DMZ con IP's publicas reales y NAT

0ren

Hola a todos.

LLevo más de un año usando Pfsense sin problemas, pero necesito añadir otro para conectar la red de servidores privados y publicos a internet, los servidores necesitan IP's publicas reales (por cuestiones de certificados).El hadware que he empleado es un compaq Proliant DL360 con 2 targetas de red de 1g internas más dos 3com de 100mb añadidas. La intención es tener una Lan, Wan, DMZ y otra sin uso por el momento.
El proveedor de internet y de Hosting me conecta con un router con IP privada 172.x.x.35/29 por lo que en la WAN tengo  la 172.x.x.35/29. en la DMZ tendré una IP pública 213.x.x.129/29  y varios servidores con IP's tambien publicas 213.x.x.130, 213.x.x.131  etc…
Para la LAN  de servidores tengo 10.1.1.125/25 con un router a nuestras oficinas 10.1.1.1 , nuestras oficinas son 192.168.68.0/24.

Entiendo que para que los servidores salgan y sean visibles se necesita NAT 1:1  pero me imagino  de la siguiente forma:

WAN  213.x.x.130/32  213.x.x.130/32  Correo

WAN  213.x.x.131/32  213.x.x.131/32  Blackberry

WAN  213.x.x.132/32  213.x.x.132/32  Web

Y para que los servidores privados y mi red puedan tener internet necesitaré cambiar AON  de la siguiente forma:

Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

DMZ        any            *            *                  *                *              *          NO Auto created rule for LAN

Si opinais de distinta forma por favor apreciaria vuestros comentarios.

0ren

Al final he conseguido hacerlo funcionar, y me funciona todo. 
El truco fue poner una IP Virtual en la misma red DMZ , por lo que el PfSense consume dos IP´s de Internet reales.

Esta es la configuración:

<pfsense><version>3.0</version>
<lastchange><theme>metallic</theme>
<system><optimization>normal</optimization>
<hostname>pfsense</hostname>
<domain>domain.es</domain>
<username>admin</username>
<password></password>
<timezone>Europe/Madrid</timezone>
<time-update-interval><timeservers>pool.ntp.org</timeservers>
<webgui><protocol>https</protocol>
<certificate><private-key></private-key></certificate></webgui>
<disablenatreflection>yes</disablenatreflection>
<ssh><authorizedkeys></authorizedkeys></ssh>
<enablesshd>yes</enablesshd>
<disableconsolemenu><maximumstates><shapertype><dnsserver>213.4.194.4</dnsserver>
<dnsserver>10.1.0.4</dnsserver>
<dnsallowoverride></dnsallowoverride></shapertype></maximumstates></disableconsolemenu></time-update-interval></system>
<interfaces><lan><if>fxp0</if>
<ipaddr>10.1.1.125</ipaddr>
<subnet>25</subnet>
<media><mediaopt><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
<wan><if>xl0</if>
<mtu><blockpriv><media><mediaopt><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<spoofmac><disableftpproxy><ipaddr>172.17.192.36</ipaddr>
<subnet>29</subnet>
<gateway>172.17.192.35</gateway></disableftpproxy></spoofmac></mediaopt></media></blockpriv></mtu></wan>
<opt1><if>fxp1</if>
<descr>DMZ</descr>
<bridge><enable><ipaddr>213.x.x.129</ipaddr>
<subnet>29</subnet>
<gateway><spoofmac></spoofmac></gateway></enable></bridge></opt1>
<opt2><if>xl1</if>
<descr>NETLAN</descr>
<bridge><ipaddr>192.168.60.2</ipaddr>
<subnet>24</subnet>
<gateway>192.168.60.1</gateway>
<spoofmac></spoofmac></bridge></opt2></interfaces>
<staticroutes><route><interface>lan</interface>
<network>10.1.0.0/25</network>
<gateway>10.1.1.1</gateway>
<descr>Red Tic</descr></route>
<route><interface>lan</interface>
<network>192.168.68.0/24</network>
<gateway>10.1.1.1</gateway>
<descr>Red Oficina</descr></route>
<route><interface>lan</interface>
<network>192.168.79.128/25</network>
<gateway>10.1.1.1</gateway>
<descr>Red Tic</descr></route></staticroutes>
<pppoe><username><password></password></username></pppoe>
<pptp><username><password><local></local></password></username></pptp>
<bigpond><dyndns><type>dyndns</type>
<username><password></password></username></dyndns>
<dhcpd><lan><range><from>10.1.1.10</from>
<to>10.1.1.245</to></range>
<defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><ddnsdomain><next-server><filename></filename></next-server></ddnsdomain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></lan></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd>
<ovpn><dnsmasq><enable><domainoverrides><domain>nmasuno.com</domain>
<ip>10.1.0.11</ip>
<descr>ad.nmasuno.com</descr></domainoverrides></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat></ipv6nat></diag>
<bridge><syslog><nat><ipsecpassthru><advancedoutbound><rule><source>
<network>10.1.1.0/25</network>

<sourceport><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></sourceport></rule>
<rule><source>
<network>10.1.0.0/25</network>

<sourceport><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></sourceport></rule>
<rule><source>
<network>192.168.79.0/25</network>

<sourceport><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></sourceport></rule>
<rule><source>
<network>192.168.68.0/25</network>

