DMZ with real public IPs and NAT



  • Hello everyone.

    I have been using pfSense for over a year without problems, but I need to add another one to connect the network of private and public servers to the Internet; the servers need real public IPs (because of certificates). The hardware I have used is a Compaq ProLiant DL360 with 2 internal 1 Gb network cards plus two added 100 Mb 3Com cards. The intention is to have a LAN, a WAN, a DMZ and one more unused for now.
    The Internet and hosting provider connects me through a router with the private IP 172.x.x.35/29, so on the WAN I have 172.x.x.35/29. On the DMZ I will have a public IP, 213.x.x.129/29, and several servers with public IPs as well: 213.x.x.130, 213.x.x.131, etc.
    For the server LAN I have 10.1.1.125/25 with a router to our offices at 10.1.1.1; our offices are 192.168.68.0/24.

    I understand that for the servers to get out and be reachable, 1:1 NAT is needed, but I picture it as follows:

    Interface  External IP       Internal IP       Description
    WAN        213.x.x.130/32    213.x.x.130/32    Correo
    WAN        213.x.x.131/32    213.x.x.131/32    Blackberry
    WAN        213.x.x.132/32    213.x.x.132/32    Web

    And for the private servers and my network to have Internet access I will need to change AON as follows:

    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    DMZ        any     *            *            *                 *            *         NO           Auto created rule for LAN

    If you see it differently, I would appreciate your comments.



  • In the end I managed to get it working, and everything works for me.
    The trick was to put a Virtual IP on the same DMZ network, so pfSense uses two real Internet IPs.

    This is the configuration:

    <pfsense>
      <version>3.0</version>
      <lastchange/>
      <theme>metallic</theme>
      <system>
        <optimization>normal</optimization>
        <hostname>pfsense</hostname>
        <domain>domain.es</domain>
        <username>admin</username>
        <password></password>
        <timezone>Europe/Madrid</timezone>
        <time-update-interval/>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
          <protocol>https</protocol>
          <certificate/>
          <private-key/>
        </webgui>
        <disablenatreflection>yes</disablenatreflection>
        <ssh>
          <authorizedkeys/>
        </ssh>
        <enablesshd>yes</enablesshd>
        <disableconsolemenu/>
        <maximumstates/>
        <shapertype/>
        <dnsserver>213.4.194.4</dnsserver>
        <dnsserver>10.1.0.4</dnsserver>
        <dnsallowoverride/>
      </system>
      <interfaces>
        <lan>
          <if>fxp0</if>
          <ipaddr>10.1.1.125</ipaddr>
          <subnet>25</subnet>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
        </lan>
        <wan>
          <if>xl0</if>
          <mtu/>
          <blockpriv/>
          <media/>
          <mediaopt/>
          <bandwidth>100</bandwidth>
          <bandwidthtype>Mb</bandwidthtype>
          <spoofmac/>
          <disableftpproxy/>
          <ipaddr>172.17.192.36</ipaddr>
          <subnet>29</subnet>
          <gateway>172.17.192.35</gateway>
        </wan>
        <opt1>
          <if>fxp1</if>
          <descr>DMZ</descr>
          <bridge/>
          <enable/>
          <ipaddr>213.x.x.129</ipaddr>
          <subnet>29</subnet>
          <gateway/>
          <spoofmac/>
        </opt1>
        <opt2>
          <if>xl1</if>
          <descr>NETLAN</descr>
          <bridge/>
          <ipaddr>192.168.60.2</ipaddr>
          <subnet>24</subnet>
          <gateway>192.168.60.1</gateway>
          <spoofmac/>
        </opt2>
      </interfaces>
      <staticroutes>
        <route>
          <interface>lan</interface>
          <network>10.1.0.0/25</network>
          <gateway>10.1.1.1</gateway>
          <descr>Red Tic</descr>
        </route>
        <route>
          <interface>lan</interface>
          <network>192.168.68.0/24</network>
          <gateway>10.1.1.1</gateway>
          <descr>Red Oficina</descr>
        </route>
        <route>
          <interface>lan</interface>
          <network>192.168.79.128/25</network>
          <gateway>10.1.1.1</gateway>
          <descr>Red Tic</descr>
        </route>
      </staticroutes>
      <pppoe>
        <username/>
        <password/>
      </pppoe>
      <pptp>
        <username/>
        <password/>
        <local/>
      </pptp>
      <bigpond/>
      <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
      </dyndns>
      <dhcpd>
        <lan>
          <range>
            <from>10.1.1.10</from>
            <to>10.1.1.245</to>
          </range>
          <defaultleasetime/>
          <maxleasetime/>
          <netmask/>
          <failover_peerip/>
          <gateway/>
          <ddnsdomain/>
          <next-server/>
          <filename/>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <ovpn/>
      <dnsmasq>
        <enable/>
        <domainoverrides>
          <domain>nmasuno.com</domain>
          <ip>10.1.0.11</ip>
          <descr>ad.nmasuno.com</descr>
        </domainoverrides>
      </dnsmasq>
      <snmpd>
        <syslocation/>
        <syscontact/>
        <rocommunity>public</rocommunity>
      </snmpd>
      <diag>
        <ipv6nat/>
      </diag>
      <bridge/>
      <syslog/>
      <nat>
        <ipsecpassthru/>
        <advancedoutbound>
          <rule>
            <source><network>10.1.1.0/25</network></source>
            <sourceport/>
            <descr>Nat de salida para LAN</descr>
            <target>213.x.x.133</target>
            <interface>wan</interface>
            <destination><any/></destination>
            <natport/>
          </rule>
          <rule>
            <source><network>10.1.0.0/25</network></source>
            <sourceport/>
            <descr>Nat de salida para LAN</descr>
            <target>213.x.x.133</target>
            <interface>wan</interface>
            <destination><any/></destination>
            <natport/>
          </rule>
          <rule>
            <source><network>192.168.79.0/25</network></source>
            <sourceport/>
            <descr>Nat de salida para LAN</descr>
            <target>213.x.x.133</target>
            <interface>wan</interface>
            <destination><any/></destination>
            <natport/>
          </rule>
          <rule>
            <source><network>192.168.68.0/25</network></source>
            <sourceport/>
            <descr>Nat de salida para LAN</descr>
            <target>213.x.x.133</target>
            <interface>wan</interface>
            <destination><any/></destination>
            <natport/>
          </rule>
          <rule>
            <source><network>172.17.192.36/32</network></source>
            <sourceport/>
            <descr>Nat de salida para LAN</descr>
            <target>213.x.x.133</target>
            <interface>wan</interface>
            <destination><any/></destination>
            <natport/>
          </rule>
          <enable/>
        </advancedoutbound>
      </nat>
      <filter>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>213.x.x.131</address><port>80</port></destination>
          <descr>HTTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>213.x.x.132</address><port>80</port></destination>
          <descr>HTTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>CORREO</address><port>443</port></destination>
          <descr>HTTPs</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>CORREO</address><port>465</port></destination>
          <descr>SMTP/s</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>CORREO</address><port>993</port></destination>
          <descr>IMAP4/s</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>CORREO</address><port>25</port></destination>
          <descr>SMTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>CORREO</address><port>143</port></destination>
          <descr>IMAP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>Blackberry</address><port>3101</port></destination>
          <descr>BLACKBERRY</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>icmp</protocol>
          <source><any/></source>
          <destination><any/></destination>
          <disabled/>
          <descr>Ping</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><network>opt1</network></source>
          <destination><network>lan</network><port>1433-1434</port></destination>
          <descr>SQL server</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><network>opt1</network></source>
          <destination><any/><port>25</port></destination>
          <descr>SMTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>opt1</network></source>
          <destination><any/><port>80</port></destination>
          <descr>HTTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>opt1</network></source>
          <destination><any/><port>443</port></destination>
          <descr>HTTPs</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><network>opt1</network></source>
          <destination><any/><port>53</port></destination>
          <descr>DNS</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><address>LanTic</address></source>
          <destination><network>opt1</network><port>Samba</port></destination>
          <descr>SMB > DMZ</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>80</port></destination>
          <descr>HTTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>53</port></destination>
          <descr>DNS</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>23</port></destination>
          <descr>TELNET</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>25</port></destination>
          <descr>SMTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>143</port></destination>
          <descr>IMAP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>443</port></destination>
          <descr>HTTPS</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>21</port></destination>
          <descr>FTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><network>lan</network></source>
          <destination><any/><port>123</port></destination>
          <descr>TIME</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp</protocol>
          <source><network>lan</network></source>
          <destination><address>127.0.0.1</address><port>8000-8090</port></destination>
          <descr>FTP (IEXPLORER)</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>icmp</protocol>
          <source><address>LanTic</address></source>
          <destination><any/></destination>
          <disabled/>
          <descr>SMB > WEB</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>lan</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <source><any/></source>
          <destination><any/></destination>
          <log/>
          <descr>BLOCK</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>enc0</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>192.168.79.128/25</address><port>3200-3201</port></destination>
        </rule>
        <rule>
          <type>pass</type>
          <interface>enc0</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>192.168.79.128/25</address><port>3299</port></destination>
        </rule>
        <rule>
          <type>pass</type>
          <interface>enc0</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/><protocol>icmp</protocol>
          <source><any/></source>
          <destination><address>192.168.79.128/25</address></destination>
        </rule>
        <rule>
          <type>block</type>
          <interface>enc0</interface>
          <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
          <os/>
          <source><any/></source>
          <destination><any/></destination>
        </rule>
        <bypassstaticroutes/>
      </filter>
      <shaper/>
      <aliases>
        <alias>
          <name>CORREO</name>
          <address>213.x.x.130</address>
          <descr>Servidor de CORREO</descr>
          <type>host</type>
          <detail>Entry added Tue, 24 Jun 2008 12:49:33 +0200||</detail>
        </alias>
        <alias>
          <name>LanTic</name>
          <address>10.1.0.0/25 10.1.1.0/25 192.168.79.128/25</address>
          <descr>Red del TIC</descr>
          <type>network</type>
          <detail>Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||</detail>
        </alias>
        <alias>
          <name>Oficina</name>
          <address>192.168.68.0/24</address>
          <descr>Red de Oficina</descr>
          <type>network</type>
          <detail>Entry added Wed, 25 Jun 2008 09:43:29 +0200||</detail>
        </alias>
        <alias>
          <name>RouterTic</name>
          <address>10.1.1.1</address>
          <descr>Router Tic Red privada</descr>
          <type>host</type>
          <detail>Entry added Wed, 25 Jun 2008 09:44:31 +0200||</detail>
        </alias>
        <alias>
          <name>Samba</name>
          <address>137 138 139 445</address>
          <descr>Red microsoft</descr>
          <type>port</type>
          <detail>Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||</detail>
        </alias>
        <alias>
          <name>WEB</name>
          <address>213.x.x.132</address>
          <descr>SERVIDOR WEB</descr>
          <type>host</type>
          <detail>Entry added Tue, 24 Jun 2008 12:50:52 +0200||</detail>
        </alias>
      </aliases>
      <proxyarp/>
      <cron>
        <item>
          <minute>0</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 newsyslog</command>
        </item>
        <item>
          <minute>1,31</minute>
          <hour>0-5</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 adjkerntz -a</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>3</hour>
          <mday>1</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
        </item>
        <item>
          <minute>1</minute>
          <hour>1</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
        </item>
        <item>
          <minute>*/60</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c</command>
        </item>
        <item>
          <minute>*/5</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/local/bin/checkreload.sh</command>
        </item>
        <item>
          <minute>*/5</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/etc/ping_hosts.sh</command>
        </item>
        <item>
          <minute>*/140</minute>
          <hour>*</hour>
          <mday>*</mday>
          <month>*</month>
          <wday>*</wday>
          <who>root</who>
          <command>/usr/local/sbin/reset_slbd.sh</command>
        </item>
      </cron>
      <wol/>
      <installedpackages/>
      <vlans/>
      <revision>
        <description>/firewall_rules_edit.php made unknown change</description>
        <time>1215020747</time>
      </revision>
      <rrd>
        <enable/>
      </rrd>
      <virtualip>
        <vip>
          <mode>proxyarp</mode>
          <interface>wan</interface>
          <descr>IP de Salida NAT</descr>
          <type>single</type>
          <subnet_bits>32</subnet_bits>
          <subnet>213.x.x.133</subnet>
        </vip>
      </virtualip>
    </pfsense>
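As an added example (not part of the thread or of pfSense itself), the following Python audit parses the filter and alias sections of a config.xml laid out like the one above, resolves host aliases such as CORREO, and flags WAN pass rules that are not pinned to a single DMZ host and port. The embedded sample config and the 203.0.113.128/29 range are constructed stand-ins for the poster's 213.x.x.128/29 addresses.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the posted config.xml (not the real file);
# 203.0.113.0/24 is a documentation range standing in for the 213.x.x.x addresses.
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><address>CORREO</address><port>25</port></destination>
      <descr>SMTP</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source><destination><address>203.0.113.132</address><port>80</port></destination>
      <descr>HTTP</descr></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source><destination><any/></destination>
      <descr>too broad</descr></rule>
    <rule><type>block</type><interface>lan</interface>
      <source><any/></source><destination><any/></destination>
      <log/><descr>BLOCK</descr></rule>
  </filter>
  <aliases>
    <alias><name>CORREO</name><address>203.0.113.130</address><type>host</type></alias>
  </aliases>
</pfsense>"""
DMZ_NET = ipaddress.ip_network("203.0.113.128/29")  # stand-in for the DMZ /29

def load_aliases(root):
    """Map alias name -> address string for host aliases (e.g. CORREO)."""
    return {a.findtext("name"): a.findtext("address")
            for a in root.iter("alias") if a.findtext("type") == "host"}

def parse_rules(xml_text):
    """Return one dict per <filter> rule, with host aliases resolved on the destination."""
    root = ET.fromstring(xml_text)
    aliases = load_aliases(root)
    rules = []
    for r in root.find("filter").findall("rule"):
        dst = r.find("destination")
        addr = dst.findtext("address")  # None for <any/> or <network>
        rules.append({
            "type": r.findtext("type"),
            "interface": r.findtext("interface"),
            "dst": aliases.get(addr, addr),
            "dst_any": dst.find("any") is not None,
            "port": dst.findtext("port"),
            "descr": r.findtext("descr"),
            "logged": r.find("log") is not None,
        })
    return rules

def in_dmz(addr):
    """True when addr is a single host inside DMZ_NET (alias names and None fail)."""
    try:
        return ipaddress.ip_address(addr) in DMZ_NET
    except (ValueError, TypeError):
        return False

def audit_wan(rules):
    """Descriptions of WAN pass rules not pinned to one DMZ host and one port."""
    return [r["descr"] for r in rules
            if r["type"] == "pass" and r["interface"] == "wan"
            and not (in_dmz(r["dst"]) and r["port"] and not r["dst_any"])]
```

Run it against a real config.xml by reading the file into `parse_rules` and replacing `DMZ_NET` with the actual DMZ prefix; any rule it lists is one whose destination is wider than a single published service.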

