here it just took a little bit of time to be able to see, but now notice it says it's timed out, right? So it's actually saying hey, you can try again. You can try again; it's probably going to work the same way. What we want to do is we want to go back and examine, since I was working through it on the fly. Now I've mentioned this during creation of our firewall rules: sometimes you want to make sure you write out what you think is supposed to happen instead of working on the fly. And so what we're going to do is we're going to examine this rule again, and I'm going to take a look at the edit and see what might have happened, okay. So one of the things that could cause it to go wrong is I accidentally disabled it when I left, when I actually clicked Save. It is possible, I know you don't think it is, but I do tend to make mistakes. It happens, okay. Hard to believe. So you see that, yeah, uh, the ports here, okay, those didn't change, those actually look correct as far as I can tell. This one tells me hey, this port is normally the same as the From port above, which is, well, that's exactly right, so that all looks good. Oops, see if I can scroll down here, okay. And now at the bottom here I do see something that is different, right? So at the very end when I configured this, it says rule NAT allow access into internal web server, right? Well, I didn't choose that, okay. I remember last time when I talked, I said I want to associate this with a Pass rule so it can get there, but now notice, Zach, I didn't actually do that. Apparently I clicked on something else instead of that, and actually it's Pass now. Where does that normally happen? More than likely there wasn't this rule that was there before when I actually configured it. So what normally happens is I select this option by accident where it says create a new associated filter rule, and then I click Finish and Save, and I forgot to actually create a firewall rule to allow it to come in, okay. Okay, so now it gives me that access to be able to do so, but I wanted this to say Pass, okay. So when I hit Save, what I want to do before I apply all the changes here is I want to verify that that still says Pass, okay, and I think that that will fix the issue, okay. At least that's what I'm believing here, is that that is exactly what will fix the issue. And hit Save again, and hit Apply Changes, and now verify, and now I can only cross my fingers and hope that this is going to work this time. So best thing is close out of the browser so it doesn't cache anything in there, open up a new browser, https and then 10.0.11.119, and this time it got me automatically in, okay. So you can see where the difference is: if it works, in other words, it works almost immediately, okay. If it doesn't work, it's like yeah, you didn't do it right, I don't know how to connect to that. But you see that I am now connected in, even though this is the IP address of my firewall, this is actually the IP, this is actually the web server that is running on my Windows 10 machine, and you can see it's actually a Windows web server that's actually running here, okay. Sure enough.

So if I take a look at this thing, I can go to my Diagnostics here and States, and let's verify that we are actually connected, here is what we're doing. So I'm now looking for the WAN connections coming in, and there is the one that I'm actually looking for, just as an example, okay. So I can see where when I connected in, I connected to 10.0.11.119; here is the NAT process where it's actually attaching this particular connection, and you can see what it translated it into, okay, is what you end up seeing right there, okay. So that is the connection that's actually live that we're seeing, and we see it again here too, where it's doing exactly what it's supposed to be doing, and here's it actually retrieving the web page from its own internal server as well. So those are actually the connections that are going on, and we can see that doing what we want it to do, okay. So port forwarding does work effectively. Now when you do that, remember what you're really doing to your overall firewall as well, okay. Well, these rules are designed to help protect us, okay, something like this, and Zach, even though on the WAN interface, okay, here on the firewall rules I've selected the WAN interface, remember that even though it doesn't appear in this list, so there's the two default: don't allow private IP addresses, don't allow these reserved addresses to connect into my firewall. But there's a third one that's actually listed here that we don't see, which is an implicit deny any rule. Oh, right, right. Is what's actually down here, and we just don't see that, okay. So how did the actual NAT rules get to work even though you're seeing where this is essentially saying I not only denied these two that you're seeing, but I deny everything else, okay? That is the question that we have to understand, because I'm asking that question, okay. Yeah, so actually that's a great question, okay. So that's what we want to at least take a look at, yeah, okay.

So when we start to take a look at, there's actually a couple of things here. Let me see if I can find my, I want to make sure I brought that up. Yep, so here's what you want to understand, okay, and the way that the NAT actually ends up working, okay. So this diagram that I'm trying to focus in on so that we understand, now I don't like the way they do their diagrams; to me it doesn't make visual sense in the way that they do it, it's very vertical, but it's all about the order that they're showing here, okay. So on the WAN interface, okay, just the WAN interface itself, yes, what they're showing you is from top to bottom, in other words these three rules here, okay, are these three policies, whatever you want to call it, okay, ordering of NAT and firewall processing rules, okay. First it goes through tcpdump; that's so it can monitor everything, okay, so we get that, that's the first thing that it can actually do. But notice that the second thing it processes is NAT rules, okay, and then firewall rules after that. Why is that important for something like port forwarding? Because it tells you why port forwarding is allowed to work, because it actually says I inspect this first, which is what the port forwarding that you and I set up, Zach, I inspect this first, then I go through the list of the firewall rules that are there, okay. So that's why it's important that we understand, when firewall rules, you know, don't seem to make sense, because we're like, well heck, the firewall rules say it's actually denying everything, but if you are using NAT and you're going across the internet, NAT always applies first, okay, when it comes in. So usually for us, if we're doing something like this, this is us NATing from the outside to the inside, and the recommendation, okay, not always, but the recommendation and best practice, especially for a business, is to not do this unless we really need to do this, okay. Now if I do have a web server, okay, and I want to host it internally, this is the perfect way to do so, but remember the caveat that I told you at the beginning of the episode here: make sure that all the other servers are hardened, make sure that on this one the only thing that you want to be available is the ports that you want available, not everything else on that particular server, but only those ports, okay. So this is why port forwarding was also available as well. Same thing on the LAN side too, okay. When you and I begin to actually configure firewall rules, okay, the NAT will always apply first before configuring firewall rules as well, okay. So then after that, then it actually takes a look at tcpdump. So I don't know why, you know, I would like the visual order to actually show, you know, the processes of it actually, packets moving in and out, versus the idea of working top to bottom as well. So NAT rules once again are applied first here, okay. So notice that in both of these they're actually applied, you know, that first: NAT first, firewall rules, okay. Right, right. So that's the way that we have them, okay. So it's real essential when we start to take a look at, to understand that idea and that processing of something like uh the firewall rules here, okay.

So when we start to take a look then, that's why we don't need another firewall rule allowing something like port forwarding to go on here, Zach, okay. It actually just does it for us. Now Zach, the idea of actually doing this is pretty good, okay, because it actually allows us to be able to limit what we want to, right, but in a business you really don't want to do this unless you have to, because it's a bypass around the rules, okay. That's really not something that we want to do, but it does have to happen sometimes, but just kind of be aware. All right, so once we actually understand that, then okay, and let me take a look here, okay, so we've got a few minutes left. So Zach, I wanted to actually go on and talk of the other two ways that we can do NAT. I'm just realizing something: we've only got a few minutes left in our current episode. We could leave them with a cliffhanger. So that is exactly what we are going to do. We still need to talk a little bit about the idea of one-to-one NAT as well as what they call outbound NAT; most of us would actually know it as port address translation or NAT overloading as well. We need to talk about both of those briefly; we're not going to spend a ton of time. We want to talk about when you would actually use one over the other and why we would choose something like that too, okay. So Zach, we'll actually pick that up in a part two, but uh for you this is actually a great place for us to at least take a break, and then we'll pick up again. Setup pfSense: Configure NAT Basics Part Two coming your way. Make sure you join us for that, and thank you for joining us for part one. Ronnie, wonderful job as per usual, and he's done a great job with every single episode of pfSense 2.4.4 Open Source Firewall, I think you can agree. Make sure that you study, never stop learning, and inside our course library there's a lot of supplementary information that is there to do one thing: help you be even more successful. Then check that out as well, and tell everybody you know about ITProTV. ITProTV is binge-worthy. Thanks for watching. I'm Zach Memos, and I'm Ronnie Wong. We will see you again very soon. [Music] Thank you for watching ITProTV.
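The port forward walked through in this episode, written out as the underlying pf rules that a pfSense 2.4 box loads after Apply Changes. This is an added, constructed example and is not taken from the video or from the pfSense project; the interface name em0 and the rule label are assumptions, while the addresses and port are the ones used in the episode. It makes the processing-order point concrete: the rdr rule rewrites the destination before any filter rule is evaluated, so the filter rule that lets the connection in (the "associated filter rule" that was missing on the first attempt) has to match the translated destination 192.168.40.101 rather than the WAN address, and without it the WAN interface's implicit deny still drops the translated packet.

```pf
# Constructed pf.conf fragment for the episode's port forward (example only,
# not the ruleset generated by the video's firewall). Interface name is assumed.
wan_if  = "em0"              # assumed WAN NIC name
wan_ip  = "10.0.11.119"      # WAN address used in the episode
web_srv = "192.168.40.101"   # internal web server used in the episode

# 1. NAT (rdr) is evaluated first: inbound TCP to WAN:443 has its destination
#    rewritten to the internal web server on 443. Source port is left
#    unrestricted, as the episode recommends; source address is "any" because
#    web clients can come from anywhere.
rdr on $wan_if inet proto tcp from any to $wan_ip port 443 -> $web_srv port 443

# 2. pfSense's default deny on WAN (it adds this itself; shown for completeness).
block in log on $wan_if

# 3. Filter rules see the packet after translation, so the pass rule must name
#    the translated destination. This is the associated filter rule created
#    when the port forward is saved with the "Pass" / associated-rule option.
#    Only port 443 is opened; nothing else on the server is reachable from WAN.
pass in quick on $wan_if inet proto tcp from any to $web_srv port 443 \
    flags S/SA keep state label "USER_RULE: NAT allows access to the internal web server"
```

On the firewall shell, `pfctl -sn` lists the loaded rdr rule, `pfctl -sr` the filter rules, and `pfctl -ss | grep 192.168.40.101` shows the live translated state, which is the same entry the episode locates under Diagnostics > States. If the rdr rule is present but the pass rule is missing or was saved as "None", the outside client times out exactly as it did on the first try.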
Info
Channel: Python Tutorials for Stock Market
Views: 1,306
Keywords: artificial intelligence, python, data science, excel
Id: PVVWB3tb3ZM
Length: 25min 11sec (1511 seconds)
Published: Sun Jun 25 2023