Firewall public routing



  • Hello everybody,

    I would like to use the firewall to put it in front of a public server. This server should continue to be accessible via the public IP (i.e. no NAT / PAT).

    The firewall must be installed and operated on a VM (other site & other network).
    Do I have to enter the public IP address of the server in the firewall instead of the internal IP address and change the gateway to the IP address of the VM at the server?

    Greetings :)


  • LAYER 8 Global Moderator

    And is this public IP routed to you? So you could put it behind a router? If it's not routed and you don't want to NAT, then the only option is to use a transparent firewall setup.



    Ok. Then I need to set up the transparent mode.
    Do you have any good instructions?

    I just found this: https://community.adamnet.works/hc/en-us/articles/115002725594-Running-on-a-Transparent-pfSense-Bridge

    I have never set up a transparent firewall before.


  • LAYER 8 Global Moderator

    And there is little reason to do so - why is it you feel you can not put this server behind a NAT? Use 1:1 if you want the box fully exposed..

    But there is little reason to be honest for the box to be on a public IP directly..



  • Unfortunately, I have no influence on the routing.
    Basically, I have the following:

    Server in country A has a public IP.
    pfSense is in country B.
    Now I would like the server to be routed through the pfSense. Say, everything that goes in and out goes through the FW.
    For example, I would like to use the pfBlockerNG NextGen feature there. The rules would be any <-> any first.

    Would that be possible? Transparent bridge or similar?
    Best regards and thank you! :)



  • @johnpoz said in Firewall public routing:

    And there is little reason to do so - why is it you feel you can not put this server behind a NAT? Use 1:1 if you want the box fully exposed..

    But there is little reason to be honest for the box to be on a public IP directly..

    Why use NAT at all, when not needed? It's a curse on networking. As for security, there's nothing NAT can do that a properly configured firewall can't.

    BTW, I'm allergic to NAT. 😉



  • Do you have any idea how to realize my scenario?


  • Netgate Administrator

    Um.. so the pfSense instance you are referring to is in an entirely different country?

    You have no way to put pfSense directly in front of it?

    You could tunnel traffic from the server to the remote pfSense and filter it there but traffic going to/from the server is going to have to go via the pfSense public IP to make that work. Unless I'm misunderstanding the situation?

    Steve



  • @stephenw10 said in Firewall public routing:

    Um.. so the pfSense instance you are referring to is in an entirely different country?

    Yes, you're right.

    @stephenw10 said in Firewall public routing:

    You have no way to put pfSense directly in front of it?

    No, unfortunately not.

    @stephenw10 said in Firewall public routing:

    You could tunnel traffic from the server to the remote pfSense and filter it there but traffic going to/from the server is going to have to go via the pfSense public IP to make that work.

    That sounds very good. However, I've only worked with local networks so far. How do I have to configure pfSense to use it?


  • Netgate Administrator

    Hmm, well you would first need to configure a tunnel from the server to pfSense. That could be a number of things but an OpenVPN tunnel is probably the easiest to work with in pfSense. Then configure the server to listen on the VPN tunnel address and forward queries to it over the tunnel in pfSense.

    Is there some reason you're doing this? There might be a much better solution if we knew what you are trying to workaround with this setup.
    If you can't install pfSense in front of the server can you just move the server to behind pfSense for example?

    Steve
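    The tunnel-and-forward design described in this reply, written out as an added example (not configuration from this thread or from Netgate): the VPS runs an OpenVPN client to pfSense, binds its service to the tunnel address, and pfSense forwards traffic arriving on *its* public IP through the tunnel. The interface names, addresses (documentation range) and port are assumptions; on pfSense the OpenVPN server, NAT and rules are normally entered in the GUI, and the pf fragment below shows the equivalent rules it generates.

    ```conf
    # --- OpenVPN client config on the VPS (assumed file: /etc/openvpn/client/pfsense.conf) ---
    client
    dev tun
    proto udp
    remote 203.0.113.10 1194      # assumed pfSense public IP
    remote-cert-tls server        # refuse to connect to a peer without a server certificate
    ca ca.crt
    cert vps.crt
    key vps.key
    # No redirect-gateway: the VPS keeps its own default route and public IP.
    # The service on the VPS is bound to its tunnel address, assumed 10.8.0.2.

    # --- pf rules on pfSense (equivalent of GUI NAT port forward + firewall rules) ---
    wan_if     = "vtnet0"         # assumed WAN interface of the pfSense VM
    wan_ip     = "203.0.113.10"   # assumed pfSense public IP
    vpn_if     = "ovpns1"         # assumed OpenVPN server interface
    server_tun = "10.8.0.2"       # assumed tunnel address of the VPS

    # Forward HTTPS arriving on the pfSense public IP into the tunnel.
    rdr on $wan_if proto tcp from any to $wan_ip port 443 -> $server_tun port 443

    # Translation happens before filtering, so the pass rule matches the
    # translated destination; rdr alone does not allow the traffic through.
    pass in quick on $wan_if proto tcp from any to $server_tun port 443 keep state

    # Source-NAT on the tunnel so the VPS replies back to pfSense rather than
    # out of its own direct uplink (which would make the flow asymmetric).
    nat on $vpn_if from any to $server_tun -> ($vpn_if)
    ```

    Clients reach the service on the pfSense public IP, not the VPS one, which is the limitation this reply points out; the source-NAT also means the VPS sees the pfSense tunnel address as the client source, so per-client logging has to happen on pfSense.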



    Yes, you're absolutely right.
    I'm just testing out a few things and now I'm in a situation where I would like to route a VPS with a public IP address in another location via the pfSense (as a virtual solution) in order to be able to use pfBlockerNG, among other things.
    However, the VPS should continue to be reachable via its public IP address and not via NAT.

    My real motivation for this scenario is that I would like to use some functions of pfSense, but I want to avoid NAT, because the server should continue to be reachable via its public IP address.

    In the solution with the VPN tunnel, I would basically only need to configure a forwarding, or am I wrong?


  • Netgate Administrator

    I can't see any rational way to do that and have the server still respond on its own public IP.

    pfSense can't respond on that IP, so the VPS would have to redirect all traffic arriving there to pfSense, via some tunnel, to be filtered and then sent back!

    It would be easier, if you need to use the VPS public IP, to install pfSense there and host the server somewhere completely different. But really hosting both in the same location is a far better solution.

    Steve



  • @stephenw10 said in Firewall public routing:

    It would be easier, if you need to use the VPS public IP, to install pfSense there and host the server somewhere completely different.

    What do you mean?


  • Netgate Administrator

    You have two sites with two public IPs, right? You can only have one VM at each, so if you need pfSense to accept traffic on the IP the server is using currently it would be easier to just put pfSense there and have it filter and forward requests to the other site, where you can host the server.
    It's not a great option but it's the only way I could see it working realistically.

    Steve

