Web Proxy Filtering and Caching / Domains redirect to A potential DNS Rebind attack
« on: September 16, 2023, 03:49:25 pm »
I've been going nuts trying to figure out what I've done wrong.
I've moved over from Pfsense to Opnsense as I believe that Opnsense software is far more superior, but I still have a lot to learn.
In short my domains seem to be redirected back to the Opnsense ip giving me a potential DNS Rebind attack.
This is how I've set up my home lab:
Opnsense as a vm on the same server as all the apps running on Proxmox 8.
I created a dhcp pool within Opnsense for all the apps, containers and vms and static mapped the servers I wished to reverse proxy.
As I have 4 physical network cards, I have LAN, WAN and DMZ. I set up a DMZ with a dhcp outside of the Opnsense scope and added one app (Nginx Proxy Manager) and static mapped that from the DMZ pool.
So Proxmox node is on a static ip outside of any dhcp scope.
Opnsense is set with a dhcp and starts with 192.168.1.1 and has a scope of 192.168.1.15 >100
NPM (Nginx Proxy Manager) is set to 192.168.1.5 as a static map so is sat in a DMZ
DMZ is 192.168.1.2 with a dhcp scope of 192.168.1.5>10
I created an alias to allow ports for NPM and firewall rules to allow access to NPM from the internal network.
Option Value
Action Pass
Interface LAN
TCP/IP Version IPv4+IPv6 (IPv6 is optional)
Protocol TCP
Source LAN net
Source Port any
Destination 192.168.1.5
Destination Port (an alias for port 80, 81, and 443)
I then created a rule to allow access to the servers from NPM
Action Pass
Interface DMZ
TCP/IP Version IPv4+IPv6 (IPv6 is optional)
Protocol TCP
Source 192.168.1.5 (or use an alias which may include the IPv6 address)
Source Port any
Destination 192.168.1.111, 192.168.112, 192.168.113, 192.168.113, 192.168.114
Destination Port WebServerPorts (an alias for port 80 and 443)
I then created a NAT port forwarding rule to allow external network access
Interface WAN
TCP/IP Version IPv4+IPv6 (IPv6 is optional)
Protocol TCP
Source any
Source Port any
Destination WAN address
Destination Port WebServerPorts (an alias for port 80 and 443)
Redirect target IP 192.168.1.5
Redirect target port WebServerPorts (an alias for port 80 and 443)
Filter rule association Add associated filter rule
Any idea what I've done wrong, as the domains should be redirected to the internal network but clearly aren't?
EDIT****
I've since moved Opnsense from port 443 to 10443 but now the website cannot be reached. It looks like port forwarding isn't working
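A small diagnostic for the symptom described in the post (added example, not code from the post or from OPNsense): it resolves a published hostname with the local resolver and says which box the answer actually lands on. The OPNsense web GUI shows the "potential DNS rebind attack" page whenever a request reaches it with a hostname that is not its own, so a hostname resolving to the firewall address (192.168.1.1 from the post) or to the WAN address from inside the LAN explains the symptom; 203.0.113.10 is a placeholder WAN address and the verdict strings are made up for this example.

```python
"""Classify where a published hostname resolves to, to explain the GUI
"DNS rebind" page.  Constructed addresses: 192.168.1.1 (OPNsense LAN) and
192.168.1.5 (NPM) come from the post; the WAN address is a placeholder."""
import ipaddress
import socket

FIREWALL_ADDRS = {"192.168.1.1"}   # OPNsense LAN address (from the post)
PROXY_ADDRS = {"192.168.1.5"}      # Nginx Proxy Manager static mapping (from the post)
WAN_ADDR = "203.0.113.10"          # placeholder public address (RFC 5737 test range)


def classify(answers, firewall=FIREWALL_ADDRS, proxy=PROXY_ADDRS, wan=WAN_ADDR):
    """Return a comma-joined verdict for the set of addresses a name resolves to.

    hits-firewall-gui : request lands on OPNsense itself -> GUI answers on 443
                        and shows the DNS rebind page instead of the site.
    hits-proxy        : a host override / split DNS points at NPM (expected).
    needs-nat-reflection-or-host-override : LAN client gets the public WAN
                        address; the WAN-interface port forward does not apply
                        to traffic arriving on LAN, so the GUI answers again.
    """
    if not answers:
        return "no-answer"
    verdicts = set()
    for a in answers:
        ip = ipaddress.ip_address(a)
        if a in firewall:
            verdicts.add("hits-firewall-gui")
        elif a in proxy:
            verdicts.add("hits-proxy")
        elif a == wan:
            verdicts.add("needs-nat-reflection-or-host-override")
        elif ip.is_private:
            verdicts.add("unexpected-private")
        else:
            verdicts.add("external")
    return ",".join(sorted(verdicts))


def resolve(hostname):
    """Addresses the local resolver (e.g. Unbound on OPNsense) returns for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        answers = resolve(host)
        print(f"{host}: {sorted(answers)} -> {classify(answers)}")
```

Run it from a LAN client with the published domain names as arguments; anything other than `hits-proxy` means the request never reaches NPM on 192.168.1.5.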