2 WANs, DMZ and one LAN
I'm trying to set up a pfsense box that contains both the LAN for my clients and It must contain a DMZ for some services that we want to publish outside. For that, we have 2 routers, one of then contains a fixed IP while the other contains a dynamic IP address. Currently I'm using a quar port broadcom card, the setup is the following:
ETH1 is connected to the WAN_LAN (Wan with dynamic IP)
ETH2 is connected to the WAN_DMZ (Wan with static IP)
ETH3 is connected to the LAN, this is, to a 48 port switch where APs and clients are connected, the IP adress is of type 172.26.0.x
ETH4 is currently free
Pfsense is also configured as DHCP server, so clients in ETH3 can connect to the internet
The idea is that:
- Open some ports in WAN_DMZ so that some internal services are exposed
- I can, using one of the clients connected to the LAN, connect to the DMZ service machines for maintenance
- from WAN_DMZ there is no way to access to our clients in LAN
- WAN_LAN is just for internet access, no service is exposed there, also the ISP changes the exposed IP time to time
Please give me a resume with the setup, I've never setup a DMZ.
Setup the dmz like another lan on eth4. Use forwards from wan2 for services. Use rules on the dmzlan interface to restrict traffic.
Ok, I have only one switch, hopefully It's a good one, a cisco, managed switch, so should I set up the switch with different vlans?, if so, which ip ranges can I give to this landmz?
You can create a vlan on the switch and set several ports native to that vlan. This will effectively divide the switch. You can give the interface any rfc1918 address you want, like a 10.x.x.x
I finally got a little bit of time to set up this thing. Currently I can't get It to work properly.
This is what I want, but maybe I'm wrong!, if so please correct me and tell me a better way to setup my configuration:
ETH1 is connected to the WAN_LAN (Wan with dynamic IP), It uses PPPoE to get a dynamic IP from my ISP provider, It changes once every week or so
ETH2 is connected to the WAN_DMZ, It uses PPPoE to get a static IP from my ISP provider.
The IP for this interface is static, the subnet mask is 255.255.255.255 as you can imagine, and there is a gateway: 22.214.171.124 that It's provided to get access to the internet
ETH3 is connected to the LAN, this one uses an rfc1918 ip: 172.26.0.xxx DHCP server is there, but also we have some computers using static IP. Everything works using this interface
ETH4 is the problematic port, LAN_DMZ: I want to use also an rfc1918 ip: 10.90.91.xxx DHCP server is there, but also I want to set some machines using static IP.
In the gateways section, PPPOE_WAN is selected as default, so my LAN is working.
if I plug a device into my LAN_DMZ, I got an IP, because I did setup a DHCP server, but I am not able to get internet access.
There is something that I'm missing: routes, rules or something (I'm not an expert, sorry). what I want is that LAN_DMZ uses the static WAN, because later I will do a port forwarding to access to my services here. I don't know how to assign the gateway to the DMZ to get access outside.
Could you please explain me what am I missing here? basically I want to redirect the traffic using LAN_DMZ to WAN_DMZ.
Verify you have a rule on LAN_DMZ like the one on LAN to allow traffic out. Also check outbound nat- I recommend leaving it on automatic mode. You should see automatic rules for WAN_LAN and WAN_DMZ with source 172.26.0.0 and 10.90.91.0
I found the problem, and It was not easy, under firewall -> rules, you have to edit (or create) the rule "default allow LAN to any rule", this one is created in the default LAN by default, either copy the data or create a new one based on that one, but this one is for the second LAN, for my example, the LAN_DMZ, and here is where the tricky part comes: you have to display the advanced options, and there almost at the end there is the possibility to specify the gateway:
Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.
Gateway selection is not valid for "IPV4+IPV6" address family.
For my example I put as gateway the WAN_DMZ, as this WAN is dedicated to our external services, so all the traffic in this LAN will be redirected to that WAN interface.
The rest is to add a rule so from LAN1 I can manage the machines in the LAN_DMZ (for maintenance purposes).
Now a port fordwarding will map the selected port from the outside to the port from the machines in the LAN_DMZ. Another tricky point is that the access from the WAN_DMZ work but if you try to access to the public IP address in the WAN_DMZ from inside the LANs, It will fail. For that you have to add another rule to redirect the traffic, this time from the LAN instead of the WAN_DMZ. This happens because the external IP address is transformed (NAT) to the internal IP addess, and there is no rule to access to the port that It's mapped to access the service from the outside.
This means, you have to MAP from WAN_DMZ 8080 -> your host 80 but also from LAN1 8080 (self firewall) to your host 80.
With these two rules and the trick option for selecting the gateway the work was done and everything works as expected.