SG-2100 DMZ for home cloud
-
I am having difficulty configuring my SG-2100 to be able to host a personal webserver. Ideally it would be in a DMZ, but from my understanding a "true" DMZ is not possible on the SG-2100 switch. How do I configure it? Is it an assignment such as a bridge or the other available options?
Or is it part of the switch/VLAN settings? I won't be hosting a website, and have a URL for a private workserver.
-
@sean-0
I'm not a 2100 expert, but you might also want to provide the below info. Should the webserver be accessible from outside (internet), or is it internal/local access only?
-
@bingo600 Whoops! Yes, I purchased a URL for access outside the LAN but behind a firewall; I believe the SG-2100 is not the most "plug and play" secure device to use for this. I will most likely route traffic through a reverse proxy and VPN for security.
It is the DMZ I can't seem to figure out, there's only one WAN port but from my understanding I can isolate one of the switch ports for a DMZ. There's no consistency in articles for how to accomplish this.
-
@sean-0 said in SG-2100 DMZ for home cloud:
isolate one of the switch ports for a DMZ
Did you find the docs on this?
-
@steveits I found the general DMZ docs, I don't know how to set up the VLAN/switch so only one port is treated as a DMZ.
-
@sean-0 The link I posted walks one through setting up the LAN switch ports as VLANs so they behave as discrete interfaces. Then the web server plugs into that port and it's on its own network. Am I misunderstanding the goal?
-
@SteveITS The parent interface would be the WAN for the VLAN, correct? The webserver should be isolated, removing the port numbers that are not connected to the webserver. This way the server can connect to a DNS. I am not experienced with pfSense, so this would be my guess.
-
No, if the web server is in the WAN network there is no need for configuration in the router since it would be outside the router.
Typically one would set up let's say LAN port 4 on the router to be its own interface (in this case via a VLAN since they are not independent hardware ports) and then the web server plugs into port 4. It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:
WAN: public IP
LAN: 10.0.0.0/24
OPT1 using VLAN: 192.168.1.0/24
The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.
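A constructed model of the layout described in this post, added here as an example and not code from the thread or from Netgate: the three networks, the WAN:443 port forward to 192.168.1.2, and a first-match ruleset for the DMZ interface. The public IP (203.0.113.10), the DMZ policy (DNS to pfSense only, block toward LAN, pass everything else outbound) and the rule-shadowing check are assumptions; the check flags the common mistake of placing a catch-all pass above the LAN block.

```python
"""Constructed model of the SG-2100 DMZ layout from the thread: LAN, a VLAN-backed
OPT1 (DMZ) on one switch port, and a WAN:443 port forward to the web server."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")       # placeholder public IP (TEST-NET-3)
LAN = ip_network("10.0.0.0/24")
DMZ = ip_network("192.168.1.0/24")         # OPT1 via VLAN on one switch port
WEB = ip_network("192.168.1.2/32")         # the web server
DMZ_GW = ip_network("192.168.1.1/32")      # pfSense on the DMZ side
ANY = ip_network("0.0.0.0/0")

Rule = namedtuple("Rule", "src dst port action")   # port None = any port

# Per-interface rulesets (assumed policy); pfSense evaluates top to bottom,
# first match wins, and anything unmatched is denied.
RULES = {
    "WAN": [Rule(ANY, WEB, 443, "pass")],          # rule paired with the port forward
    "DMZ": [
        Rule(DMZ, DMZ_GW, 53, "pass"),             # DNS to pfSense only
        Rule(DMZ, LAN, None, "block"),             # keep the DMZ away from LAN PCs
        Rule(DMZ, ANY, None, "pass"),              # outbound to the internet
    ],
    "LAN": [Rule(LAN, ANY, None, "pass")],
}


def iface_for(ip):
    """Interface a packet enters on, chosen by its source address."""
    return "LAN" if ip in LAN else "DMZ" if ip in DMZ else "WAN"


def nat(dst, port):
    """The port forward: WAN_IP:443 -> web server:443; everything else untouched."""
    return (WEB.network_address, 443) if (dst, port) == (WAN_IP, 443) else (dst, port)


def decide(src, dst, port, rules=RULES):
    """Return (action, 'ip:port') for a new connection; NAT runs before filtering."""
    src, (dst, port) = ip_address(src), nat(ip_address(dst), port)
    for r in rules[iface_for(src)]:
        if src in r.src and dst in r.dst and r.port in (None, port):
            return r.action, f"{dst}:{port}"
    return "block", f"{dst}:{port}"                # default deny


def shadowed_blocks(rules):
    """Block rules that can never match because an earlier pass already covers them."""
    return [b for i, b in enumerate(rules) if b.action == "block" and any(
        p.action == "pass" and b.src.subnet_of(p.src) and b.dst.subnet_of(p.dst)
        and p.port in (None, b.port) for p in rules[:i])]
```

The LAN case with the WAN IP as destination models the NAT reflection mentioned above: the redirect happens first, so the LAN rule sees the web server's private address.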
-
@steveits said in SG-2100 DMZ for home cloud:
Typically one would set up let's say LAN port 4 on the router to be its own interface (in this case via a VLAN since they are not independent hardware ports) and then the web server plugs into port 4. It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:
WAN: public IP
LAN: 10.0.0.0/24
OPT1 using VLAN: 192.168.1.0/24
The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.
How do I specify the VLAN switch port? What type of NAT rule is that?
Port Forward | 1:1 | Outbound (where wan is) | NPt
The VLAN isn't listed as an interface, and because it is DHCP, I'm not sure how the server is specified in that connection.
Thanks for the help. I'm much farther because of it.
-
1:1 NAT is for mapping a specific (not the primary) WAN IP to an internal IP.
If you just have one public IP then set up a regular NAT for destination WAN IP, port 443 redirected to your server's private IP port 443.
-
@steveits Is a port forward considered a regular NAT?
-
@steveits said in SG-2100 DMZ for home cloud:
. It has its own network, WANIP:443 can be NATted to webserver:443, and it is isolated from the PCs on LAN. So one would end up with something like:
WAN: public IP
LAN: 10.0.0.0/24
OPT1 using VLAN: 192.168.1.0/24
The web server could then be 192.168.1.2, its gateway the router at 192.168.1.1. NAT redirection is set up from WAN:443 to 192.168.1.2:443. PCs on LAN browse to it at 192.168.1.2, or NAT reflection using the WAN IP.
Wouldn't 192.168.1.2 be under the LAN network when we are creating a separate VLAN switch connected to the WAN? I put in 192.168.100.1 to get it to work, but that's not the IP address of the server so I am figuring it out as I go.
-
@SteveITS Ok so I did something. When I type in the OPT IP it takes me to the firewall DHCP, this can't be right.
-
@sean-0 said in SG-2100 DMZ for home cloud:
Wouldn't 192.168.1.2 be under the lan network
Don't know, you have to tell us. :) What is the IP of the web server? You should end up with something like this on the NAT port forward:
@sean-0 said in SG-2100 DMZ for home cloud:
it takes me to the firewall DHCP
Not sure what that means...pfSense's web page? That would be if you're browsing to an IP on the pfSense.
-
@steveits I am creating a subnet in the process. I'm stumbling through the IP routing/network setup. 192.168.1.1 is the pfSense router/firewall IP. So at some point a static IP has to transcribe to the VLAN IP. I am considering using HAProxy, I believe this would add security and I wouldn't have to change the DHCP server setup.
-
@steveits How would I determine the webserver IP, it is currently a DHCP server... do I need to convert to static or can I reverse proxy?
-
For NAT to work it directs to a specific IP so the web server either needs a static IP or a DHCP reservation. If it's DHCP it will work until the web server happens to get a different IP for some reason.
As far as determining the IP what is the OS of the web server? (run "ipconfig" for Windows or "ip a l" or whatever) If it's getting DHCP from pfSense it would be shown in the DHCP status page.
-
@steveits It's Ubuntu live server running Apache, but the IP seems off. It doesn't match the IP I entered following the VLAN guide. Reverse proxy will solve any DHCP potential issues, once configured correctly. My set up matches your picture. I need to accomplish:
-
The server is showing, I can't seem to figure out how to set the trusted domain properly, I have entered as many as I can find.