Access from a Juniper but out pfSense
-
I have multiple firewalls on the network and a mess of gateways which gets rather confusing at times.
I have an application where users need to come in through firewall A (a Juniper), but part of the data needs to go out through firewall B (a pfSense box).
The reason is that the data is in fact behind a public facing web server (Y), on the LAN side, which should not have direct public access. That internal server (X) must have firewall B as its gateway, which is why the data needs to come from firewall B. The public facing web server (Y) accesses some data on the internal web server (X), which it then needs to pass on to the user. If I don't have a public (NAT) IP on the internal server, the user never gets the data.
Ok, so, here is the question.
Is there a way of preventing people from directly accessing server X through pfSense, BUT allowing data to be SENT to the user as long as the connection was initiated from inside the network?
I worked with Juniper on this for several hours and the engineers could not come up with a solution. I thought I would post it here and see if someone might have some interesting ideas.
Mike
-
Anyone?
-
I think so. It would seem that you could add firewall rules to direct the traffic in such a way as to come close to working in that manner. Can you please give a more detailed network map?
-Altrez
-
Hi, thanks for the reply and help.
Let me see if I can draw something that shows this a little.
A-Juniper-firewall: User access web site from here for entire session
|
Y-Web Server: This is the public facing web server that user connects to
|
X-Web Server: This is the internal only web server
|
B-pfSense firewall: which server X sends to the user from.
So, the user connects through A to reach web server Y.
Web server Y has a wrapper which allows user to interact with web server X.
Web server X is in fact a PBX which I don't want to give direct public access to, yet it needs a public IP in order for the data to flow out to the user. If web server Y could have some sort of proxy, then this might not be needed, but I have not seen any such proxy.
When the user wants data from web server X, the data has to flow out of firewall B since that is its gateway.
What I need to do is prevent anyone from connecting to web server X through firewall B directly. Firewall B should only allow data to flow to user IF it has been requested through web server Y.
Does this make more sense?
-
It does make some more sense. It's not really complex, but I think a few extra packages might be needed in order for it to route the traffic correctly. I have done something like that with a few NetScreens and virtual routers.
Have you looked at doing it that way?
-
You need to specify "no state" for the rules regarding server X, otherwise pfSense will block the traffic because of the state keeping.
-
It does make some more sense. It's not really complex, but I think a few extra packages might be needed in order for it to route the traffic correctly. I have done something like that with a few NetScreens and virtual routers.
Have you looked at doing it that way?
Hi, sorry for the delay, hell week and it's not over yet :).
I do have a main firewall which is a Juniper, which does support virtual routers.
Server X is a PBX which pfSense allows access to for SIP services. It has a public IP and session border controllers in front of it. In order to keep the quality high, I want to keep pfSense as lean as possible, so I don't have any extra packages installed on it at the moment.
Can you expand on your thoughts where this would use a juniper as a front end?
Mike
-
@ermal:
You need to specify "no state" for the rules regarding server X, otherwise pfSense will block the traffic because of the state keeping.
I'm totally new to pfSense, might you have some example URLs or more information?
Thanks so much.
Mike
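As an added illustration of ermal's "no state" point (this is not from the thread, and not Mike's or the pfSense project's configuration), here is what the rules on firewall B look like in pf.conf syntax, with the ordinary stateful rule that fails next to the corrected one. Interface names (em0 = B's WAN, em1 = B's LAN) and the address 203.0.113.50 standing in for server X are assumptions made up for the example; it also assumes X is routed behind B rather than NATed.

```pf
# Added example, not from the thread. Assumed: em0 is firewall B's WAN, em1 its
# LAN, and 203.0.113.50 is server X (the PBX), routed behind B without NAT.
ext_if = "em0"
int_if = "em1"
x_srv  = "203.0.113.50"

# Default deny with logging: anything not explicitly passed below is dropped.
block log all

# Nobody on the Internet may open a connection to X through B. The user's
# requests reach X only via web server Y, which sits behind firewall A.
block in quick log on $ext_if from any to $x_srv

# Weak setting: a normal stateful pass. pf creates state when it sees the
# opening packet of a flow (the SYN, with the default flags S/SA). Here the
# request entered through firewall A, so B only ever sees X's replies, finds
# no matching state entry, and drops them.
# pass in  on $int_if proto tcp from $x_srv to any flags S/SA keep state
# pass out on $ext_if proto tcp from $x_srv to any flags S/SA keep state

# Corrected setting (ermal's point): track no state on X's outbound traffic.
# B forwards whatever X sends out, and the block rule above still stops any
# connection attempt toward X from outside. A packet crosses both of B's
# interfaces, so it needs a pass on the LAN side and on the WAN side.
pass in  quick on $int_if proto { tcp udp } from $x_srv to any no state
pass out quick on $ext_if proto { tcp udp } from $x_srv to any no state

# Alternative if B must NAT for X: pf's translation is built on state
# entries, so "no state" is not usable there. Sloppy state with "flags any"
# lets pf create state from a mid-stream packet without seeing the handshake.
# pass in  quick on $int_if proto tcp from $x_srv to any flags any keep state (sloppy)
# pass out quick on $ext_if proto tcp from $x_srv to any flags any keep state (sloppy)
```

In the pfSense GUI the same thing is the rule's Advanced Options "State type" set to None (or Sloppy, together with TCP flags "Any" for the sloppy variant), applied to the rules that match server X. Note what this actually buys: with no state, B is not checking that a flow was "initiated from inside"; it is simply passing everything X sends out and blocking everything addressed to X from the WAN. Since the only way a request reaches X is through Y behind firewall A, that is the policy described in the thread, but it does mean B will also forward any outbound traffic X originates on its own, so the SIP-related rules for the PBX should be kept separate and as tight as they are today.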