OPNsense Forum » Archive » 18.1 Legacy Series » Firewall Rulesets: NAT / DMZ / Portforwarding
Author Topic: Firewall Rulesets: NAT / DMZ / Portforwarding  (Read 1978 times)

ruggerio

  • Sr. Member
  • Posts: 279
  • Karma: 11
Firewall Rulesets: NAT / DMZ / Portforwarding
« on: March 20, 2018, 07:32:15 am »
Hi,

I have one single server on the DMZ interface. I want to get some ports (e.g. 80, 443) forwarded to it.

So, I created a NAT port-forwarding rule:

Interface: WAN
Target: WAN Address
Target Ports: 80,443
Redirect Target IP: [IP of my Webserver]
Redirect Target Ports: 80,443

This created an automated rule on WAN:

Source: any
Source port: any
Target: [IP of my Webserver]
Target Ports: 80,443


As this "server" is in the DMZ, I created a rule on the DMZ network to allow access to my webserver.

Question: is the rule on the DMZ interface really needed? On the WAN interface, traffic for the ports of my webserver is allowed.

In iptables (yes, I know...) I would also have to set an allow rule for that interface.


Thx,
Roger

hutiucip

  • Sr. Member
  • Posts: 283
  • Karma: 47
Re: Firewall Rulesets: NAT / DMZ / Portforwarding
« Reply #1 on: March 20, 2018, 12:33:58 pm »
Quote from ruggerio:
> As this "server" is in the DMZ, I created a rule on the DMZ network to allow access to my webserver.

Or you can use NAT reflection if you also need to access this webserver from LAN.

Quote from ruggerio:
> Question: is the rule on the DMZ interface really needed? On the WAN interface, traffic for the ports of my webserver is allowed.

Only if you need http(s) access to the server from LAN too, and you don't use NAT reflection (see above).
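The setup ruggerio describes (rdr on WAN plus the auto-generated WAN pass rule) and the NAT reflection option hutiucip mentions, written out as a pf ruleset. This is an added illustration, not the thread's own configuration and not the exact rules OPNsense generates; the interface names, the web server address and the LAN subnet are placeholders.

```pf
# Added illustration. Interface names, addresses and the LAN subnet are
# placeholders chosen for this example, not values from the thread.
wan_if    = "em0"
lan_if    = "em1"
dmz_if    = "em2"
lan_net   = "192.168.1.0/24"
web_srv   = "10.0.2.10"        # the single server in the DMZ (placeholder)
web_ports = "{ 80 443 }"

# Step 1: the port forward. In FreeBSD pf, rdr rules are evaluated before
# the filter rules, so every filter rule below sees the *translated*
# destination (the DMZ server), not the WAN address.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $web_ports -> $web_srv

# Step 2: the automatically generated WAN rule from the original post.
# It matches the web server's address because of the translation above.
pass in quick on $wan_if inet proto tcp from any to $web_srv port $web_ports \
    keep state

# For Internet clients no additional "pass in on $dmz_if" rule is involved:
# the connection is filtered where it enters (WAN), and the state created
# there also covers the same packets leaving through $dmz_if under pf's
# default floating state policy.

# Step 3 (optional): NAT reflection, so that LAN clients connecting to the
# public WAN address are redirected to the DMZ server as well. LAN clients
# that address $web_srv directly are matched by the $lan_if rules instead.
rdr on $lan_if inet proto tcp from $lan_net to ($wan_if) port $web_ports -> $web_srv
pass in quick on $lan_if inet proto tcp from $lan_net to $web_srv port $web_ports \
    keep state
```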

hutiucip

  • Sr. Member
  • Posts: 283
  • Karma: 47
Re: Firewall Rulesets: NAT / DMZ / Portforwarding
« Reply #2 on: March 20, 2018, 12:43:05 pm »
It might help you if you imagine yourself as a policeman standing in the middle of an intersection:

Policeman - the router making routing decisions
Junction/ Intersection - The router equipment, as a whole.
Roads - NICs (Network Interface Cards)/ Connections themselves.
Cars - Data Packets

Make each rule following the "from where - getting in by which road - getting out by which road - to where" way of thinking, and most of the time you will have no problems setting up your router.

ruggerio

  • Sr. Member
  • Posts: 279
  • Karma: 11
Re: Firewall Rulesets: NAT / DMZ / Portforwarding
« Reply #3 on: March 20, 2018, 12:59:25 pm »
Hi hutiucip,

Thanks for both explanations, now that's quite clear! The policeman in my case is the DMZ interface, which stops or allows the traffic to that "zone".

Roger

hutiucip

  • Sr. Member
  • Posts: 283
  • Karma: 47
Re: Firewall Rulesets: NAT / DMZ / Portforwarding
« Reply #4 on: March 20, 2018, 03:24:22 pm »
You are the policeman! ALWAYS!(!) :)

The so-called "dmz-interface" is a road, one of the many you have getting into your intersection (meaning, "router"). ;)

ruggerio

  • Sr. Member
  • Posts: 279
  • Karma: 11
Re: Firewall Rulesets: NAT / DMZ / Portforwarding
« Reply #5 on: March 20, 2018, 04:10:04 pm »
Thanks a lot :)