Pfsense wan dmz apache vhosts public ips

Understudy

Hi All,

I am coming across something that seems to be a bit hard to nail down. I have created a pfsense server with some equipment I have. So I have set up a WAN, LAN, and DMZ nic setup. Please note all IPs behind DMZ are static. DHCPD is only on LAN interface for interoffice setups.

Wan Public IP interface xxx.xxx.xxx.87/32
Lan Private IP interface 192.168.1.1/24
DMZ Public IP interface xxx.xxx.xxx.94/29
Gateway is xxx.xxx.xxx.81 and outside of range.

DNS is setup on a remote server provided by hosting company.

Server 1 behind DMZ xxx.xxx.xxx.93 is a web server with apache and vhosts (several websites one ip on server with apache virtual hosting). Ports used are http, https, ssh, ftp( when made active), icmp.

Server 2 behind DMZ xxx.xxx.xxx.92 is a file storage server that is accessed via ssh

Server 3 behind DMZ xxx.xxx.xxx.91 is a backup server that is accessed via ssh.

Switch 1 behind DMZ xxx.xxx.xxx.88 is a managed switch that is access via ssh.

Here is where things get fun. I am not doing nat. The public IPs are on the servers and should remain as such. I am not port forwarding as the ports do not need to be forwarded.

I have seen everything on how to set this up if you nat or run a private ip range on the DMZ . Everything except what happens when you have public IPs on the servers.

So my guess is from what I have read is the following:

WAN set firewall rules
pass icmp echoreq
pass 21 ftp tcp (server turns this off when not needed)
pass ssh 22 tcp
pass dns 53 tcp/udp
pass http 80 tcp
pass https 443 tcp

the temp ports on some setups
pass 81 tcp
pass 8080 tcp

Currently there are no separate vlans behind the DMZ and no special connections to the LAN from the DMZ. I will deal with that later.

Question 1
Will this work for making sure the servers can be seen on the internet?

Question 2
Do I need to do anything with DNS in pfsense to make sure the servers are accessible to the web?

Thank you in advance for your help in this matter.

If this post needs to be formatted differently please let me know and I will correct it.

stephenw10

Do those xxx.xxx.xxx all represent the same prefix?

.88 is the network address for that /29 and should not be used directly like that. .89 is the first usable address.

That will work as long as your provider is routing xxx.xxx.xxx.88/29 to you via xxx.xxx.xxx.87

If they have simply provided a /29 sized range of IPs on the WAN directly then you would have to bridge WAN and DMZ or use VIPs and port forwards.

See: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#additional-static-ip-addresses

Steve

Understudy

@stephenw10

Thank you for the reply.

Yes, the xxx.xxx.xxx. all represent the same prefix but I only receive the /29 range based on the last octet.

The .87 IP address was to give the WAN it's own IP
The .94 is a /29 that does not include the .87 which is a /32

Because the WAN and the DMZ can't be on the same subnet.

Error received when that attempt was made.
The following input errors were detected:

IPv4 address xxx.xxx.xxx.88/29 is being used by or overlaps with: DMZ (xxx.xxx.xxx.94/29)
This IPv4 address is the network address and cannot be used

I appreciate the link. This is what I was reading in the documents.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

And the section titled IP assignments is where I got my information from. Along with the part about hybrid NAT but that is for outbound traffic.

I see your link it says

To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.

So I am going to go with that. I mean if I am wrong I come back and grovel for more information. Thank you for your help I post a reply to let you and everyone know what happens.

Again, thank you for the help I appreciate it.

stephenw10

@understudy said in Pfsense wan dmz apache vhosts public ips:

To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.
So I am going to go with that.

If your ISP is routing the /29 to you via the /32 WAN address then you don't need to bridge. And avoiding bridges is almost always preferable!

It's unclear to me what IPs or subnets you actually have. What info has your provider actually given you?

Steve

Understudy

@stephenw10

The ISP has it's gateway of .81
I originally just had an IP of .87
Then I got the range from .88 to .94 I don't believe anything was said about routing the range through .87 . It is just legacy from when I first starting using them. The .87 is a /32 so it is alone
The range is .88-94/29 And that should all look for .81 (gateway) Which so far it has been doing.

I chose to use the .87 for the WAN because it was a stand alone. The range .94/29 for the DMZ because it was a seemingly sensible idea setup.

If I can avoid the bridge that would be great. So I will take any further advice, comments, or helpful links you can provide.

Thank you again.

stephenw10

If they are all using .81 as the gateway then they are all expecting to be in the same layer 2 segment as that. Hence you will need to use a bridge if you want to use those IPs on hosts in the DMZ directly.
However that then isn't a /29 subnet. You probably will need to expand that on the clients to something that includes the gateway.
The DMZ interface in pfSense should not have an IP address in that case. pfSense can only have IP address in a subnet.

Steve

Understudy

@stephenw10

Then I will create the bridge and go at it that way. Thank you.

Should I have to do anything with the DNS?

stephenw10

Clients will need to be statically configured for DNS. That could be the pfSense WAN IP as long as there are rules to allow that.
However pfSense would then need to have it's own subnet mask on WAN expanded in order to reply back to clients directly. Otherwise it will try to use the gateway creating an asymmetric route.

Steve

Understudy

@stephenw10

Okay, so things are looking good.

I know I have a ton of stuff to setup on the firewall but lets go over what I have here.

WAN xxx.xxx.xxx.94/29 up and working
LAN 192.168.1.1 up and working
DMZ up and working (no ip assigned)
Bridge0 up and working (no ip assigned) (WAN DMZ)

Firewall / Nat / Outbound
Outbound Nat Mode Hybrid
Mappings Do not NAT (enable)

Firewall / Rules / WAN
pass ICMP
pass DNS
pass 21, 22, 80, 443

LAN
Default ruleset

DMZ
No ruleset

Bridge0
No ruleset

I have tested on the LAN the standard items email, print, traffic out to internet. All is good.
On the Bridge0 I can see the web pages, I can also ssh in from remote location. ICMP works and the pages respond to DNS.

Overall this is a good start. I will close out this post if there is a special button or something I press I will do so.

Next up will be proper firewall rules , blocking, and logging.

Thank you for your help.

bingo600

@understudy

Seems like you "live" within "this" /28

But why would you insist on using the public IP's in the DMZ , and having to resort to all kinds of "Trickery".

Why not use pfSense VIP's , that 1:1 nat into the DMZ ?

/Bingo

stephenw10

There are somethings that just work better with real public IPs directly. There are somethings that are almost impossible to make work behind NAT. Mostly older PBX software in my experience.
I've setup bridged DMZ interfaces like this for in those situations.
However it has always been using IPs that are all in one larger subnet like the /28 shown. I suspect that must be the case here.

Steve

bingo600

@stephenw10
You make a point there ...

I have a "Major Brand" PBX that absolutely won't work if NAT'ed.

/Bingo