other:networking:opnsense:dmz
Differences
This shows you the differences between two versions of the page.
| other:networking:opnsense:dmz [2021/04/03 02:04] – rodolico | other:networking:opnsense:dmz [2023/09/27 10:22] (current) – rodolico | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== opnSense DMZ ====== | ====== opnSense DMZ ====== | ||
| - | **NOT** for this, but saving link. This if for multi-wan (multiple outside IP's with failover) | ||
| - | * https:// | ||
| - | This is a work in progress. I'm updating it as I do the work. | + | ===== DMZ ===== | 
| - | ===== Target Appliance ===== | + | The goal here is to create a DMZ on the same router as our LAN. A DMZ a separate network, which a LAN has access to, but does not have access to the LAN. We can then put servers in the DMZ which we can make publicly available (ie, accessed via public IP's) while maintaining the integrity of our LAN behind the same firewall. | 
| - | The goal here is to create a DMZ which will allow multiple public IP's to access internal machines via 1:1 NAT. We will build separate | + | NOTE: this is **not** as secure as having too separate | 
| + | |||
| + | To create a DMZ, you'll need a separate network, either through a VLAN or through a separate physical setup. How you get there is up to you, but this article assumes you have a third network interface, and you have named it DMZ (the others labeled LAN and WAN, and they were working before). | ||
| + | |||
| + | We'll set up the DMZ interface, optionally allow a DHCP server | ||
| - DMZ | - DMZ | ||
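Review bot: the new DMZ definition row in this hunk ("The goal here is to create a DMZ on the same router as our LAN...") has two wording defects that change its meaning: "A DMZ a separate network" is missing "is", and the caveat row under it reads "not as secure as having too separate" where "two separate" is intended, and that sentence stops before naming what the two separate things are. Suggest completing the caveat so it says plainly what the trade-off of putting the DMZ on the same router as the LAN is, since that is the point the NOTE exists to make. Also the "**NOT** for this, but saving link" row keeps only a bare "https://" with the multi-WAN URL missing; either restore the link or drop the row.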
| Line 16: | Line 18: | ||
| - IPV4 Address | - IPV4 Address | ||
| - auto-detect IPv4 upstream gateway | - auto-detect IPv4 upstream gateway | ||
| - | - dhcp | + | - DHCP (optional) | 
| - | - enable | + | - enable | 
| - set range | - set range | ||
| + | - Firewall (two rules, but see https:// | ||
| + | - Allow dmz to access everything but local network | ||
| + | - Action: Pass | ||
| + | - Interface: DMZ | ||
| + | - Protocol: Any | ||
| + | - Source: DMZ net | ||
| + | - Source port: any | ||
| + | - Destination Invert: check | ||
| + | - Destination: | ||
| + | - Destination Port: any | ||
| + | - Category: DMZ | ||
| + | - Description: | ||
| + | - Allow LAN full access to DMZ | ||
| + | - Action: pass | ||
| + | - Interface: lan | ||
| + | - TCP/IP Version: IPV4+IPv6 | ||
| + | - protocol: tcp | ||
| + | - source: LAN net | ||
| + | - Source port: any | ||
| + | - Destination: | ||
| + | - Destination Port: any | ||
| + | - Category: DMZ | ||
| + | - Description: | ||
| + | |||
| + | |||
| + | ===== NAT a DMZ machine using Port Forward ===== | ||
| + | |||
| + | NAT (Network Address Translation) allows you to use one IP address to access multiple internal machines, so long as they have unique network port requirements. For example, you could have a public web server on port 80 and 443 (http and https), then a separate server for e-mail using smtp(s) (ports 25,465, 587), imap(s) (ports 143 and 993) and pop(s) (ports 110 and 995). They could both be on the same public IP address, and NAT would send all http(s) traffic to one machine and all e-mail traffic to the other. Obviously, these machines could be inside a DMZ. | ||
| + | |||
| + | Why do you want to do this? Several reasons, but the main one is to decrease complexity in your servers. You have one server which is only a web server, with apache, php and maybe mysql. A completely separate machine handles your e-mail. | ||
| + | |||
| + | OPNSense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch. | ||
| + | |||
| + | ==== Firewall Aliases ==== | ||
| + | |||
| + | You can skip this first step, though I like it because it makes the entire setup more maintainable. I like to use Firewall Aliases for my ports and, sometimes, for my hosts. I would definitely recommend doing the ports part, however, as you would otherwise have to write one NAT for each port. | ||
| + | |||
| + | - Firewall | Aliases | ||
| + | - Add (plus sign) | ||
| + | - Name: web_ports | ||
| + | - Type: Ports | ||
| + | - Categories: DMZ | ||
| + | - Contents: enter the web ports, placing a comma between them (ie, 80,443) | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add (plus sign) | ||
| + | - Name: mail_ports | ||
| + | - Type: Ports | ||
| + | - Categories: DMZ | ||
| + | - Content: 25,465,587 | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add | ||
| + | - Name: webserver | ||
| + | - Type: Host(s) | ||
| + | - Categories: DMZ | ||
| + | - Content: 192.168.52.3 (the IP of your web server, in the DMZ) | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add | ||
| + | - Name: mailserver | ||
| + | - Type: Host(s) | ||
| + | - Categories: DMZ | ||
| + | - Content: 192.168.52.4 (the IP of your mail server, in the DMZ) | ||
| + | - Description: | ||
| + | - Save | ||
| + | |||
| + | ==== Build the Forward ==== | ||
| + | |||
| + | All that is left to do is tell the router to forward the port groups to the appropriate host. | ||
| + | |||
| + | - Firewall | NAT | Port Forward | ||
| + | - Add | ||
| + | - Interface: WAN | ||
| + | - TCP/IP Version: Select your requirements | ||
| + | - Protocol: TCP (or, TCP/UDP if you also need UDP) | ||
| + | - Destination: | ||
| + | - Destination port range: Select web_ports from the dropdown (hint, it is higher in the dropdown) | ||
| + | - Redirect target IP: | ||
| + | - Single host or Network | ||
| + | - If you created an alias, select web_server from the dropdown | ||
| + | - if not, enter the IP address of the target machine | ||
| + | - Redirect target port: should be already set to web_ports | ||
| + | - Category: DMZ | ||
| + | - Description: | ||
| + | - NAT reflection: Use system default (**See Below**) | ||
| + | - Filter rule association: | ||
| + | - Save | ||
| + | - Repeat for other server(s) | ||
| + | |||
| + | **Note:** Here we are forwarding ports to the same port on the internal target server. So, port 25 on the WAN targets port 25 on the mail server. This is NOT a requirement, | ||
| + | |||
| + | === NAT Reflection === | ||
| + | |||
| + | NAT Reflection is a nice little function that rewrites network traffic if you are in the LAN and try to access a DMZ IP by it's public IP. This cuts down on your public IP network traffic, short circuiting the whole "out and in" thing. | ||
| + | |||
| + | You can set NAT Reflection manually for each NAT, but you can also just set a system default and leave that. To set the default on NAT Reflection to On for all NAT's that have the default, do the following: | ||
| + | |||
| + | - Firewall | Settings | Advanced | ||
| + | - Place a check box in Reflection for port forwards | ||
| + | - You might also want // | ||
| + | |||
| + | === Filter rule association === | ||
| + | |||
| + | As of v23.7, the //Associate this with a regular firewall rule// does not appear to generate the correct rules. The rule shows up in the firewall, but does not work. | ||
| + | |||
| + | This has been reported a few times (see https:// | ||
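Review bot: the "Allow LAN full access to DMZ" rule in this hunk sets "protocol: tcp", which is not full access: UDP (DNS, NTP) and ICMP from LAN net to the DMZ stay blocked, so either set Protocol to any or rename the rule as TCP-only. The companion rule "Allow dmz to access everything but local network" leaves its "Destination:" empty; with "Destination Invert: check" that field is what actually keeps the DMZ out of the LAN, so it needs the LAN network (or an alias covering every internal network) spelled out, because the earlier "does not have access to the LAN" statement depends on it. Smaller points: the port-forward step says to select "web_server" from the dropdown while the alias created above is named "webserver"; the "mail_ports" alias holds only 25,465,587 although the NAT intro also lists imap(s) 143/993 and pop(s) 110/995, so either add those ports or say the alias is SMTP-only; and several rows are cut off at "Destination:", "Description:", "Firewall (two rules, but see https://" and the closing "see https://", while the patch promised in "then I'll show ... the patch" for the broken "Associate this with a regular firewall rule" option in 23.7 is not in the hunk.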
other/networking/opnsense/dmz.1617433454.txt.gz · Last modified: 2021/04/03 02:04 by rodolico