Architecture for securing home network with exposed web server

SteveITS

@forumate access would be controlled by firewall rules on the DMZ interface. See if this helps:
https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/opt-lan.html#isolated

forumate

@SteveITS thank you.
I tried following the guide, but immediately after I saved all the firewall rules and restarted, I had no internet at all on my VM, even not the one given earlier by the DHCP.

When I run ip command in the Ubuntu VM, it has no more IPv4 address

What can I do to fix it? I did not disable the DHCP so it's weird that the VM stopped getting IP

stephenw10

Are you actually running an 1100?

If so the switch config is probably incorrect if the server VM no longer pulls a DHCP lease.

forumate

@stephenw10 It's not a physical switch, I am using a virtual WAN switch on Hyper V connected to a pfSense VM

stephenw10

Ah, Ok then some of those steps in the 1100 instructions would not apply.

Are you adding the DMZ as a separate virtual NIC in pfSense or as a VLAN?

forumate

So it's the first time I'm probably trying to do something this complicated (for me), so I might be doing wrong stuff or say things that don't make sense because of that so if you see that I am saying nonsense please let me know:

I haven't setup any VLAN yet. What I did so far was to follow this video until around minute 11:30 where he connects the virtual WAN and private LAN switches to the pfSense VM: https://www.youtube.com/watch?v=eEZZQT8T4xY&t=1s

So I assume I do not have any DMZ right now.

What I currently have is:

1. A virtual WAN switch connected to the pfSense VM (its IP is 192.168.2.25, same IP range as the home network where the default gateway is 192.168.2.1)
2. A virtual private LAN switch connected to the pfSense VM on a different on a different IP range - 172.25.100.1/24, and acts as a DHCP.
3. An Ubuntu Server VM connected to the private LAN switch - this VM got the IP 172.25.100.100

So I am confused about a few things now that I would love to get some clarification about:

1. I didn't setup a VLAN during setup however I did create a network with different IP range, isn't it considered a VLAN? because it's a virtual network with different IP range?
2. I can still ping to other computers on my home network on the 192.168.2.x/24 IP range, for example another PC on 192.168.2.8, why? aren't private switches supposed to allow only communication between VMs?

SteveITS

@forumate said in Architecture for securing home network with exposed web server:

I did create a network with different IP range, isn't it considered a VLAN?

No, not that alone. A VLAN is a separate network but sharing the same cabling, and most importantly isolated by the switch. So multiple networks would share one patch cable into pfSense but be isolated by the switch. Each packet is tagged (usually by the switch, or AP) as to which VLAN it is for.
https://docs.netgate.com/pfsense/en/latest/vlan/index.html

After setup a VLAN in pfSense is basically the same as a third, fourth, etc. interface. Firewall rules control access between networks in pfSense.

If the two subnets are not isolated then you run into trouble with things like DHCP, plus all someone has to do is change their IP to hop onto the other network.

@stephenw10 said in Architecture for securing home network with exposed web server:

then some of those steps in the 1100 instructions would not apply

For sake of discussion, which? I clicked that one kind of at random as it's on several models (not a recipe...?) but all the VLAN setup is not in that section I linked...that part would be 1100 specific.

stephenw10

@SteveITS said in Architecture for securing home network with exposed web server:

For sake of discussion, which?

It may not be mentioned specifically there but I worried there might be links to the 1100 switch setup that wouldn't apply here.

@forumate Because you are using a virtual infrastructure you don't need to use VLANs here. You can just add more virtual NICs and switches if you want additional subnets behind pfSense.

You can add firewall rules on the LAN to prevent LAN side hosts accessing the WAN side hosts directly. However that's not a good setup because the traffic from the LAN side hosts (DMZ) still has to travel across the WAN where all the protected clients should be.
What you want to have are LAN and DMZ interfaces in pfSense where traffic is completely separate and any connections between them must go through pfSense and hence can be filtered.

Steve

forumate

@SteveITS said in Architecture for securing home network with exposed web server:

@forumate said in Architecture for securing home network with exposed web server:

I did create a network with different IP range, isn't it considered a VLAN?

No, not that alone. A VLAN is a separate network but sharing the same cabling, and most importantly isolated by the switch. So multiple networks would share one patch cable into pfSense but be isolated by the switch. Each packet is tagged (usually by the switch, or AP) as to which VLAN it is for.
https://docs.netgate.com/pfsense/en/latest/vlan/index.html

After setup a VLAN in pfSense is basically the same as a third, fourth, etc. interface. Firewall rules control access between networks in pfSense.

If the two subnets are not isolated then you run into trouble with things like DHCP, plus all someone has to do is change their IP to hop onto the other network.

thank you, I will have to read more about the VLAN then.

@stephenw10 said in Architecture for securing home network with exposed web server:

@SteveITS said in Architecture for securing home network with exposed web server:

For sake of discussion, which?

It may not be mentioned specifically there but I worried there might be links to the 1100 switch setup that wouldn't apply here.

@forumate Because you are using a virtual infrastructure you don't need to use VLANs here. You can just add more virtual NICs and switches if you want additional subnets behind pfSense.

You can add firewall rules on the LAN to prevent LAN side hosts accessing the WAN side hosts directly. However that's not a good setup because the traffic from the LAN side hosts (DMZ) still has to travel across the WAN where all the protected clients should be.
What you want to have are LAN and DMZ interfaces in pfSense where traffic is completely separate and any connections between them must go through pfSense and hence can be filtered.

Steve

I am new to networking. When you say DMZ, what way of DMZ setup do you mean? by usin VLANs as suggested above?

stephenw10

No just mean a different subnet connected via an interface named DMZ. It could also be named OPT etc. The nature of a DMZ is simply what traffic is allowed in and out of it. So here it's just what firewall rules you have applied to that traffic.

forumate

@stephenw10 thank you.

