Failure to connect to the internet from the DMZ
-
see my edit - added picture.
So is vulture just SSO or is it a reverse proxy?
-
Yes, your picture is correct and that's what I mean exactly. Now just to make the rules for the traffic as I told you before in the flow matrix.
Vulture is an application firewall effectively protecting Web applications.
Based on Reverse Proxy technology, Vulture is a barrier between applications and the outside world. -
For your question about X.X.X.? I use DHCP so it takes an IP automatically.
-
That is NOT a good idea for something you're going to be using as a proxy ;) Servers should always have the same address - set a reservation if you want. For starters it's easier to write the rule(s) if you know what IPs to send all to and from.
-
So how can I configure it? Can you explain to me please :) Thanks for all your answers.
-
Well in pfSense just set an IP via its MAC (reservation or sometimes known as static DHCP), or on the machine itself just set a static.
Go to the bottom of the page for your DHCP server and set static.
See for example, here are mine for my LAN segment.
-
Yes, I understand, but my problem until now is how to work with traffic!
How to configure pfSense and traffic management according to the architecture which I sent to you?
What should I do in the interfaces, from interface Zone1, Interface … Zone 7? -
Well from z1 to whatever proxy you would create a port forward to the reverse proxy. Then from that zone you would create a rule that allows that reverse proxy to talk to where you want it to talk.
So for example port forward port 80 to your reverse proxy, then from that interface create a rule that allows its IP to talk to the IP of your webserver on port 80 I would assume. This is going to end up quite convoluted.. I have to read up on the 2 pieces of software you're wanting to use - do they normally have more than 1 interface? You're hairpinning these connections - the connection goes back out the same interface it came in. One Arm Bandit is another term for this, etc.
I can draw up the rules when I get a chance - but having some IPs to work with will make it clearer and easier to understand.
-
Thank you for all :) Good man
-
Hello,
I tried to make these rules but it didn't work as I wanted.
Can you show me a screen capture for some zones (WAN, dmz vulture, dmz web, dmz Greensql …)?
Thanks -
Do you have IPs yet? Or do you want me to just make them to the whole zone?
Ok let's call your vulture box 192.168.206.100 because you need an IP to forward to.
Ok so this is clean pfSense out of the box.. I set up the interfaces to reflect your Zone numbers. Per my drawing, notice no Z1 because that is the internet.. Keep in mind you will have to forward 80 to your pfSense WAN IP.. 192.168.1.x in your drawing.
So see the attachments, you have your default rules out of the gate.. Nothing on WAN, or any of your other segments. Only the first LAN segment has an any any rule by default. This works and does not need to be changed. This is where your admin station is.
Now you need to create your NAT (port forward) to your vulture reverse proxy. This creates a WAN rule to allow that traffic - let's say the vulture box is 206.100.
You then allow vult to talk to your web server network.
You then allow web to talk to green (db proxy).
You then allow green to talk to db. This is a pretty convoluted setup and pretty pointless if you ask me.. You're hairpinning a lot of connections. Since your proxies only have 1 interface? If you had the ports and the IPs we could lock the rules down more. But the below rules allow traffic between the segments as I understand what you want to do. TCP only..
Keep in mind there are no rules to allow any sort of DNS.. So not sure how your boxes are resolving other devices they need to get to.. If pfSense is going to have all the FQDNs you need to resolve then you would need rules on all the interfaces to allow DNS 53 (tcp/udp) to the pfSense interface on that segment. But with all your proxy use, I would assume you're pointing directly to IPs, etc.
I would never set it up like this.. I would put my reverse proxies in the "dmz", let's call it dmz external. Then with another interface on these proxies I would put those in say a dmz internal segment. This prevents the hairpinning, creates fewer segments.
-
Thanks;
In each dmz (zone) I have just one. For example in dmzWeb I have (192.168.206.2: URL of my web application), dmz vulture (just the proxy Vulture which has the IP 192.168.205.131).
The reverse proxy has a listening interface 192.168.205.131 and it connects to the web application (192.168.206.2).
For all the dmz I use DHCP! Is it correct or should I put an assigned address, because in this zone I have just one?
In my architecture do I need to work with DNS? I think not.
For every zone should I allow traffic to the net? So how can I make this, because sometimes if I need to modify the data I should have access to the internet from every zone.
After all rules! I must block any any? -
Well, to add internet for each zone: create an alias for your zones, and then create a rule that says ! alias (not). See my attached dmz rules, where I allow dmz to talk to my NTP server on LAN. And in the next rule I allow it to go anywhere else it might want, as long as it's not my local networks.
Then put this rule below your allow rule for the zone you want to allow. Rules go from top to bottom, first rule to trigger wins.
So if your vult box for example is going to your web zone - bam that rule hits and says allow/pass - there you go. If you're say going to 8.8.8.8 (Google DNS) then that rule you have would not fire and default deny would block. If you have more rules below and one says hey you can go anywhere you want as long as NOT these networks (your local networks) then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in your alias that you put a NOT on with !
-
I didn't understand what you said to me very well (So if your vult box for example is going to your web zone - bam that rule hits and says allow/pass - there you go. If you're say going to 8.8.8.8 (Google DNS) then that rule you have would not fire and default deny would block. If you have more rules below and one says hey you can go anywhere you want as long as NOT these networks (your local networks) then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in your alias that you put a NOT on with !)
I understand: for example for dmz vulture I create rules:
* pass to dmz web (access to my web application)
* pass to alias (8.8.8.8) DNS of Google: with this rule I can access the internet
* block any any
Is this correct? In this order?
-
Dude, this is not rocket science here.. Create an alias that has your other networks in it – see my picture.
Put it after the rule that says it can go to the web zone.
Now it cannot go to any of those networks because it's a ! rule, i.e. I only allow you to pass if it's ! one of these networks. Or you could create individual rules doing the same thing.
Keep in mind this is an example - you prob want to let it talk to your pfSense interface in that zone for DNS.
-
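To make the first-match ordering and the negated (!) alias from the two replies above concrete, here is an added Python model of how such an interface rule set is evaluated; it is not pfSense code and not from anyone in this thread. It assumes /24 zones built from the IPs posted in the thread, 192.168.205.1 as the pfSense address in the dmz vulture zone (for DNS), and port 80 on the web server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread's addresses; the /24 masks are an assumption.
ALIASES = {
    "LocalNets": ["192.168.1.0/24", "192.168.205.0/24", "192.168.206.0/24",
                  "192.168.10.0/24", "192.168.11.0/24"],
}

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or alias name
    dst: str               # CIDR or alias name
    dport: Optional[int]   # None means any port
    not_dst: bool = False  # the NOT checkbox, shown as "!" in the rule list

def in_target(addr: str, target: str) -> bool:
    """True if addr falls inside the CIDR, or inside any member of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in ALIASES.get(target, [target]))

def evaluate(rules, proto, src, dst, dport) -> str:
    """Walk the interface rules top to bottom: the first match wins, and
    anything unmatched falls through to pfSense's implicit default deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not in_target(src, r.src):
            continue
        if in_target(dst, r.dst) == r.not_dst:   # NOT inverts the destination match
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"

# Rules on the dmz vulture interface, in the order recommended above.
# 192.168.205.1 as the pfSense address in that zone is an assumption.
VULT_RULES = [
    Rule("pass", "tcp", "192.168.205.0/24", "192.168.206.2/32", 80),
    Rule("pass", "udp", "192.168.205.0/24", "192.168.205.1/32", 53),
    Rule("pass", "tcp", "192.168.205.0/24", "192.168.205.1/32", 53),
    Rule("pass", "any", "192.168.205.0/24", "LocalNets", None, not_dst=True),
]

# The ordering question from the thread: an explicit block-any placed first
# shadows every pass rule below it, so nothing from the zone gets through.
BLOCK_FIRST = [Rule("block", "any", "192.168.205.0/24", "0.0.0.0/0", None)] + VULT_RULES
```

With VULT_RULES, the proxy at 192.168.205.132 reaches the web server on 80 and any internet address, but not the database zone; with BLOCK_FIRST even the web server is denied.
-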
Hello,
When I create an alias, how can I put ! alias in the rules afterwards?
I have fixed some IPs: reverse proxy vulture 192.168.205.132
server web 192.168.206.2
server database 192.168.11.2
server Greensql 192.168.10.2
Afterwards I made the configuration of the NAT like the picture that you sent to me
and I tried to make rules from dmz vulture to dmz web (I disabled the rules that I made before).
See here my attachments.
But I can't access either dmz web or the internet.
-
Where is a rule that lets it go to the internet? All you have there is go to 8.8.4.4/27 – where did you come up with /27?? That is their Google DNS address, kind of ;) But you don't allow DNS - you only allow 80 and 443 tcp. DNS would be 53 udp and tcp.
And you allow it to 1 public IP, but it looks like you tried to call it a network - but .11/24 is a HOST address not a network address.. How in the hell would that be the internet? And your double NAT zone cable modem IP.. Again how would it go to say www.yahoo.com at
C:>ping www.yahoo.com
Pinging ds-any-fp3-real.wa1.b.yahoo.com [98.138.252.30] with 32 bytes of data:
For starters it cannot look it up in the first place, and then you have no rules allowing it to go to that IP even if it could look it up.
Clicking the NOT check box is how you get the ! to show up.
-
Thanks a lot, now I have configured it correctly.
Now I would like to access my application (Monapp.com) from the WAN interface. So I also created one virtual machine which has (192.168.1.50/24), but I can't access my application!!
Note: I have put the NAT on the WAN interface.
What rules should I add? -
And where are you trying to access it from? The internet - did you forward that on your other router? So where is this VM, on your segment between your first NAT and pfSense?
What IP are you trying to access from this client? What do your forwards look like?
-
All my work is in VMware, where I installed pfSense and a machine for the administrator, a machine for the web server, a machine for the reverse proxy server Vulture, a machine for Greensql, and a machine for the database server (MySQL).
And from pfSense I created 4 segments: dmzweb, dmzvulture, dmzgreensql, dmzbd, and of course I have LAN (administrator) and the WAN interface.
Now I would like to access my application from the WAN interface. So I installed another machine in the same VMware and for the network I use the same virtual network as WAN:
wan (192.168.1.3/24)
newmachine (192.168.1.50/24)
I would like to be able to access my application (Monapp.com) from this new machine.