other:networking:opnsense:dmz [2023/09/27 07:07] – rodolico | other:networking:opnsense:dmz [2023/09/27 10:22] (current) – rodolico | ||
Line 53: | Line 53: | ||
OPNSense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch. | OPNSense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch. | ||
+ | |||
+ | ==== Firewall Aliases ==== | ||
You can skip this first step, though I like it because it makes the entire setup more maintainable. I like to use Firewall Aliases for my ports and, sometimes, for my hosts. I would definitely recommend doing the ports part, however, as you would otherwise have to write one NAT for each port. | You can skip this first step, though I like it because it makes the entire setup more maintainable. I like to use Firewall Aliases for my ports and, sometimes, for my hosts. I would definitely recommend doing the ports part, however, as you would otherwise have to write one NAT for each port. | ||
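Review bot: the product name is written "OPNSense" on the context line of this hunk while the project itself spells it "OPNsense" (lowercase s); since the new "==== Firewall Aliases ====" heading is being added to this paragraph anyway, the spelling could be corrected in the same edit so the rest of the page follows it.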
Line 58: | Line 60: | ||
- Firewall | Aliases | - Firewall | Aliases | ||
- Add (plus sign) | - Add (plus sign) | ||
- | - Name: web ports | + | - Name: web_ports |
- Type: Ports | - Type: Ports | ||
+ | - Categories: DMZ | ||
- Contents: enter the web ports, placing a comma between them (ie, 80,443) | - Contents: enter the web ports, placing a comma between them (ie, 80,443) | ||
- Description: | - Description: | ||
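Review bot: the rename from "web ports" to "web_ports" is the right change, since it matches the mail_ports alias below and is safe to use as an identifier in NAT and filter rules, but the "- Description:" line that closes the hunk is still left without a value; an alias that is later referenced from the port forward should carry a short description (for example "HTTP/HTTPS for DMZ web server") so the rule list stays readable. Minor: "ie," on the Contents line should read "i.e.,".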
Line 66: | Line 69: | ||
- Name: mail_ports | - Name: mail_ports | ||
- Type: Ports | - Type: Ports | ||
+ | - Categories: DMZ | ||
- Content: 25,465,587 | - Content: 25,465,587 | ||
- Description: | - Description: | ||
+ | - Save | ||
- Add | - Add | ||
- Name: webserver | - Name: webserver | ||
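Review bot: the field label on the "- Content: 25,465,587" line differs from the "- Contents:" label used for the web_ports alias in the previous hunk; pick the wording that matches the UI field and use it for both aliases. The "+ - Save" inserted before the next "- Add" fixes a genuinely missing step, and the "- Description:" line here should get a value for the same reason as the web_ports one.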
Line 73: | Line 78: | ||
- Categories: DMZ | - Categories: DMZ | ||
- Content: 192.168.52.3 (the IP of your web server, in the DMZ) | - Content: 192.168.52.3 (the IP of your web server, in the DMZ) | ||
- | - Description: | + | - Description: |
+ | - Save | ||
+ | - Add | ||
+ | - Name: mailserver | ||
+ | - Type: Host(s) | ||
+ | - Categories: DMZ | ||
+ | - Content: 192.168.52.4 (the IP of your mail server, in the DMZ) | ||
+ | - Description: | ||
+ | - Save | ||
+ | |||
+ | ==== Build the Forward ==== | ||
+ | |||
+ | All that is left to do is tell the router to forward the port groups to the appropriate host. | ||
+ | |||
+ | - Firewall | NAT | Port Forward | ||
+ | - Add | ||
+ | - Interface: WAN | ||
+ | - TCP/IP Version: Select your requirements | ||
+ | - Protocol: TCP (or, TCP/UDP if you also need UDP) | ||
+ | - Destination: | ||
+ | - Destination port range: Select web_ports from the dropdown (hint, it is higher in the dropdown) | ||
+ | - Redirect target IP: | ||
+ | - Single host or Network | ||
+ | - If you created an alias, select web_server from the dropdown | ||
+ | - if not, enter the IP address of the target machine | ||
+ | - Redirect target port: should be already set to web_ports | ||
+ | - Category: DMZ | ||
+ | - Description: | ||
+ | - NAT reflection: Use system default (**See Below**) | ||
+ | - Filter rule association: | ||
+ | - Save | ||
+ | - Repeat for other server(s) | ||
+ | |||
+ | **Note:** Here we are forwarding ports to the same port on the internal target server. So, port 25 on the WAN targets port 25 on the mail server. This is NOT a requirement, | ||
+ | |||
+ | === NAT Reflection === | ||
+ | |||
+ | NAT Reflection is a nice little function that rewrites network traffic if you are in the LAN and try to access a DMZ IP by it's public IP. This cuts down on your public IP network traffic, short circuiting the whole "out and in" thing. | ||
+ | |||
+ | You can set NAT Reflection manually for each NAT, but you can also just set a system default and leave that. To set the default on NAT Reflection to On for all NAT's that have the default, do the following: | ||
+ | |||
+ | - Firewall | Settings | Advanced | ||
+ | - Place a check box in Reflection for port forwards | ||
+ | - You might also want // | ||
+ | |||
+ | === Filter rule association === | ||
+ | |||
+ | As of v23.7, the //Associate this with a regular firewall rule// does not appear to generate the correct rules. The rule shows up in the firewall, but does not work. | ||
+ | |||
+ | This has been reported a few times (see https:// | ||
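Review bot: the "Redirect target IP" sub-step says "select web_server from the dropdown", but the host alias created at the top of this hunk is named "webserver" (and the mail host "mailserver"); use one spelling throughout, otherwise a reader searching the dropdown will not find the alias. Two fields in the forward steps are shown with no value, "- Destination:" and "- Filter rule association:"; each should state what to choose, especially the second, because the "=== Filter rule association ===" subsection at the end of this hunk says the associated-rule option does not produce a working rule in 23.7, so the reader needs to know whether to pick a different option and add the WAN pass rule for web_ports / mail_ports by hand. Also "it's public IP" in the NAT Reflection paragraph should be "its public IP", the Note sentence ending "This is NOT a requirement," stops at the comma, and the closing "(see https://" line has no URL after it.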
other/networking/opnsense/dmz.1695816460.txt.gz · Last modified: 2023/09/27 07:07 by rodolico