4. DMZ con IP's publicas reales y NAT

DMZ con IP's publicas reales y NAT

  • 0

    Hola a todos.

    LLevo más de un año usando Pfsense sin problemas, pero necesito añadir otro para conectar la red de servidores privados y publicos a internet, los servidores necesitan IP's publicas reales (por cuestiones de certificados).El hadware que he empleado es un compaq Proliant DL360 con 2 targetas de red de 1g internas más dos 3com de 100mb añadidas. La intención es tener una Lan, Wan, DMZ y otra sin uso por el momento.
    El proveedor de internet y de Hosting me conecta con un router con IP privada 172.x.x.35/29 por lo que en la WAN tengo  la 172.x.x.35/29. en la DMZ tendré una IP pública 213.x.x.129/29  y varios servidores con IP's tambien publicas 213.x.x.130, 213.x.x.131  etc…
    Para la LAN  de servidores tengo 10.1.1.125/25 con un router a nuestras oficinas 10.1.1.1 , nuestras oficinas son 192.168.68.0/24.

    Entiendo que para que los servidores salgan y sean visibles se necesita NAT 1:1  pero me imagino  de la siguiente forma:

    WAN  213.x.x.130/32  213.x.x.130/32  Correo

    WAN  213.x.x.131/32  213.x.x.131/32  Blackberry

    WAN  213.x.x.132/32  213.x.x.132/32  Web

    Y para que los servidores privados y mi red puedan tener internet necesitaré cambiar AON  de la siguiente forma:

    Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description

    DMZ        any            *            *                  *                *              *          NO Auto created rule for LAN

    Si opinais de distinta forma por favor apreciaria vuestros comentarios.

    0
  • 0

    Al final he conseguido hacerlo funcionar, y me funciona todo. 
    El truco fue poner una IP Virtual en la misma red DMZ , por lo que el PfSense consume dos IP´s de Internet reales.

    Esta es la configuración:

    <pfsense><version>3.0</version>
    <lastchange><theme>metallic</theme>
    <system><optimization>normal</optimization>
    <hostname>pfsense</hostname>
    <domain>domain.es</domain>
    <username>admin</username>
    <password></password>
    <timezone>Europe/Madrid</timezone>
    <time-update-interval><timeservers>pool.ntp.org</timeservers>
    <webgui><protocol>https</protocol>
    <certificate><private-key></private-key></certificate></webgui>
    <disablenatreflection>yes</disablenatreflection>
    <ssh><authorizedkeys></authorizedkeys></ssh>
    <enablesshd>yes</enablesshd>
    <disableconsolemenu><maximumstates><shapertype><dnsserver>213.4.194.4</dnsserver>
    <dnsserver>10.1.0.4</dnsserver>
    <dnsallowoverride></dnsallowoverride></shapertype></maximumstates></disableconsolemenu></time-update-interval></system>
    <interfaces><lan><if>fxp0</if>
    <ipaddr>10.1.1.125</ipaddr>
    <subnet>25</subnet>
    <media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
    <wan><if>xl0</if>
    <mtu><blockpriv><media><mediaopt><bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <spoofmac><disableftpproxy><ipaddr>172.17.192.36</ipaddr>
    <subnet>29</subnet>
    <gateway>172.17.192.35</gateway></disableftpproxy></spoofmac></mediaopt></media></blockpriv></mtu></wan>
    <opt1><if>fxp1</if>
    <descr>DMZ</descr>
    <bridge><enable><ipaddr>213.x.x.129</ipaddr>
    <subnet>29</subnet>
    <gateway><spoofmac></spoofmac></gateway></enable></bridge></opt1>
    <opt2><if>xl1</if>
    <descr>NETLAN</descr>
    <bridge><ipaddr>192.168.60.2</ipaddr>
    <subnet>24</subnet>
    <gateway>192.168.60.1</gateway>
    <spoofmac></spoofmac></bridge></opt2></interfaces>
    <staticroutes><route><interface>lan</interface>
    <network>10.1.0.0/25</network>
    <gateway>10.1.1.1</gateway>
    <descr>Red Tic</descr></route>
    <route><interface>lan</interface>
    <network>192.168.68.0/24</network>
    <gateway>10.1.1.1</gateway>
    <descr>Red Oficina</descr></route>
    <route><interface>lan</interface>
    <network>192.168.79.128/25</network>
    <gateway>10.1.1.1</gateway>
    <descr>Red Tic</descr></route></staticroutes>
    <pppoe><username><password></password></username></pppoe>
    <pptp><username><password><local></local></password></username></pptp>
    <bigpond><dyndns><type>dyndns</type>
    <username><password></password></username></dyndns>
    <dhcpd><lan><range><from>10.1.1.10</from>
    <to>10.1.1.245</to></range>
    <defaultleasetime><maxleasetime><netmask><failover_peerip><gateway><ddnsdomain><next-server><filename></filename></next-server></ddnsdomain></gateway></failover_peerip></netmask></maxleasetime></defaultleasetime></lan></dhcpd>
    <pptpd><mode><redir><localip></localip></redir></mode></pptpd>
    <ovpn><dnsmasq><enable><domainoverrides><domain>nmasuno.com</domain>
    <ip>10.1.0.11</ip>
    <descr>ad.nmasuno.com</descr></domainoverrides></enable></dnsmasq>
    <snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
    <diag><ipv6nat></ipv6nat></diag>
    <bridge><syslog><nat><ipsecpassthru><advancedoutbound><rule><source>
    <network>10.1.1.0/25</network>

