Netgate Discussion Forum

    SG-2100 DMZ for home cloud

    L2/Switching/VLANs
    23 Posts 3 Posters 2.3k Views
    Sean 0

      I am having difficulty configuring my SG-2100 to be able to host a personal web server. Ideally it would be in a DMZ, but from my understanding a "true" DMZ is not possible on the SG-2100 switch. How do I configure it? Is it an assignment, such as a bridge or the other available options? pfsense.PNG pfsense1.PNG
      Or is it part of the switch/VLAN settings?

      I won't be hosting a website, and I have a URL for a private work server.

      bingo600 @Sean 0

        @sean-0
        I'm not a 2100 expert, but you might also want to provide the info below.

        Should the web server be accessible from outside (internet), or is it internal/local access only?

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

        Sean 0 @bingo600

          @bingo600 Whoops! Yes, I purchased a URL for access outside the LAN but behind a firewall; I believe the SG-2100 is not the most "plug and play" secure device to use for this. I will most likely route traffic through a reverse proxy and VPN for security.

          It is the DMZ I can't seem to figure out. There's only one WAN port, but from my understanding I can isolate one of the switch ports for a DMZ. There's no consistency in articles on how to accomplish this.

          SteveITS @Sean 0

            @sean-0 said in SG-2100 DMZ for home cloud:

            isolate one of the switch ports for a DMZ

            Did you find the docs on this?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            Sean 0 @SteveITS

              @steveits I found the general DMZ docs; I don't know how to set up the VLAN/switch so only one port is treated as a DMZ.

              SteveITS @Sean 0

                @sean-0 The link I posted walks one through setting up the LAN switch ports as VLANs so they behave as discrete interfaces. Then the web server plugs into that port and it's on its own network. Am I misunderstanding the goal?

                Sean 0 @SteveITS

                  @SteveITS The parent interface would be the WAN for the VLAN, correct? The web server should be isolated, removing the port numbers that are not connected to the web server. This way the server can connect to a DNS. I am not experienced with pfSense, so this would be my guess.

                  SteveITS @Sean 0

                    No, if the web server is in the WAN network there is no need for configuration in the router since it would be outside the router.

                    Typically one would set up let's say LAN port 4 on the router to be its own interface (in this case via a VLAN since they are not independent hardware ports) and then the web server plugs into port 4. It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:

                    WAN: public IP
                    LAN: 10.0.0.0/24
                    OPT1 using VLAN: 192.168.1.0/24

                    The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.

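The plan above, as an added example that is not from the thread or from pfSense itself: a small Python model of how pfSense handles the port forward and then evaluates per-interface rules (first match wins; a packet that matches nothing on its inbound interface is dropped), with a weak OPT1 ruleset next to a hardened one. A freshly assigned OPT interface has no rules and therefore passes nothing; the common shortcut of adding a single "allow any" rule is what lets a compromised web server reach the LAN, so the hardened set only allows DNS to the firewall and internet-bound traffic. The WAN address 203.0.113.10 and the client addresses are documentation-range placeholders, and pfSense's "This Firewall" and RFC 1918 aliases are modelled as plain CIDR lists.

```python
"""
Model of pfSense-style per-interface rules for a DMZ VLAN on an SG-2100.
Added example, not pfSense code. Addresses follow the thread's plan:
WAN public, LAN 10.0.0.0/24, OPT1 (DMZ VLAN) 192.168.1.0/24.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple

WAN_IP = "203.0.113.10"      # placeholder public address (TEST-NET-3), not a real one
LAN_NET = "10.0.0.0/24"
DMZ_NET = "192.168.1.0/24"
DMZ_GW = "192.168.1.1"       # pfSense's OPT1 address; the DMZ uses it for DNS
WEB_SERVER = "192.168.1.2"   # static IP or DHCP reservation, as the thread requires
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan", "lan" or "opt1"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                    # "pass" or "block"
    iface: str
    proto: Optional[str] = None    # None = any protocol
    src: Tuple[str, ...] = ()      # CIDRs; empty tuple = any (an alias in the GUI)
    dst: Tuple[str, ...] = ()
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return _in_any(p.src, self.src) and _in_any(p.dst, self.dst)


def _in_any(addr: str, nets: Tuple[str, ...]) -> bool:
    return not nets or any(ip_address(addr) in ip_network(n) for n in nets)


def port_forward(p: Packet) -> Packet:
    """The 'Port Forward' NAT from the thread: WAN:443 -> web server:443."""
    if p.iface == "wan" and p.proto == "tcp" and p.dst == WAN_IP and p.dport == 443:
        return Packet(p.iface, p.proto, p.src, WEB_SERVER, 443)
    return p


def evaluate(rules: Iterable[Rule], p: Packet) -> str:
    """NAT first, then the first matching rule on the inbound interface; no match = block."""
    p = port_forward(p)
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


# Filter rule pfSense creates with the port forward: it matches the translated destination.
WAN_RULES = [Rule("pass", "wan", "tcp", dst=(WEB_SERVER + "/32",), dport=443)]
LAN_RULES = [Rule("pass", "lan")]   # pfSense's default "allow LAN to any" rule

# Weak: one allow-any rule on OPT1, so the web server can reach every LAN host.
DMZ_WEAK = [Rule("pass", "opt1", src=(DMZ_NET,))]

# Hardened: DNS to the firewall, then block the firewall's other services and all
# private networks, then allow internet out. Order matters because first match wins.
DMZ_HARDENED = [
    Rule("pass",  "opt1", src=(DMZ_NET,), dst=(DMZ_GW + "/32",), dport=53),
    Rule("block", "opt1", src=(DMZ_NET,), dst=(DMZ_GW + "/32",)),
    Rule("block", "opt1", src=(DMZ_NET,), dst=RFC1918),
    Rule("pass",  "opt1", src=(DMZ_NET,)),
]


def policy(dmz_rules: Iterable[Rule]) -> List[Rule]:
    return WAN_RULES + LAN_RULES + list(dmz_rules)


def main() -> None:
    probes = [
        ("internet -> WAN:443 (port forward)", Packet("wan", "tcp", "203.0.113.77", WAN_IP, 443)),
        ("internet -> WAN:22",                 Packet("wan", "tcp", "203.0.113.77", WAN_IP, 22)),
        ("web server -> LAN file share",       Packet("opt1", "tcp", WEB_SERVER, "10.0.0.5", 445)),
        ("web server -> firewall DNS",         Packet("opt1", "udp", WEB_SERVER, DMZ_GW, 53)),
        ("web server -> firewall GUI",         Packet("opt1", "tcp", WEB_SERVER, DMZ_GW, 443)),
        ("web server -> internet (updates)",   Packet("opt1", "tcp", WEB_SERVER, "198.51.100.10", 443)),
        ("LAN PC -> web server",               Packet("lan", "tcp", "10.0.0.20", WEB_SERVER, 443)),
    ]
    for label, p in probes:
        weak = evaluate(policy(DMZ_WEAK), p)
        hard = evaluate(policy(DMZ_HARDENED), p)
        print(f"{label:38} weak={weak:5} hardened={hard}")


if __name__ == "__main__":
    main()
```

Run it directly to print each probe's verdict under both rulesets. On the real firewall the OPT1 rules go in Firewall > Rules > OPT1 in that order; the WAN rule is the one pfSense adds alongside the port forward, and because it matches the translated destination, the static IP or DHCP reservation for the web server is what keeps it pointing at a live host.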
                      Sean 0 @SteveITS

                      @steveits said in SG-2100 DMZ for home cloud:

                      Typically one would set up let's say LAN port 4 on the router to be its own interface (in this case via a VLAN since they are not independent hardware ports) and then the web server plugs into port 4. It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:

                      WAN: public IP
                      LAN: 10.0.0.0/24
                      OPT1 using VLAN: 192.168.1.0/24

                      The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.

                      How do I specify the VLAN switch port? What type of NAT rule is that?

                      Port Forward | 1:1 | Outbound (where WAN is) | NPt

                      The VLAN isn't listed as an interface, and because it is DHCP, I'm not sure how the server is specified in that connection.

                      Thanks for the help. I'm much farther because of it.

                        SteveITS @Sean 0

                        1:1 NAT is for mapping a specific (not the primary) WAN IP to an internal IP.

                        If you just have one public IP then set up a regular NAT for destination WAN IP, port 443 redirected to your server's private IP port 443.

                          Sean 0 @SteveITS

                          @steveits Is a port forward considered a regular NAT?

                            Sean 0 @SteveITS

                            @steveits said in SG-2100 DMZ for home cloud:
                             ...It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:

                            WAN: public IP
                            LAN: 10.0.0.0/24
                            OPT1 using VLAN: 192.168.1.0/24

                            The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.

                             Wouldn't 192.168.1.2 be under the LAN network when we are creating a separate VLAN switch connected to the WAN? I put in 192.168.100.1 to get it to work, but that's not the IP address of the server, so I am figuring it out as I go.

                              Sean 0

                               @SteveITS OK, so I did something. When I type in the OPT IP it takes me to the firewall DHCP; this can't be right.

                                SteveITS @Sean 0

                                @sean-0 said in SG-2100 DMZ for home cloud:

                                Wouldn't 192.168.1.2 be under the lan network

                                Don't know, you have to tell us. :) What is the IP of the web server? You should end up with something like this on the NAT port forward:
                                ee613e4e-5c14-4eba-bc23-5767e1c04c3c-image.png

                                @sean-0 said in SG-2100 DMZ for home cloud:

                                it takes me to the firewall dchp

                                Not sure what that means...pfSense's web page? That would be if you're browsing to an IP on the pfSense.

                                  Sean 0 @SteveITS

                                   @steveits I am creating a subnet in the process. I'm stumbling through the IP routing/network setup. 192.168.1.1 is the pfSense router/firewall IP. So at some point a static IP has to transcribe to the VLAN IP. I am considering using HAProxy; I believe this would add security and I wouldn't have to change the DHCP server setup.

                                    Sean 0 @SteveITS

                                     @steveits How would I determine the web server IP? It is currently a DHCP server... do I need to convert to static, or can I reverse proxy?

                                      SteveITS @Sean 0

                                      For NAT to work it directs to a specific IP so the web server either needs a static IP or a DHCP reservation. If it's DHCP it will work until the web server happens to get a different IP for some reason.

                                      As far as determining the IP what is the OS of the web server? (run "ipconfig" for Windows or "ip a l" or whatever) If it's getting DHCP from pfSense it would be shown in the DHCP status page.

                                          Sean 0

                                           @steveits It's Ubuntu live server running Apache, but the IP seems off. It doesn't match the IP I entered following the VLAN guide. A reverse proxy will solve any potential DHCP issues, once configured correctly. My setup matches your picture. I need to accomplish:
                                          Firewall setup.PNG

                                            Sean 0

                                            partial success.PNG
                                             The server is showing. I can't seem to figure out how to set the trusted domain properly; I have entered as many as I can find.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.