OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: vikozo on April 27, 2019, 07:39:47 am

Title: setup for DNS/WEB Server in DMZ
Post by: vikozo on April 27, 2019, 07:39:47 am
Hello

This is the constellation I wish to have.
I host my own DNS/MAIL/WEB server with the ISPConfig tool on a virtual server.

At this time I just do an exposed host configuration on my Fritzbox to the server, and it works.

Now the opnSense box should be in between, like in the graphic.


Fritzbox WAN IP 80.254.174.229 ISP
----------+-------------------
             |
             |
----------+-------------------
Fritzbox LAN IP 10.18.10.1
----------+-------------------
             |
             |
----------+-------------------
opnSense igb0 IP 10.18.10.2/24 (WAN)
opnSense igb1 IP 10.147.42.1/24 (DMZ)
opnSense igb2 IP 10.18.14.0/24 (LAN)
----------+-------------------
             |
             |
----------+-------------------
DNS/BIND/Web/mail Server
10.147.42.68
------------------------------

On the AVM I have to configure the opnSense as exposed host; then opnSense has to go further.

How do I set up rules to get the DNS requests from outside and then also present the homepage?

have a nice day
vinc

OPNsense 19.1.6-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
LibreSSL 2.8.3
Title: Re: setup for DNS/WEB Server in DMZ
Post by: hbc on April 27, 2019, 09:38:28 am
Your exposed host on fritzbox just forwards everything to your opnsense. Now you need port forwards on your opnsense to your dmz servers. Firewall:NAT:Port-Forward
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on April 27, 2019, 09:18:49 pm
@hbc - thanks for your feedback.

All this should fit to one IP address too.

20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS/Bind
80 - HTTP (Webserver)
110 - POP3 (Email)
143 - Imap (Email)
443 - HTTPS (Secure webserver)
465 - SMTP over SSL
587 - Email Submission
993 - IMAPS (Secure Imap)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081 - ISPConfig apps vhost
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on April 29, 2019, 11:25:44 pm
@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?

have a nice day
vinc
Title: Re: setup for DNS/WEB Server in DMZ
Post by: ursus on April 29, 2019, 11:41:05 pm
I have a similar setup to you; as long as you are not doing host header (more than one 80/443 site per port) you can just do port forwarding. I need different subdomains going to different machines in the DMZ so will use nginx or haproxy, not sure which atm 😊
Title: Re: setup for DNS/WEB Server in DMZ
Post by: hbc on April 30, 2019, 07:16:05 am
@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?
For a single server, port forwards and rules are enough. If you want a WAF, then you should have a look at nginx.
For load balancing, haproxy is the better choice.
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on April 30, 2019, 08:52:13 am
@hbc
thanks again for your feedback.
Today it is only one server with DNS/MAIL/WEB with 15 domains and subdomains.

Could you please teach me what a WAF is?

nginx would be installed on the opnSense?

Sorry to ask all these questions, I just wish to be sure, because once I start changing things my mail/web is not reachable until it works.

have a nice day
vinc
Title: Re: setup for DNS/WEB Server in DMZ
Post by: hbc on April 30, 2019, 09:41:17 am
@hbc
thanks again for your feedback.
Today it is only one server with DNS/MAIL/WEB with 15 domains and subdomains.

Could you please teach me what a WAF is?

nginx would be installed on the opnSense?

WAF = Web Application Firewall. It allows filtering inside the HTTP stream and, if you terminate SSL on it, even HTTPS.
You have to download and enable the NAXSI signatures. Nginx will be installed as a reverse proxy on opnsense.
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on April 30, 2019, 01:08:55 pm
@hbc, thanks for your feedback.
I think I will give opnSense another try tonight.

have a nice day
vinc
Title: Re: setup for DNS/WEB Server in DMZ
Post by: ruggerio on April 30, 2019, 04:16:04 pm
What ports do you plan to provide? Above, a lot are mentioned which have no need to be presented to the internet.

If you also serve web and mail services, I propose installing fail2ban on the host which runs those services.

And as almost all mail clients support IMAP4 as of today, I would recommend no longer using the POP3 and POP3S protocols.

If you really want to serve ISPConfig to your "customers" (assumption, you're talking of 15 domains), I would definitely use a reverse proxy such as haproxy or nginx. Both of them are well documented on the opnsense page.

Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 01, 2019, 07:13:50 am
Hello
Last night I tried again; in the Fritzbox the WAN port was configured as Exposed Host.

i did some alias  :D
i did the Firewall Rule on the WAN Port  :)
i did get error and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule"

have a nice day
vinc
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 01, 2019, 07:20:18 am
@ruggerio
You may be right about the ports, but the problem at this time is that there is no connection.

And yes, I will give nginx a try as soon as I have the first step working.
I think you have been "talking about" https://wiki.opnsense.org/manual/reverse_proxy.html

have a nice day
vinc
Title: Re: setup for DNS/WEB Server in DMZ
Post by: hbc on May 01, 2019, 09:51:57 am
i did get error and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule"
Everything not explicitly allowed is blocked by default. That is the default deny rule.

So you missed allowing ports 53, 80, 443, etc. to your server.
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 01, 2019, 10:12:24 am
@hbc
Thanks for your feedback.
I did add these 3 ports to the alias ispconfig_public, with other ports too; shown on the screenshot.
(https://wombat3.kozo.ch/j/images/content/FW-03/fw-log-error3.PNG)

and added them to the firewall rules too, also with a screenshot
(https://wombat3.kozo.ch/j/images/content/FW-03/fw-log-error2.PNG)
Title: Re: setup for DNS/WEB Server in DMZ
Post by: ruggerio on May 01, 2019, 10:22:11 am
You need to port forward under Firewall -> NAT to the target server. On the incoming interface then (DMZ) you will also have to open the ports, I think.
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 01, 2019, 10:28:39 am
@ruggerio, I am confused :-\ In another post on this forum I did read it is not necessary to use NAT, it should be OK just with the rules?! :-\

Do I really have to config the same rule on the DMZ interface, are you sure??
Title: Re: setup for DNS/WEB Server in DMZ
Post by: ruggerio on May 01, 2019, 06:39:57 pm
It's been quite a difference for me with pf, as Linux with iptables handles those things a little differently...

Usually, the firewall rules have to be made per interface. Except for LAN, an interface has no rule at all, meaning that all traffic is blocked. This is why specifically the LAN interface has an outgoing allow any/any rule, so all outgoing traffic is allowed.

I have nearly the same setup as you want to have; I had to make all the rules on the DMZ interface, as there was no rule at all, meaning no traffic at all is allowed.

Your rule on the WAN port only allows stepping into the WAN port of the firewall. If you have to redirect to the DMZ interface, you will also have to open the incoming ports there and enable port forwarding (it might be that port forwarding also opens the ports on the destination interface, but I am not sure at all).

Your target is on DMZ, not on WAN, so you will have to redirect the ports to the target server on the DMZ interface.

The rules are executed on a per-interface basis from top to bottom, and the first match stops further examination of the packet. Also, it's important to know that it seems to be that forwarding is done before rule checking, so (abstract example):

Request for port 25 on WAN: allowed on WAN interface
If forwarding to DMZ: all traffic on port 25 will be redirected, but no target server specified
If forwarding to specified target on port 25 on DMZ interface: all traffic from WAN to the specified target on port 25 will be made, but
Request for port 25 on DMZ: if not allowed, it will be blocked, or
Request for port 25 on DMZ: if allowed, it can pass, or
Request for port 25 for your target on DMZ: if allowed, it can pass to your target; everything else in DMZ except your target will be denied.

Try it; if I am wrong, let me know; if it resolves your problem, much better. There is just one exception, which I do not use, "fliessende Regeln" (floating rules)...*sigh*
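The ordering discussed in the two replies above (hbc's "default deny rule", and ruggerio's observation that forwarding happens before rule checking) written out as a hand-written pf ruleset for the thread's topology. This is an added example, not the poster's configuration and not what the OPNsense GUI generates verbatim; it assumes igb0 = WAN, igb1 = DMZ, igb2 = LAN and the server 10.147.42.68 from the first post, and it assumes pf's default floating state policy, under which the state created by the WAN pass rule also carries the packet out on the DMZ interface and the reply back.

```pf
# Added example (hand-written pf.conf, not OPNsense's generated rules).
wan_if  = "igb0"
dmz_if  = "igb1"
lan_if  = "igb2"
lan_net = "10.18.14.0/24"
dmz_srv = "10.147.42.68"

# Only services that must be reachable from the Internet. SSH, MySQL and the
# ISPConfig panel (22, 3306, 8080, 8081) are deliberately absent: reach those
# from the LAN, not from the WAN side.
public_tcp = "{ 25, 80, 443, 465, 587, 993 }"

# Default deny: anything not explicitly passed below is dropped and logged.
block log all

# Outbound NAT so the DMZ server itself can reach the Internet
# (package updates, outgoing mail, recursive DNS).
nat on $wan_if inet from $dmz_if:network to any -> ($wan_if)

# Port forwards (Firewall: NAT: Port Forward). rdr rewrites the destination
# from the WAN address to the DMZ server BEFORE any filter rule is evaluated.
rdr on $wan_if inet proto { tcp udp } from any to ($wan_if) port 53 -> $dmz_srv
rdr on $wan_if inet proto tcp from any to ($wan_if) port $public_tcp -> $dmz_srv

# Filter rules on WAN therefore match the translated destination ($dmz_srv),
# not the WAN address. First match wins because of "quick".
pass in quick on $wan_if inet proto { tcp udp } from any to $dmz_srv port 53 keep state
pass in quick on $wan_if inet proto tcp from any to $dmz_srv port $public_tcp keep state

# DMZ side: the server may talk to the Internet but never initiate into the LAN.
block in log quick on $dmz_if inet from $dmz_if:network to $lan_net
pass in quick on $dmz_if inet from $dmz_srv to any keep state

# LAN keeps the usual allow-all; admin access to the DMZ server happens here.
pass in quick on $lan_if inet from $lan_net to any keep state
```

The OPNsense GUI equivalent is a port-forward entry on WAN with its associated filter rule pointing at the DMZ server's address, plus a separate rule set on the DMZ interface for what the server may initiate.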
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 06, 2019, 09:41:51 am
Hello
I do feel stupid, but I can't find out how the config has to be to have a traffic flow
wan --> DMZ --> DNS Server and back
wan --> DMZ --> Web Server and back

where the DNS and web server are the same IP. Is there no tutorial?
Title: Re: setup for DNS/WEB Server in DMZ
Post by: vikozo on May 06, 2019, 09:55:56 am
I have that, at least as a NAT rule; inbound or outbound?
(https://wombat3.kozo.ch/j/images/0device/fw-03/designWAN-DMZ/03_Firewall-Rules-WAN.png)