    <sourceport><descr>Nat de salida para LAN</descr>
    <target>213.x.x.133</target>
    <interface>wan</interface>
    <destination><any></any></destination>
    <natport></natport></sourceport></rule>
    <rule><source>
    <network>10.1.0.0/25</network>

    <sourceport><descr>Nat de salida para LAN</descr>
    <target>213.x.x.133</target>
    <interface>wan</interface>
    <destination><any></any></destination>
    <natport></natport></sourceport></rule>
    <rule><source>
    <network>192.168.79.0/25</network>

    <sourceport><descr>Nat de salida para LAN</descr>
    <target>213.x.x.133</target>
    <interface>wan</interface>
    <destination><any></any></destination>
    <natport></natport></sourceport></rule>
    <rule><source>
    <network>192.168.68.0/25</network>

    <sourceport><descr>Nat de salida para LAN</descr>
    <target>213.x.x.133</target>
    <interface>wan</interface>
    <destination><any></any></destination>
    <natport></natport></sourceport></rule>
    <rule><source>
    <network>172.17.192.36/32</network>

    <sourceport><descr>Nat de salida para LAN</descr>
    <target>213.x.x.133</target>
    <interface>wan</interface>
    <destination><any></any></destination>
    <natport></natport></sourceport></rule>
    <enable></enable></advancedoutbound></ipsecpassthru></nat>
    <filter><rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>213.x.x.131</address>

    <port>80</port></destination>
    <descr>HTTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>213.x.x.132</address>

    <port>80</port></destination>
    <descr>HTTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>CORREO</address>

    <port>443</port></destination>
    <descr>HTTPs</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>CORREO</address>

    <port>465</port></destination>
    <descr>SMTP/s</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>CORREO</address>

    <port>993</port></destination>
    <descr>IMAP4/s</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>CORREO</address>

    <port>25</port></destination>
    <descr>SMTP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>CORREO</address>

    <port>143</port></destination>
    <descr>IMAP</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>wan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <any><destination><address>Blackberry</address>

    <port>3101</port></destination>
    <descr>BLACKBERRY</descr></any></os></statetimeout></max-src-states></max-src-nodes></rule>

    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>icmp</protocol>
    <source>
    <any><destination><any></any></destination>
    <disabled><descr>Ping</descr></disabled></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <network>opt1</network>

    <destination><network>lan</network>
    <port>1433-1434</port></destination>
    <descr>SQL server</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <network>opt1</network>

    <destination><any><port>25</port></any></destination>
    <descr>SMTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>opt1</network>

    <destination><any><port>80</port></any></destination>
    <descr>HTTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>opt1</network>

    <destination><any><port>443</port></any></destination>
    <descr>HTTPs</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>opt1</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <network>opt1</network>

    <destination><any><port>53</port></any></destination>
    <descr>DNS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>

    <address>LanTic</address>

    <destination><network>opt1</network>
    <port>Samba</port></destination>
    <descr>SMB > DMZ</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>80</port></any></destination>
    <descr>HTTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>53</port></any></destination>
    <descr>DNS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>23</port></any></destination>
    <descr>TELNET</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>25</port></any></destination>
    <descr>SMTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>143</port></any></destination>
    <descr>IMAP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>443</port></any></destination>
    <descr>HTTPS</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>21</port></any></destination>
    <descr>FTP</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <network>lan</network>

    <destination><any><port>123</port></any></destination>
    <descr>TIME</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp</protocol>
    <source>
    <network>lan</network>

    <destination><address>127.0.0.1</address>

    <port>8000-8090</port></destination>
    <descr>FTP (IEXPLORER)</descr></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>icmp</protocol>
    <source>

