A DMZ installation / configuration question

  • I own a remote support appliance (Bomgar) and use it on my residential (cable) network with a single DHCP public IP address. This is basically a web server that I access from both inside AND outside my private network to remotely support clients, who access the appliance from outside my private network.

    Up until now I have been testing and using the appliance inside my private network using a stock Linksys router, with the appliance hanging off the internal network. To reach the appliance from the web, I configured an A-record in my hosted domain and used port-forwarding on the Linksys router. This allowed internal and external access for me to host support sessions, as well as external access for client support sessions.

    Note: I realize the single DHCP ISP address is not perfect - but I simply manage IP changes via the A-record mapping for now.

    I replaced the stock router setup with pfSense v1.2.3 and it is running great. I now need to incorporate the Bomgar appliance and re-establish access from within my private network as well as external access for clients.

    Bomgar recommends installing the appliance outside the firewall or in the DMZ. Installation outside the firewall is recommended and seems the simplest, but since I am limited to a single public IP I assume that I must configure and use a DMZ configuration.

    In pfSense I have enabled three interfaces (WAN, LAN, & DMZ) but am confused about how to configure rules for the DMZ interface.

    If the appliance is installed inside the firewall I require ports 80, 443, and 8200 inbound. (To avoid port conflicts, I have re-configured the default port for the pfSense admin interface.)

    As a test, I did try installing on the private network (just like the Linksys configuration) but could never reach the appliance from inside my network. I suspect I had a problem with the NAT reflection setting - not sure. Anyway, the DMZ configuration is preferred over the internal configuration, so I would like to configure it that way.

    Thanks for reading - I hope that is enough information for some general guidance - any configuration advice is greatly appreciated!

  • From the outside, configure a port forward from your WAN IP to that box inside your DMZ with the appropriate ports forwarded. From the inside, the LAN has a default allow, so you're fine there. The major difference will be to either use NAT reflection (which is gross) or to use the DNS forwarder with a DNS override configured, so the forwarder will hand out the private IP address of your DMZ box to all your LAN clients. Do this and make sure all your LAN clients use your pfSense box for DNS, and life becomes shiny and new again.

  • Thank you for your quick reply!
    I was tempted to ask for more detail on where to actually set / configure your recommendations - but I think I now have it working!
    I used DNS forwarding as suggested but do not understand "DNS override" - I am using pfSense as the DNS source for all internal machines.

    Still have to run some more testing but looks good so far!
    Your help is much appreciated - Thank you!

  • The way "DNS override" works is exactly how it sounds. If a LAN client makes a DNS request for a resource that you've configured a DNS override for, the DNS forwarder will reply with that IP address instead of the IP address that the authoritative DNS server for that name would return. As an example, if you had a web server inside your DMZ and it was called dmz.webserver.cx, there would be a DNS server somewhere with that machine's public IP address. If you were trying to access that device from inside your LAN, you would not want to connect to its public IP address: that would be inefficient (and wouldn't work without using NAT reflection, which is an ugly hack). Instead, you'd configure a DNS override so that your DNS forwarder would hand back the private IP address of that device, and the connection would be made directly from LAN -> DMZ instead of LAN -> WAN -> DMZ. Glad you have it working, I hope this makes the rest clear.
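
    The split-horizon behaviour described in the reply above, as an added illustration that is not part of the thread: a small model of pfSense's forwarder override and of the path a LAN client's connection takes with and without it. All addresses, the subnet layout and the hostname support.example.com are constructed lab values, not the poster's real configuration.

```python
import ipaddress

# Constructed lab values (not from the thread): private and documentation ranges only.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
WAN_IP = ipaddress.ip_address("203.0.113.10")          # the single public DHCP address
APPLIANCE_DMZ_IP = ipaddress.ip_address("192.168.2.20")
APPLIANCE_NAME = "support.example.com"                 # the hosted A-record name

# Public DNS: the hosted A-record points the name at the WAN address.
PUBLIC_DNS = {APPLIANCE_NAME: WAN_IP}
# pfSense DNS forwarder override: hands LAN clients the private DMZ address instead.
DNS_OVERRIDES = {APPLIANCE_NAME: APPLIANCE_DMZ_IP}


def resolve(name, client_ip, use_override=True):
    """Answer as the forwarder would: an override wins for LAN clients,
    anything else falls through to the public (authoritative) answer."""
    client = ipaddress.ip_address(client_ip)
    if use_override and client in LAN_NET and name in DNS_OVERRIDES:
        return DNS_OVERRIDES[name]
    return PUBLIC_DNS[name]


def path(dst_ip, nat_reflection=False):
    """Which way a LAN client's packet goes for the address it resolved."""
    dst = ipaddress.ip_address(dst_ip)
    if dst in DMZ_NET:
        # Direct: only needs a LAN -> DMZ allow rule for ports 80, 443 and 8200.
        return "LAN -> DMZ"
    if dst == WAN_IP:
        # Hairpin to the firewall's own public address: works only with NAT reflection.
        return "LAN -> WAN -> DMZ (NAT reflection)" if nat_reflection else "unreachable"
    return "LAN -> WAN"


def lan_client_reaches_appliance(client_ip, use_override, nat_reflection=False):
    """Resolve the appliance name as a LAN client and report the resulting path."""
    ip = resolve(APPLIANCE_NAME, client_ip, use_override)
    return str(ip), path(ip, nat_reflection)


if __name__ == "__main__":
    print(lan_client_reaches_appliance("192.168.1.50", use_override=True))
    print(lan_client_reaches_appliance("192.168.1.50", use_override=False))
    print(lan_client_reaches_appliance("192.168.1.50", use_override=False, nat_reflection=True))
```

    An external client (outside LAN_NET) never sees the override, so it still gets the public address and arrives through the WAN port forward.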
