
Firewall - pfSense


System >> Advanced >> Networking >> Hardware Checksum (leave disabled)
https://youtu.be/IJts2RoHczE


- System >> General Setup

https://youtu.be/ILETpVZpq8k


VNC
pvecm updatecerts
https://forum.proxmox.com/threads/task-error-failed-to-run-vncproxy.49954/

cd /var/lib/vz/template/iso

wget https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz

https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776


# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

auto enp8s0
iface enp8s0 inet static
    address
    gateway
# port 10

auto enp5s0f0
iface enp5s0f0 inet manual

auto enp5s0f1
iface enp5s0f1 inet manual

auto enp6s0f0
iface enp6s0f0 inet manual

auto enp6s0f1
iface enp6s0f1 inet manual

auto enp9s0
iface enp9s0 inet manual
# port 12

auto vmbr1
iface vmbr1 inet manual
    bridge-ports enp9s0
    bridge-stp off
    bridge-fd 0
    bridge-vlan-aware yes
    bridge-vids 2-4094

iface vmbr0 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

auto vmbr1.192
iface vmbr1.192 inet static
    address 192.168.0.32/23

auto vmbr1.193
iface vmbr1.193 inet manual

auto vmbr1.194
iface vmbr1.194 inet manual

auto vmbr10
iface vmbr10 inet static
    address 192.168.2.1/30
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/30' -o enp8s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/30' -o enp8s0 -j MASQUERADE
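As an added example (not from these notes or from Proxmox), a small Python check for two hygiene problems visible in the interfaces file above: a `post-up` NAT rule without its `post-down` twin, which leaves one more duplicate MASQUERADE rule behind on every ifdown/ifup cycle, and an `inet static` stanza whose `address` is empty. The sample text is a constructed excerpt modelled on the file; `vmbr11` is invented.

```python
# Constructed excerpt modelled on the Proxmox file above; vmbr11 is invented and deliberately broken.
SAMPLE = """\
auto enp8s0
iface enp8s0 inet static
    address
auto vmbr10
iface vmbr10 inet static
    address 192.168.2.1/30
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/30' -o enp8s0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/30' -o enp8s0 -j MASQUERADE
auto vmbr11
iface vmbr11 inet static
    address 10.9.9.1/30
    post-up iptables -t nat -A POSTROUTING -s '10.9.9.0/30' -o enp8s0 -j MASQUERADE
"""

def parse_interfaces(text):
    """Group option lines under their iface stanza: {name: {"method": str, "opts": [(key, value)]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "iface":  # "iface <name> inet <method>"
            name, *rest = value.split()
            current = stanzas.setdefault(name, {"method": rest[-1] if rest else "", "opts": []})
        elif key in ("auto", "allow-hotplug", "source", "source-directory"):
            current = None  # top-level directives, not part of a stanza
        elif current is not None:
            current["opts"].append((key, value))
    return stanzas

def unmatched_nat_rules(stanzas):
    """(iface, rule) for each 'post-up iptables ... -A ...' with no 'post-down ... -D ...' twin:
    without the twin, every ifdown/ifup cycle appends one more copy of the MASQUERADE rule."""
    found = []
    for name, st in stanzas.items():
        ups = [v for k, v in st["opts"] if k == "post-up" and v.startswith("iptables") and " -A " in v]
        downs = {v.replace(" -D ", " -A ", 1) for k, v in st["opts"] if k == "post-down"}
        found += [(name, rule) for rule in ups if rule not in downs]
    return found

def incomplete_static(stanzas):
    """Names of 'inet static' stanzas whose address is missing or empty (as enp8s0 is above)."""
    return [name for name, st in stanzas.items()
            if st["method"] == "static" and not any(k == "address" and v for k, v in st["opts"])]
```

Run it against the real file with `parse_interfaces(open("/etc/network/interfaces").read())` before applying the config with ifreload.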


# DNS server and WAN gateway


https://serverfault.com/questions/660463/nginx-as-a-proxy-server-for-a-local-network
https://www.loggly.com/blog/benchmarking-5-popular-load-balancers-nginx-haproxy-envoy-traefik-and-alb/

pfSense installation

  • Configure the WAN from the console
    • vtnetX1
  • Configure the LAN from the console
    • vtnetX2
Address:   192.168.0.1
Netmask:   255.255.254.0 = 23
Wildcard:  0.0.1.255
Network:   192.168.0.0 (Class C)
Broadcast: 192.168.1.255
HostMin:   192.168.0.1
HostMax:   192.168.1.254

  • Gateway
192.168.1.251/23

Configure System >> General Setup

Configure System >> Advanced

  • HTTPS
  • TCP port

Configure System >> Advanced >> Networking

  • the Hardware Checksum Offloading option must be disabled if pfSense is virtualized

Configure System >> User Manager >> Groups

  • create a specific/individual administrative user
  • disable login for the admin user

Debian 11 configuration

  • set the IP and gateway in /etc/network/interfaces
  • set the DNS in /etc/resolv.conf

CARP HA

  • Create two VMs (one main and one backup)
  • Put the VM names (main and bkp) in System >> General Setup >> hostname
  • Add CARP Status to the dashboard
  • Create a sync user
  • Create a sync interface (IP/30)
  • Create a firewall rule
  • Virtual IP
  • NAT Outbound >> set the translation address to the WAN CARP VIP
  • System >> HAS >> select the sync LAN