<sourceport><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></sourceport></rule>
<rule><source>
<network>172.17.192.36/32</network>

<sourceport><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></sourceport></rule>
<enable></enable></advancedoutbound></ipsecpassthru></nat>
<filter><rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>213.x.x.131</address>

<port>80</port></destination>
<descr>HTTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>213.x.x.132</address>

<port>80</port></destination>
<descr>HTTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>CORREO</address>

<port>443</port></destination>
<descr>HTTPs</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>CORREO</address>

<port>465</port></destination>
<descr>SMTP/s</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>CORREO</address>

<port>993</port></destination>
<descr>IMAP4/s</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>CORREO</address>

<port>25</port></destination>
<descr>SMTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>CORREO</address>

<port>143</port></destination>
<descr>IMAP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<any><destination><address>Blackberry</address>

<port>3101</port></destination>
<descr>BLACKBERRY</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>

<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>icmp</protocol>
<source>
<any><destination><any></any></destination>
<disabled><descr>Ping</descr></disabled></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>opt1</network>

<destination><network>lan</network>
<port>1433-1434</port></destination>
<descr>SQL server</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>opt1</network>

<destination><any><port>25</port></any></destination>
<descr>SMTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>opt1</network>

<destination><any><port>80</port></any></destination>
<descr>HTTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>opt1</network>

<destination><any><port>443</port></any></destination>
<descr>HTTPs</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>opt1</network>

<destination><any><port>53</port></any></destination>
<descr>DNS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>

<address>LanTic</address>

<destination><network>opt1</network>
<port>Samba</port></destination>
<descr>SMB > DMZ</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>80</port></any></destination>
<descr>HTTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>lan</network>

<destination><any><port>53</port></any></destination>
<descr>DNS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>23</port></any></destination>
<descr>TELNET</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>25</port></any></destination>
<descr>SMTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>143</port></any></destination>
<descr>IMAP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>443</port></any></destination>
<descr>HTTPS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><any><port>21</port></any></destination>
<descr>FTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<network>lan</network>

<destination><any><port>123</port></any></destination>
<descr>TIME</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp</protocol>
<source>
<network>lan</network>

<destination><address>127.0.0.1</address>

<port>8000-8090</port></destination>
<descr>FTP (IEXPLORER)</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>icmp</protocol>
<source>

<address>LanTic</address>

<destination><any></any></destination>
<disabled><descr>SMB > WEB</descr></disabled></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>block</type>
<interface>lan</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>

<source>
<any><destination><any></any></destination>
<log><descr>BLOCK</descr></log></any></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<any><destination><address>192.168.79.128/25</address>

<port>3200-3201</port></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>tcp/udp</protocol>
<source>
<any><destination><address>192.168.79.128/25</address>

<port>3299</port></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><protocol>icmp</protocol>
<source>
<any><destination><address>192.168.79.128/25</address></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>

<rule><type>block</type>
<interface>enc0</interface>
<max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
<os><source>
<any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
<bypassstaticroutes></bypassstaticroutes></filter>
<shaper><aliases><alias><name>CORREO</name>

<address>213.x.x.130</address>

<descr>Servidor de CORREO</descr>
<type>host</type>
<detail>Entry added Tue, 24 Jun 2008 12:49:33 +0200||</detail></alias>
<alias><name>LanTic</name>

<address>10.1.0.0/25 10.1.1.0/25 192.168.79.128/25</address>

<descr>Red del TIC</descr>
<type>network</type>
<detail>Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||</detail></alias>
<alias><name>Oficina</name>

<address>192.168.68.0/24</address>

<descr>Red de Oficina</descr>
<type>network</type>
<detail>Entry added Wed, 25 Jun 2008 09:43:29 +0200||</detail></alias>

<alias><name>RouterTic</name>

<address>10.1.1.1</address>

<descr>Router Tic Red privada</descr>
<type>host</type>
<detail>Entry added Wed, 25 Jun 2008 09:44:31 +0200||</detail></alias>

<alias><name>Samba</name>

<address>137 138 139 445</address>

<descr>Red microsoft</descr>
<type>port</type>
<detail>Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||</detail></alias>
<alias><name>WEB</name>

<address>213.x.x.132</address>

<descr>SERVIDOR WEB</descr>
<type>host</type>
<detail>Entry added Tue, 24 Jun 2008 12:50:52 +0200||</detail></alias></aliases>
<proxyarp><cron><minute>0</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 newsyslog
<minute>1,31</minute>
<hour>0-5</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 adjkerntz -a
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
<minute>1</minute>
<hour>1</hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
<minute>/60</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
<minute>/5</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/local/bin/checkreload.sh
<minute>/5</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/etc/ping_hosts.sh
<minute>/140</minute>
<hour></hour>
<mday></mday>
<month></month>
<wday></wday>
<who>root</who>
<command></command>/usr/local/sbin/reset_slbd.sh</cron>
<wol><installedpackages></installedpackages>
<vlans><revision><description>/firewall_rules_edit.php made unknown change</description>
<time>1215020747</time></revision>
<rrd><enable></enable></rrd>
<virtualip><vip><mode>proxyarp</mode>
<interface>wan</interface>
<descr>IP de Salida NAT</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>213.x.x.133</subnet></vip></virtualip></vlans></wol></proxyarp></shaper></syslog></bridge></ovpn></bigpond></lastchange></pfsense>