Currently I have WAN and LAN called OPTx.

You say I should add another virtual private LAN switch on hyper-v, connect it in pfsense as a LAN interface as well, call it DMZ for example and connect it to the OPTx?

So that I'll have 3 subnets?

192.168.2.1/24 of the home network
172.15.100.1/24 - OPTx
10.0.0.1/24 as DMZ

then separate the DMZ from the home network by having the OPTx in between?

SteveITS

@forumate I think you’re getting hung up on the names. The names are irrelevant. WAN and LAN are pretty standard. You can name others however you wish. If DMZ is easier to understand conceptually, go for that. Then you have 3 interfaces, and a web server in DMZ is not on LAN.

stephenw10

Your setup is different currently because pfSense is not your edge router. Currently all traffic has to travel across your local LAN to reach pfSense and any hosts behind it. There is no need to add an extra interface in your setup as it is.
You can still add firewall rules to prevent hosts behind pfSense accessing the local LAN devices directly.

forumate

@SteveITS said in Architecture for securing home network with exposed web server:

@forumate I think you’re getting hung up on the names. The names are irrelevant. WAN and LAN are pretty standard. You can name others however you wish. If DMZ is easier to understand conceptually, go for that. Then you have 3 interfaces, and a web server in DMZ is not on LAN.

Oh I just gave names in this case for the example, I understand that names are not important (just because I wanted to make the example more understandable)

What do you mean a web server in DMZ is not on LAN?

@stephenw10 said in Architecture for securing home network with exposed web server:

Your setup is different currently because pfSense is not your edge router. Currently all traffic has to travel across your local LAN to reach pfSense and any hosts behind it. There is no need to add an extra interface in your setup as it is.
You can still add firewall rules to prevent hosts behind pfSense accessing the local LAN devices directly.

Yes exactly there is a problem because I must use the ISP router right now as the edge router. So I thought to use pfSense with firewall rules as you said.

So because it has to go through the ISP router, as you said I can just have 2 interfaces?

1. The private WAN switch
2. The private LAN switch - and give it different IP range, and firewall rules to not be able to access anything else outside its IP range?

How can I do it? Could you give me hints where to start?

And is it even possible to have a firewall rule that will prevent access to my edge router, and still keep the private LAN interface connected to the internet? Is it sort of like a one-way valve? where traffic can come from the ISP 10.0.0.138 to the pfSense VM on 192.168.2.1 (for example), but not the other way around? Is this the general idea? (I just want to understand the theory too before I actually set firewall rules)

SteveITS

@forumate said in Architecture for securing home network with exposed web server:

What do you mean a web server in DMZ is not on LAN?

A DMZ type network is a separate network from LAN so compromised devices cannot infect LAN devices.
https://en.wikipedia.org/wiki/DMZ_(computing)
Usually via separate wiring or a true VLAN. A "guest wireless" would be another example.

Each interface in pfSense can have its own rules, for instance a guest/DMZ could have something like:

• allow to pfSense DNS
• reject to This Firewall
• reject to LAN
• allow to any

one such example: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-4100/opt-lan.html#isolated

Rereading your OP, I think I misunderstood. If you simply put pfSense between your web server and your LAN, and do nothing else, that would not prevent your web server from accessing your LAN (pfSense's WAN). Because pfSense would NAT requests onto your LAN just like it does to the Internet. You would need to block access by firewall rules.

stephenw10

What you could do is move pfSense so it's connected directly to the ISP router and everything else is behind it. Then you can device you internal hosts between two pfSense interfaces in the normal way.

Your ISP router may have a pass-through or DMZ made where is just passes all traffic to pfSense that could be used there.

forumate

thanks guys!

Physically I think I have problem putting pfSense right after the ISP router and behind everything else (if I understood correctly the setup you meant)

I did try however something now in the firewall rules as you suggested.

I will sum up the setup and the firewall rules:

In Hyper-V, I have 2 virtual switches - a WAN and a private LAN.
Both switches are connected to the pfSense VM.
the LAN switch is acting as a DHCP and connected to the Ubuntu Server VM (the web server)

Now, I just added a blocking rule for any IP and any protocol from the LAN to the WAN subnets:
(*Note that the IPs are different than above comments as I've changed stuff)

Image of the setup on the pfSense VM:

Image of the FW rule:

Now I tried to access my router's management IP on 192.168.2.1 and I could not do it anymore, and I can no longer ping any machine on the 192.168.2.1/24 range (the home network). Does it mean I actually isolated the VM?

stephenw10

Well that rule has isolated it from everything! All traffic is blocked except to the OPTX address on port 80.

Your block rule should be: source: OPTXnet, destination: WANnet.

Then you should have a pass rule below that for other destinations outside the WAN.

forumate

@stephenw10 thank you!

In Cloudflare, I set the service to be HTTP (port 80) and the OPTx IPv4 address - exactly the one that is open, and I am able to visit my domain at https://example.com - I can to go to the HTTPS because Cloudflare redirects HTTPS to the internal HTTP

I am still able to go to the machine via Hyper-V which is what I need to perform manual git updates

Should that be enough? Why would I need the rule you suggested over the current rule (for knowledge, not to say that your rule isn't good ) - what does it allow that currently isn't allowed - could you please provide examples?

Maybe you mean that I can't SSH to the machine (which I don't need right now but might need soon)? Or something else that I haven't encountered yet?

stephenw10

It would allow the VM to connect out, to pull updates for example. If it doesn't need to do that then you don't need any other rule.