Netgate Discussion Forum

    SG-2100 DMZ for home cloud

      Sean 0 @SteveITS

      @steveits said in SG-2100 DMZ for home cloud:
      It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:

      WAN: public IP
      LAN: 10.0.0.0/24
      OPT1 using VLAN: 192.168.1.0/24

      The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.

      Wouldn't 192.168.1.2 be under the lan network when we are creating a separate VLAN switch connected to the WAN? I put in 192.168.100.1 to get it to work, but that's not the IP address of the server, so I am figuring it out as I go.

      S S 2 Replies Last reply Reply Quote 0
        Sean 0 @Sean 0

        @SteveITS OK, so I did something. When I type in the OPT IP it takes me to the firewall DHCP; this can't be right.

        1 Reply Last reply Reply Quote 0
          SteveITS Galactic Empire @Sean 0

          @sean-0 said in SG-2100 DMZ for home cloud:

          Wouldn't 192.168.1.2 be under the lan network

          Don't know, you have to tell us. :) What is the IP of the web server? You should end up with something like this on the NAT port forward:
          [image: NAT port forward screenshot]

          @sean-0 said in SG-2100 DMZ for home cloud:

          it takes me to the firewall DHCP

          Not sure what that means...pfSense's web page? That would be if you're browsing to an IP on the pfSense.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          S 2 Replies Last reply Reply Quote 0
            Sean 0 @SteveITS

            @steveits I am creating a subnet in the process. I am stumbling through the IP routing/network setup. 192.168.1.1 is the pfSense router/firewall IP. So at some point a static IP has to transcribe to the VLAN IP. I am considering using HAProxy; I believe this would add security and I wouldn't have to change the DHCP server setup.

            1 Reply Last reply Reply Quote 0
              Sean 0 @SteveITS

              @steveits How would I determine the webserver IP? It is currently a DHCP server... do I need to convert to static or can I reverse proxy?

              S 1 Reply Last reply Reply Quote 0
                SteveITS Galactic Empire @Sean 0

                For NAT to work it directs to a specific IP so the web server either needs a static IP or a DHCP reservation. If it's DHCP it will work until the web server happens to get a different IP for some reason.

                As far as determining the IP what is the OS of the web server? (run "ipconfig" for Windows or "ip a l" or whatever) If it's getting DHCP from pfSense it would be shown in the DHCP status page.


                S 2 Replies Last reply Reply Quote 0
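
The requirement in the reply above (a NAT redirect target that is a fixed address inside the DMZ subnet, not an address on the firewall itself) can be checked mechanically. This is an added example, not part of the original posts; the LAN gateway 10.0.0.1, the OPT1 DHCP pool and the function names are assumptions.

```python
import ipaddress

# Layout from the thread. The LAN gateway address and the DHCP pool are
# assumptions made for this example; the thread gives only the subnets
# and the OPT1 gateway 192.168.1.1.
INTERFACES = {
    "LAN": ipaddress.ip_interface("10.0.0.1/24"),
    "OPT1": ipaddress.ip_interface("192.168.1.1/24"),
}
OPT1_POOL = (ipaddress.ip_address("192.168.1.100"),
             ipaddress.ip_address("192.168.1.199"))


def owning_interface(addr):
    """Return the name of the interface whose subnet contains addr, or None."""
    ip = ipaddress.ip_address(addr)
    for name, iface in INTERFACES.items():
        if ip in iface.network:
            return name
    return None


def check_forward_target(addr, dmz="OPT1", pool=OPT1_POOL, reserved=()):
    """Return a list of problems with using addr as the NAT redirect target."""
    ip = ipaddress.ip_address(addr)
    name = owning_interface(addr)
    if name is None:
        return [f"{ip} is not in any subnet configured on the firewall"]
    problems = []
    iface = INTERFACES[name]
    if name != dmz:
        problems.append(f"{ip} is on {name}, so the server is not isolated in {dmz}")
    if ip == iface.ip:
        problems.append(f"{ip} is the firewall's own {name} address, not the server")
    if ip in (iface.network.network_address, iface.network.broadcast_address):
        problems.append(f"{ip} is not a usable host address in {iface.network}")
    if name == dmz and pool[0] <= ip <= pool[1] and str(ip) not in reserved:
        problems.append(f"{ip} is in the DHCP pool without a reservation; "
                        "use a static IP or a DHCP reservation")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the addresses mentioned in the thread.
    for candidate in ("192.168.1.2", "192.168.1.1", "192.168.100.1",
                      "10.0.0.50", "192.168.1.150"):
        print(candidate, check_forward_target(candidate) or "ok")
```
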
                    Sean 0 @Sean 0

                    @steveits It's Ubuntu live server running Apache, but the IP seems off. It doesn't match the IP I entered following the VLAN guide. Reverse proxy will solve any potential DHCP issues, once configured correctly. My setup matches your picture. I need to accomplish:
                    Firewall setup.PNG

                    S 1 Reply Last reply Reply Quote 0
                      Sean 0 @Sean 0

                      partial success.PNG
                      The server is showing. I can't seem to figure out how to set the trusted domain properly; I have entered as many as I can find.

                      1 Reply Last reply Reply Quote 0
                        SteveITS Galactic Empire @Sean 0

                        The end of the doc I posted above mentions "You should also enable DHCP if necessary, by going to Services > DHCP Server > OPT1 (for the example above)." If you didn't do that you'll need to set a static IP on the web server.

                        re: untrusted domain, is that what shows in your browser when you connect to the web server? If you're using HTTPS you'll either need a certificate matching the hostname you're using to connect to it, or you'll need to ignore the certificate warning. That's not a pfSense issue.


                        1 Reply Last reply Reply Quote 0
                          Sean 0 @SteveITS

                          @steveits I got it working on LAN. Now I'll have to figure out WAN so I can isolate the server via VLAN switch.

                          1 Reply Last reply Reply Quote 0
                            Sean 0

                            @SteveITS After isolating the vlan on the switch, I had to configure a static IP, and now must configure for the WAN access. Would you know anything about this?

                            1 Reply Last reply Reply Quote 0
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.