    <address>LanTic</address>

    <destination><any></any></destination>
    <disabled><descr>SMB > WEB</descr></disabled></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>block</type>
    <interface>lan</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>

    <source>
    <any><destination><any></any></destination>
    <log><descr>BLOCK</descr></log></any></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>enc0</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <any><destination><address>192.168.79.128/25</address>

    <port>3200-3201</port></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>enc0</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>tcp/udp</protocol>
    <source>
    <any><destination><address>192.168.79.128/25</address>

    <port>3299</port></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <rule><type>pass</type>
    <interface>enc0</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><protocol>icmp</protocol>
    <source>
    <any><destination><address>192.168.79.128/25</address></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>

    <rule><type>block</type>
    <interface>enc0</interface>
    <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
    <os><source>
    <any><destination><any></any></destination></any></os></statetimeout></max-src-states></max-src-nodes></rule>
    <bypassstaticroutes></bypassstaticroutes></filter>
    <shaper><aliases><alias><name>CORREO</name>

    <address>213.x.x.130</address>

    <descr>Servidor de CORREO</descr>
    <type>host</type>
    <detail>Entry added Tue, 24 Jun 2008 12:49:33 +0200||</detail></alias>
    <alias><name>LanTic</name>

    <address>10.1.0.0/25 10.1.1.0/25 192.168.79.128/25</address>

    <descr>Red del TIC</descr>
    <type>network</type>
    <detail>Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||</detail></alias>
    <alias><name>Oficina</name>

    <address>192.168.68.0/24</address>

    <descr>Red de Oficina</descr>
    <type>network</type>
    <detail>Entry added Wed, 25 Jun 2008 09:43:29 +0200||</detail></alias>

    <alias><name>RouterTic</name>

    <address>10.1.1.1</address>

    <descr>Router Tic Red privada</descr>
    <type>host</type>
    <detail>Entry added Wed, 25 Jun 2008 09:44:31 +0200||</detail></alias>

    <alias><name>Samba</name>

    <address>137 138 139 445</address>

    <descr>Red microsoft</descr>
    <type>port</type>
    <detail>Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||</detail></alias>
    <alias><name>WEB</name>

    <address>213.x.x.132</address>

    <descr>SERVIDOR WEB</descr>
    <type>host</type>
    <detail>Entry added Tue, 24 Jun 2008 12:50:52 +0200||</detail></alias></aliases>
    <proxyarp><cron><minute>0</minute>
    <hour></hour>
    <mday>    </mday>
    <month></month>
    <wday>    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 newsyslog
    <minute>1,31</minute>
    <hour>0-5</hour>
    <mday></mday>
    <month>    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 adjkerntz -a
    <minute>1</minute>
    <hour>3</hour>
    <mday>1</mday>
    <month>    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh
    <minute>    /60</minute>
    <hour></hour>
    <mday>    </mday>
    <month></month>
    <wday>    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
    <minute>1</minute>
    <hour>1</hour>
    <mday></mday>
    <month>    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /etc/rc.dyndns.update
    <minute>    /60</minute>
    <hour></hour>
    <mday>    </mday>
    <month></month>
    <wday>    </wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
    <minute>/60</minute>
    <hour>    </hour>
    <mday></mday>
    <month>    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
    <minute>    /5</minute>
    <hour></hour>
    <mday>    </mday>
    <month></month>
    <wday>    </wday>
    <who>root</who>
    <command></command>/usr/local/bin/checkreload.sh
    <minute>/5</minute>
    <hour>    </hour>
    <mday></mday>
    <month>    </month>
    <wday></wday>
    <who>root</who>
    <command></command>/etc/ping_hosts.sh
    <minute>    /140</minute>
    <hour></hour>
    <mday>    </mday>
    <month></month>
    <wday>    </wday>
    <who>root</who>
    <command></command>/usr/local/sbin/reset_slbd.sh</cron>
    <wol><installedpackages></installedpackages>
    <vlans><revision><description>/firewall_rules_edit.php made unknown change</description>
    <time>1215020747</time></revision>
    <rrd><enable></enable></rrd>
    <virtualip><vip><mode>proxyarp</mode>
    <interface>wan</interface>
    <descr>IP de Salida NAT</descr>
    <type>single</type>
    <subnet_bits>32</subnet_bits>
    <subnet>213.x.x.133</subnet></vip></virtualip></vlans></wol></proxyarp></shaper></syslog></bridge></ovpn></bigpond></lastchange></pfsense>

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy