OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: infinite.state on November 12, 2022, 11:32:13 am

Title: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: infinite.state on November 12, 2022, 11:32:13 am
Hi all,

My end goal is to protect a web server. OPNsense has been given two NICs, one in a WAN network, the other in the LAN network. The WAN allows the external internet connectivity, the LAN network contains the web server. Each network has its own gateways defined.

I'm struggling to configure OPNsense NAT port forwarding across this network configuration.

The pfSense debug doco (there doesn't appear to be similar for OPNsense) says the firewall needs to be the gateway for the receiving host in the LAN. Is that also true for OPNsense? I've not had to do that for other firewalls like Fortigate, and I'd rather not change the underlying network definition.

Logging in the firewall appears to show successful communication from external > WAN > LAN > web server, but the host never sees any traffic.

I can successfully curl the receiving host in the LAN from the firewall.

Any suggestions or further debug I should do?

Thanks.
Title: Re: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: bartjsmit on November 12, 2022, 03:18:52 pm
The return packets from your web server never hit OPNsense because they go back the "wrong" way.

You either have to double NAT (Internet -> Internal -> LAN) so that the inbound packets appear to come from a LAN IP or set up a reverse proxy so they do come from a LAN IP.

Bart...
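The asymmetric-routing failure Bart describes, as an added example that is not part of the original thread and not OPNsense's own code: a small model of the web server's routing table and a pf-style port forward, using constructed addresses for the two VPCs (all addresses, interface names and the SNAT toggle are assumptions).

```python
from ipaddress import ip_address, ip_network

# Constructed topology standing in for the thread's two-VPC layout (all addresses are assumptions):
#   VPC1/WAN 10.1.0.0/24: VPC gateway 10.1.0.1, OPNsense NIC1 10.1.0.10
#   VPC2/LAN 10.2.0.0/24: VPC gateway 10.2.0.1, OPNsense NIC2 10.2.0.10, web server 10.2.0.20
#   Internet client 203.0.113.5 (documentation range)
CLIENT, FW_WAN, FW_LAN, WEB, LAN_GW = "203.0.113.5", "10.1.0.10", "10.2.0.10", "10.2.0.20", "10.2.0.1"

# Web server routing table: on-link for the LAN, everything else via the VPC2 gateway (not OPNsense).
WEB_ROUTES = [(ip_network("10.2.0.0/24"), "on-link"), (ip_network("0.0.0.0/0"), LAN_GW)]


def next_hop(routes, dst):
    """Longest-prefix match: returns 'on-link' or the gateway IP the host will send to."""
    matches = [(net, via) for net, via in routes if ip_address(dst) in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward_through_firewall(src, dst, snat_on_lan):
    """Port forward (rdr) of a WAN packet to the web server.

    Returns the (src, dst) the web server sees and the pre-NAT tuple the
    firewall keeps in its state table to match the reply against.
    """
    state = (src, dst)                        # original tuple remembered by the stateful firewall
    new_src = FW_LAN if snat_on_lan else src  # optional outbound NAT on the LAN side
    return (new_src, WEB), state


def reply_reaches_firewall(snat_on_lan):
    """True if the server's reply comes back through OPNsense, so the state entry can be matched."""
    (seen_src, _), _state = forward_through_firewall(CLIENT, FW_WAN, snat_on_lan)
    reply_dst = seen_src                      # the server answers whoever it thinks asked
    hop = next_hop(WEB_ROUTES, reply_dst)
    # The reply transits the firewall only when it is delivered on-link to OPNsense's
    # LAN address; otherwise it leaves via the VPC2 gateway and the firewall never sees it.
    return hop == "on-link" and reply_dst == FW_LAN


if __name__ == "__main__":
    print("plain port forward: reply next hop", next_hop(WEB_ROUTES, CLIENT),
          "-> reaches firewall:", reply_reaches_firewall(False))
    print("port forward + LAN-side SNAT -> reaches firewall:", reply_reaches_firewall(True))
```

The first case matches the symptom in the thread: the forward path logs as passed, but the reply is routed to the VPC2 gateway instead of OPNsense, so the connection never completes.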
Title: Re: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: infinite.state on November 13, 2022, 12:35:35 pm
Thanks for the reply @bartjsmit.

Sounds like the double NAT is probably the best way to go.

Is there some OPNsense-specific documentation or video you can recommend for such?

This should be quite common in cloud environments where the firewall is spread across VPCs using multiple NICs.
Title: Re: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: bartjsmit on November 13, 2022, 01:28:37 pm
Actually double NAT is generally recognised as A Bad Thing (TM) since it breaks a whole raft of protocols. The most secure solution is to separate out the web service and run it on a DMZ so you can best control the traffic.

Have you looked at a Cloudflare tunnel? That will also give you free (at least for now) DDoS protection and a TLS certificate. This video is a good guide: https://www.youtube.com/watch?v=hrwoKO7LMzk

Bart...
Title: Re: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: Demusman on November 13, 2022, 01:53:55 pm
What exactly does "each have their own gateways" mean?
Of course they both have their own gateways, every network does. Are you saying you're using a different gateway just for that server?
The WAN gateway will be your ISP, the LAN gateway will be your router.
If you're setting a different gateway for the server, where is it?
Title: Re: How to NAT port fwd across WAN and LAN networks that have their own gateways?
Post by: infinite.state on November 18, 2022, 06:42:30 am
Thanks for the Cloudflare suggestion @bartjsmit. It's interesting, but I'm sure there should be a more straightforward solution before considering that path.

Hi @Demusman, I'm just confirming that I don't have an unusual network configuration. At least I hope so!

The OPNsense firewall is a virtual instance within a Google Cloud environment. So the ISP (WAN) is VPC1 with its gateway and NIC1 of the firewall. The "router" (LAN) is VPC2 containing the second gateway, NIC2 of the firewall, and the web server.

Is there a trick to configuring OPNsense in this scenario?
Title: Re: How to NAT port fwd in an OPNsense that spans two networks.
Post by: infinite.state on November 26, 2022, 11:49:57 am
Perhaps a diagram would help.

I've attached a basic picture of the environment I'm trying to service.

Note that the OPNsense VM box is spread across the two networks to represent the box running in network 1 but also having NIC2 in network 2.

Hope that triggers some more thoughts on how to configure OPNsense in this scenario.

Thanks.