Netgate Discussion Forum
Failure to connect to the internet from the DMZ

Category: Virtualization. 42 posts, 2 posters, 9.8k views.

henze:

I should configure WAN rules, because it is necessary that all traffic from WAN can only access DMZ web (and not DMZ DB); that's why I ask about this. Traffic comes from WAN to pfSense to DMZ web, and then from DMZ web to DMZ DB.
Should I configure only interface rules?

johnpoz (LAYER 8 Global Moderator):

By default NOTHING can access anything from the WAN; this is the default out of the box. If you want ports open from WAN to something on your private side then you create a port forward. Are you wanting to do some sort of 1:1 NAT?

You show WAN as private 192.168.3.1. Are you doing NAT or not? By default pfSense NATs. Is this WAN the internet or some other segment in your network? For anything to talk to anything in the DMZ from the WAN side of pfSense, it would first have to get to 192.168.3.1. Since that is private, the device in front of pfSense NATing 192.168.3.0/24 to public would have to forward traffic to pfSense, so that pfSense could forward it on.

If you drew up your network I would be happy to work you through whatever you're trying to accomplish.

You don't route traffic through DMZ web to DMZ DB (unless you have some router on dmzweb?). Do you mean you want devices in DMZ web to access stuff in DMZ DB?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

henze:

Hey, I changed the architecture to this.
Look at the flow matrix (an empty box means block).

| Source \ Destination | Zone1: internet | Zone2: FW Réseau (network FW): pfSense | Zone3: DMZ Vulture | Zone4: DMZ web | Zone5: DMZ GreenSQL | Zone6: DMZ database | Zone7: administrator |
|---|---|---|---|---|---|---|---|
| Zone1: internet | | TCP 80, TCP 443 | | | | | |
| Zone2: FW Réseau (network FW): pfSense | | | TCP 80, TCP 443 | | | | |
| Zone3: DMZ Vulture | | | | TCP 80, TCP 443 | | | |
| Zone4: DMZ web | | | | | DB port 3306 | | |
| Zone5: DMZ Vulture | | | | | | DB port 3306 | |
| Zone6: DMZ DB | | | | | | | |
| Zone7: administrator | all | all | all | all | all | all | |

henze:

[attachment: architecture réseau.jpg]

johnpoz (LAYER 8 Global Moderator):

My French is a bit rusty, but what is zone 2 supposed to be exactly? Réseau is network, is it not?

Zone2: Fw Réseau:Pfsense

And are you wanting these rules to only allow access to the specific IPs you list, or the whole network?

So TCP 80 and TCP 443 is very clear, but I'm a bit confused by "Port bd 3306". Is that a TCP port, UDP?

Also you call zone 1 internet, but on the drawing you show WAN with RFC1918 address space? This is not internet ;) So the pfSense WAN IP is 192.168.1.3? Is there stuff on 192.168.1.0/24 that needs to talk to stuff on your network? You show block for all your zones to internet? Are we assuming these networks can talk to the pfSense interfaces on that segment? What ports? DNS?

If the pfSense WAN is RFC1918, and you want HTTP and HTTPS to talk to whatever this "Zone2: Fw Réseau:Pfsense" is, is that 192.168.1.3? What is forwarding this traffic to the RFC1918 address? If that is really from the internet, something has to forward it to the pfSense private address.

You say you want internet (z1) to talk to z2, and z2 can talk to z3. Do you really mean you want z1 to talk to z3? Is Z2 this 192.168.1.0/24 network?

Also a bit confused about your use of the firewall symbol on other devices? Does that mean there are other network segments behind it?

Where is this DMZ GreenSQL in your table? You have DMZ Vulture twice? Are the IPs you are showing the devices' IPs on these segments or the pfSense IPs? You show an admin box with 2.1, but then you also show 2.1 on what might be the pfSense IP for that network segment?

edit:
So I drew up your network with a few question marks. Can you fill them in so we are clear? See attached. Also, from looking up Vulture, it's French (didn't see English), but I take it it is your WEBSSO (web single sign-on). And looking at GreenSQL, this looks to be a firewall for SQL servers. So your HTTP talks to this GreenSQL box, which in turn talks to your DB server. If you can clear up the IPs I can show you an example of how I would do this. But I would think web needs to be able to talk to Vulture, not Vulture talking to the web srv.

[attachment: pfsensethread.jpg]

henze:

zone2: FW Réseau pfSense; I mean the interface 192.168.1.3 (not to forget that I work with a virtual machine ;) 192.168.1.1 is the interface of my router in my house
dmz web: where I have my website hosted
to access the database the port should be 3306 (MySQL database)
Zone 1: internet. I mean the traffic that comes from my router
I want to explain it otherwise; I HOSTED a website (in web dmz), so I put a firewall, Vulture, whose role is to protect my application (it is located in dmz vulture), so whatever request enters my website:

1. pfSense transfers the traffic from my physical machine (192.168.1.0/24) to dmz vulture (192.168.205.1)
2. after some rules by Vulture, it sends the traffic to dmzWeb (pfSense transfers traffic from dmz vulture to dmzweb)
3. if the request needs to access the database, then from dmz web to dmzGreensql (it is a firewall for the database that analyzes the request and transfers it to the dmz bd). Also pfSense is what transfers this traffic.

I hope that you will understand what I mean exactly

johnpoz (LAYER 8 Global Moderator):

See my edit; I added a picture.

So is Vulture just SSO or is it a reverse proxy?

henze:

Yes, your picture is correct and that's what I mean exactly. Now just to make the rules for the traffic as I told you before in the flow matrix.
Vulture is an application firewall effectively protecting web applications.
Based on reverse proxy technology, Vulture is a barrier between applications and the outside world.

henze:

For your question "X.X.X.?": I use DHCP, so it takes an IP automatically.

johnpoz (LAYER 8 Global Moderator):

That is NOT a good idea for something you're going to be using as a proxy ;) Servers should always have the same address; set a reservation if you want. For starters it's easier to write the rule(s) if you know what IPs to send all to and from.

henze:

So how can I configure it? Can you explain it to me please :) Thanks for all your answers.

johnpoz (LAYER 8 Global Moderator):

Well, in pfSense just set an IP via its MAC (a reservation, sometimes known as static DHCP), or on the machine itself just set a static.

Go to the bottom of the page for your DHCP server and set static.

See for example, here are mine for my LAN segment

[attachment: reservations.png]

henze:

Yes, I understand, but my problem until now is how to work with the traffic!
How to configure pfSense and traffic management as in the architecture which I sent to you?
What should I do in the interfaces, from interface Zone 1, interface … Zone 7?

johnpoz (LAYER 8 Global Moderator):

Well, from z1 to whatever proxy, you would create a port forward to the reverse proxy. Then from that zone you would create a rule that allows that reverse proxy to talk to where you want it to talk.

So for example port forward port 80 to your reverse proxy, then from that interface create a rule that allows its IP to talk to the IP of your webserver on port 80, I would assume. This is going to end up quite convoluted. I have to read up on the 2 pieces of software you're wanting to use: do they normally have more than 1 interface? You're hairpinning these connections: the connection goes back out the same interface it came in on. "One Arm Bandit" is another term for this, etc.

I can draw up the rules when I get a chance, but having some IPs to work with will make it clearer and easier to understand.

henze:

Thank you for everything :) Good man

henze:

Hello,
I tried to make these rules but it didn't work as I want.
Can you show me a screen capture for some zones (wan, dmz vulture, dmz web, dmz Greensql …)?
Thanks

johnpoz (LAYER 8 Global Moderator):

Do you have IPs yet? Or do you want me to just make them for the whole zone?

OK, let's call your Vulture box 192.168.206.100, because you need an IP to forward to.

OK, so this is clean pfSense out of the box. I set up the interfaces to reflect your zone numbers. Per my drawing, notice no Z1, because that is the internet. Keep in mind you will have to forward 80 to your pfSense WAN IP, 192.168.1.x in your drawing.

So see the attachments; you have your default rules out of the gate. Nothing on WAN, or any of your other segments. Only the first LAN segment has an any-any rule by default. This works and does not need to be changed. This is where your admin station is.

Now you need to create your NAT (port forward) to your Vulture reverse proxy. This creates a WAN rule to allow that traffic. Let's say the Vulture box is 206.100.

You then allow vult to talk to your web server network.
You then allow web to talk to green (DB proxy).
You then allow green to talk to DB.

This is a pretty convoluted setup and pretty pointless if you ask me. You're hairpinning a lot of connections, since your proxies only have 1 interface? If you had the ports and the IPs we could lock the rules down more. But the below rules allow traffic between the segments as I understand what you want to do. TCP only.

Keep in mind there are no rules to allow any sort of DNS, so not sure how your boxes are resolving the other devices they need to get to. If pfSense is going to have all the FQDNs you need to resolve, then you would need rules on all the interfaces to allow DNS 53 (TCP/UDP) to the pfSense interface on that segment. But with all your proxy use, I would assume you're pointing directly at IPs, etc.

I would never set it up like this. I would put my reverse proxies in the "dmz", let's call it dmz external. Then with another interface on these proxies I would put those in, say, a dmz internal segment. This prevents the hairpinning and creates fewer segments.

[attachments: Lan_z7.png, Wan_Z2-everyotherzone.png, toproxy.png, wanruleallowproxyaccess.png, vulttoweb.png, webtogreen.png, greentodb.png]

henze:

Thanks;
in each DMZ (zone) I have just one. For example in dmzWeb I have (192.168.206.2: URL of my web application), dmz vulture (just the Vulture proxy, which has IP 192.168.205.131).
The reverse proxy has a listening interface 192.168.205.131 and it connects to the web application (192.168.206.2).
For all the DMZs I use DHCP! Is it correct, or should I put an assigned address, because in this zone I have just one?
In my architecture, do I need to work with DNS? I think not.
For every zone should I let traffic out to the net? So how can I do this, because sometimes if I need to modify the data I should have access to the internet from every zone.
After all the rules, must I block any any?

johnpoz (LAYER 8 Global Moderator):

Well, to add internet for each zone: create an alias for your zones, and then create a rule that says ! alias (not). See my attached DMZ rules, where I allow DMZ to talk to my NTP server on LAN. And in the next rule I allow it to go anywhere else it might want, as long as it's not my local networks.

Then put this rule below your allow rule for the zone you want to allow. Rules go from top to bottom; the first rule to trigger wins.

So if your vult box for example is going to your web zone, bam, that rule hits and says allow/pass, there you go. If you're, say, going to 8.8.8.8 (Google DNS), then that rule you have would not fire and the default deny would block. If you have more rules below and one says "hey, you can go anywhere you want as long as NOT these networks" (your local networks), then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in the alias that you put a NOT on with !

[attachment: aliasnotlocals.png]

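The rule logic in johnpoz's two posts above (one pass rule per hop, the port forward creating the WAN rule, a "!LocalNets" alias placed below the specific allow, rules read top to bottom with first match winning and an implicit default deny) as an added example. This is not code from the thread or from pfSense itself; it is a small Python model of that evaluation order, not a pf configuration. Addresses come from the thread where it gives them (Vulture 192.168.205.131, web 192.168.206.2); the GreenSQL, DB and admin-network addresses, the interface names WAN/Z3/Z4/Z5 and the alias names are assumptions chosen for the example.

```python
"""Added example: first-match model of the pfSense rule evaluation described
in the thread (per-interface rules, top to bottom, first match wins, implicit
default deny, aliases, and a negated "!Alias" destination). Not pfSense code.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Addresses from the thread where given (Vulture 192.168.205.131,
# web 192.168.206.2). GreenSQL, DB and the admin network 192.168.2.0/24
# are assumptions for this example.
ALIASES = {
    "LocalNets": ["192.168.1.0/24", "192.168.2.0/24", "192.168.205.0/24",
                  "192.168.206.0/24", "192.168.207.0/24", "192.168.208.0/24"],
    "Vulture":  ["192.168.205.131"],
    "Web":      ["192.168.206.2"],
    "GreenSQL": ["192.168.207.10"],   # assumed
    "DB":       ["192.168.208.10"],   # assumed
}


class Rule(NamedTuple):
    iface: str            # interface the rule is attached to (ingress)
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # alias name, CIDR/host, or "any"
    dst: str              # alias name, CIDR/host, "any", or "!Alias" (negated)
    dport: Optional[int]  # destination port; None matches any port


def matches(addr: str, spec: str) -> bool:
    """True if addr is covered by spec ("any", an alias, a CIDR/host, or "!"-negated)."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    name = spec[1:] if negate else spec
    members = ALIASES.get(name, [name])
    hit = any(ip_address(addr) in ip_network(m, strict=False) for m in members)
    return not hit if negate else hit


def evaluate(rules, iface, proto, src, dst, dport):
    """Return (action, matched_rule) for the first packet of a new connection.

    pfSense is stateful: only the initiating packet is checked against the
    rules of the interface it arrives on; replies follow the state entry.
    """
    for r in rules:
        if r.iface != iface or r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if matches(src, r.src) and matches(dst, r.dst):
            return r.action, r
    return "block", None  # nothing matched: implicit default deny


# The rule set johnpoz outlines, one allow per hop. Interface names are
# assumed and follow the thread's zone numbers.
RULES = [
    # WAN: the port forward to the reverse proxy creates these pass rules.
    Rule("WAN", "pass", "tcp", "any", "Vulture", 80),
    Rule("WAN", "pass", "tcp", "any", "Vulture", 443),
    # Z3 Vulture -> Z4 web
    Rule("Z3", "pass", "tcp", "Vulture", "Web", 80),
    Rule("Z3", "pass", "tcp", "Vulture", "Web", 443),
    # Z4 web -> Z5 GreenSQL (MySQL), then Z5 GreenSQL -> Z6 DB
    Rule("Z4", "pass", "tcp", "Web", "GreenSQL", 3306),
    Rule("Z5", "pass", "tcp", "GreenSQL", "DB", 3306),
    # Internet egress for Z4: anything NOT in LocalNets, placed below the
    # specific allow so that rule still decides local destinations.
    Rule("Z4", "pass", "any", "Web", "!LocalNets", None),
]


def action(iface, proto, src, dst, dport, rules=RULES):
    """Convenience: just the verdict for one new connection."""
    return evaluate(rules, iface, proto, src, dst, dport)[0]


def dns_only_rule_reach():
    """Contrast case: a pass rule whose destination is the single host
    8.8.8.8 permits 8.8.8.8 and nothing else on the internet."""
    rules = [
        Rule("Z3", "pass", "tcp", "Vulture", "Web", 80),
        Rule("Z3", "pass", "any", "Vulture", "8.8.8.8", None),
        Rule("Z3", "block", "any", "any", "any", None),  # explicit final block
    ]
    return (evaluate(rules, "Z3", "udp", "192.168.205.131", "8.8.8.8", 53)[0],
            evaluate(rules, "Z3", "tcp", "192.168.205.131", "1.1.1.1", 443)[0])


if __name__ == "__main__":
    print(action("WAN", "tcp", "203.0.113.5", "192.168.205.131", 80))   # pass
    print(action("Z4", "tcp", "192.168.206.2", "192.168.208.10", 3306))  # block
    print(dns_only_rule_reach())                                          # ('pass', 'block')
```

Running it shows the point behind the ordering question: the web host reaches GreenSQL on 3306 but not the DB directly, reaches the internet through the negated alias but not the admin network, and a pass rule whose destination is only 8.8.8.8 lets a host reach 8.8.8.8 and nothing else. Real pfSense evaluation has more to it (state table, floating rules, quick vs. non-quick), so treat this as a reasoning aid, not a substitute for testing the actual ruleset.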
henze:

I didn't understand very well what you said to me ("So if your vult box for example is going to your web zone, bam, that rule hits and says allow/pass, there you go. If you're, say, going to 8.8.8.8 (Google DNS) then that rule you have would not fire and the default deny would block. If you have more rules below and one says hey, you can go anywhere you want as long as NOT these networks (your local networks), then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in your alias that you put a NOT on with !").

I understand: for example, for dmz vulture I create the rules:
* pass to dmz web (access to my web application)
* pass to alias (8.8.8.8), Google's DNS: with this rule I can access the internet
* block any any

Is this correct? In this order?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.