                Differences
| other:networking:opnsense:dmz [2023/09/27 06:43] – rodolico | other:networking:opnsense:dmz [2023/09/27 10:22] (current) – rodolico | ||
|---|---|---|---|
| Line 53: | Line 53: | ||
| OPNSense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch. | OPNSense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch. | ||
| + | |||
| + | ==== Firewall Aliases ==== | ||
| + | |||
| + | You can skip this first step, though I like it because it makes the entire setup more maintainable. I like to use Firewall Aliases for my ports and, sometimes, for my hosts. I would definitely recommend doing the ports part, however, as you would otherwise have to write one NAT for each port. | ||
| + | |||
| + | - Firewall | Aliases | ||
| + | - Add (plus sign) | ||
| + | - Name: web_ports | ||
| + | - Type: Ports | ||
| + | - Categories: DMZ | ||
| + | - Contents: enter the web ports, placing a comma between them (ie, 80,443) | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add (plus sign) | ||
| + | - Name: mail_ports | ||
| + | - Type: Ports | ||
| + | - Categories: DMZ | ||
| + | - Content: 25,465,587 | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add | ||
| + | - Name: webserver | ||
| + | - Type: Host(s) | ||
| + | - Categories: DMZ | ||
| + | - Content: 192.168.52.3 (the IP of your web server, in the DMZ) | ||
| + | - Description: | ||
| + | - Save | ||
| + | - Add | ||
| + | - Name: mailserver | ||
| + | - Type: Host(s) | ||
| + | - Categories: DMZ | ||
| + | - Content: 192.168.52.4 (the IP of your mail server, in the DMZ) | ||
| + | - Description: | ||
| + | - Save | ||
| + | |||
| + | ==== Build the Forward ==== | ||
| + | |||
| + | All that is left to do is tell the router to forward the port groups to the appropriate host. | ||
| + | |||
| + | - Firewall | NAT | Port Forward | ||
| + | - Add | ||
| + | - Interface: WAN | ||
| + | - TCP/IP Version: Select your requirements | ||
| + | - Protocol: TCP (or, TCP/UDP if you also need UDP) | ||
| + | - Destination: | ||
| + | - Destination port range: Select web_ports from the dropdown (hint, it is higher in the dropdown) | ||
| + | - Redirect target IP: | ||
| + | - Single host or Network | ||
| + | - If you created an alias, select web_server from the dropdown | ||
| + | - if not, enter the IP address of the target machine | ||
| + | - Redirect target port: should be already set to web_ports | ||
| + | - Category: DMZ | ||
| + | - Description: | ||
| + | - NAT reflection: Use system default (**See Below**) | ||
| + | - Filter rule association: | ||
| + | - Save | ||
| + | - Repeat for other server(s) | ||
| + | |||
| + | **Note:** Here we are forwarding ports to the same port on the internal target server. So, port 25 on the WAN targets port 25 on the mail server. This is NOT a requirement, | ||
| + | |||
| + | === NAT Reflection === | ||
| + | |||
| + | NAT Reflection is a nice little function that rewrites network traffic if you are in the LAN and try to access a DMZ IP by it's public IP. This cuts down on your public IP network traffic, short circuiting the whole "out and in" thing. | ||
| + | |||
| + | You can set NAT Reflection manually for each NAT, but you can also just set a system default and leave that. To set the default on NAT Reflection to On for all NAT's that have the default, do the following: | ||
| + | |||
| + | - Firewall | Settings | Advanced | ||
| + | - Place a check box in Reflection for port forwards | ||
| + | - You might also want // | ||
| + | |||
| + | === Filter rule association === | ||
| + | |||
| + | As of v23.7, the //Associate this with a regular firewall rule// does not appear to generate the correct rules. The rule shows up in the firewall, but does not work. | ||
| + | |||
| + | This has been reported a few times (see https:// | ||
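Review bot: the host alias is created as "webserver" in the Firewall Aliases steps, but the Port Forward steps say to select "web_server" from the Redirect target IP dropdown; rename one of the two so the reader can actually find the alias in the list. In the same Port Forward list the Destination field is left blank; for a forward on the WAN interface the step should say what to pick there (the WAN address), otherwise the rule has nothing to match on. Two wording fixes: "(ie, 80,443)" should read "(e.g. 80,443)", and "by it's public IP" should be "by its public IP". Finally, the Filter rule association section states that the associated rule does not work in 23.7 but stops before the workaround that the line 53 context promises ("then the patch"), and the bug-report link is cut off at "https://", so the reader gets neither the reference nor the fix.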
other/networking/opnsense/dmz.1695815019.txt.gz · Last modified: 2023/09/27 06:43 by rodolico