Help with DMZ & Public IP block.
-
Hello all.
I have pfsense 2.0.1-RELEASE (i386) running on an ALIX 2D3. I want to use it to replace my very old Sonicwall firewall.
I have googled and read a LOT of information but just can not figure it out. I can things almost working but not quite 100%.
I have a block of IP's x.x.x.160/27
My ADSL router (3 MLPPP bonded lines) uses x.x.x.161. This then goes to the WAN port of the Sonicwall.
The Sonicwall uses x.x.x.162 (public IP for all PC's on the LAN port) & 192.168.0.1 (LAN address for access and gateway etc).
Most of the remaining IP's are assigned to the servers on the DMZ port.
The LAN and DMZ ports go to 2 seperate switches.I have set up pfsense with
WAN x.x.x.162
LAN 192.168.0.1
DMZ port no IP (none in type drop down box)
I could access the internet from the LAN but not the DMZ. If I bridge the WAN and DMZ then the both LAN and DMZ seem to work ok but then I can not access any of the IP's on the DMZ port from the LAN.From what I have read some people use local IP's on their servers and then NAT the public IP's to them. I really don't want to go that route if possible as it will be a lot of work changing everything around. We have multiple IPs on some servers for SSL etc and also there are a lot of hard coded IP's in web apps like forums, shopping carts, mail server scripts etc.
Can anyone recommend a setup that will work the same way as described with my current Sonicwall?
Regards
Dave
-
With the bridge setup, it sounds like you are almost there and just have to tweak the firewall rule set. Most specifically adjusting the OPT (DMZ) rules to allow return traffic to the LAN and also using advanced outbound NAT to turn off NATing from LAN to DMZ. You might also want to turn off NAT reflection if you have it enabled.
-
Thank you for the reply. I have just disabled NAT Reflection as you suggested. I also deleted the rules I added and just to test created anything to anything rules and it all appears to be working fine. I then changed the rule on the DMZ interface to disallow LAN access and it still seems to be working ok.
So my rules so far look like this
LAN Has just the 2 default rules.
WAN
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * * * * noneDMZ
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* * * ! LAN net * * noneOn the DMZ I assumed I would need to choose the DMZ Subnet for Source but if I do that then the servers lose outgoing access. I realise that could be a good thing but at the moment I just want to emulate what the Sonicwall was doing and then I can start to lock things down some more.
Do these rules look ok for a starting point? It all seem to be functioning as I want it too.
Regards
Dave
-
IF the DMZ is in a bridge, then there is not really a DMZ subnet. You could create an alias that says ExternalIPSubnet and put in your External IP subnet.
As for your rules, you WAN is wide open. You need to start restricting that to prevent unwanted access.
The reason that LAN can get to DMZ even with the DMZ rule is that all rules are inbound block on that interface. So you will need to modify the LAN rule to block access to DMZ and put that rule above the default allow rule.
-
Thank you again for your quick reply.
IF the DMZ is in a bridge, then there is not really a DMZ subnet. You could create an alias that says ExternalIPSubnet and put in your External IP subnet.
That worked great. I have also done a lot more reading about the alias feature so I understand it more. It has given me some ideas to try.
As for your rules, you WAN is wide open. You need to start restricting that to prevent unwanted access.
I have now. I just wanted to get a starting point where I knew everything was working after the initial problems I had. After your reply yesterday I added rules only for the services I need http, https, DNS, email etc. I then deleted the wide open rule.
The reason that LAN can get to DMZ even with the DMZ rule is that all rules are inbound block on that interface. So you will need to modify the LAN rule to block access to DMZ and put that rule above the default allow rule.
I do need the LAN to access the Public IP's on the DMZ interface for email and admin of the servers etc. After your first suggestion it is working great now.
I assumed that rule on the DMZ interface lets all traffic from the DMZ interface to anywhere except the LAN interface. This is something I will be working on to lock down more as I get a better idea of all the settings.So as it is now the LAN has the default rules. The DMZ has the same rule as above. The WAN now has multiple rules only allowing the specific services I need to use.
Regards
Dave