OPNsense Forum

Archive => 15.1 Legacy Series => Topic started by: reep on May 14, 2015, 06:14:29 pm

Title: [SOLVED] DMZ setup
Post by: reep on May 14, 2015, 06:14:29 pm

I have been testing Opnsense to replace a couple of Draytek 3300 Wan routers. I do like the system after I got used to things :-)

One thing I cannot see an easy answer for is how to set up a simple DMZ for my server. In the Draytek it is very easy - NAT / DMZ host and add an IP address, but I can't see an 'easy' setting for it in Opnsense - I checked the Wiki and had a search around but couldn't see any answers.

The server itself is viewable both internally from the LAN and externally from the WAN. Maybe I should harden that up a bit and just do port forwarding for the required ports?

Anyone able to give me some advice please?

B. Rgds
Title: Re: DMZ setup
Post by: chol on May 15, 2015, 03:46:26 am
Hello John,
very good that you've put OPNsense onto your machine. It is a very good product and still evolving.

O.K. - I assume that your machine has 3 network interface cards (NICs) - right?

Have you tried Interfaces > (Assign) in the GUI?

After that the NIC should show up in the list of interfaces (OPT1).

Now you can configure it the way you like, give it a new private network range with DHCP server etc.

Hope that helps, if you have further questions, do not hesitate to ask.

Cheers, chol.

P.S.: Please keep in mind, that the more specific you are about your hard-/software situation, the more I am able to actually help/guide you!

Title: Re: DMZ setup
Post by: reep on May 15, 2015, 12:01:01 pm
Hi Chol,

thanks for replying.

Currently installed for testing on a Supermicro Atom (X7SPE-HF) box with 2 network ports, plus I am using an Edimax EU-4208 USB ethernet as a 3rd port (which amazingly it found), whilst I wait for a dual port NIC to arrive.

Assigned all the ports and all working as expected as far as I can see.

What I was trying to do was create a DMZ for one internal IP address from one WAN port.

This is very easy on hardware based routers like the Drayteks.

Yes I can see I could do port forwarding, but not an easy way to do a DMZ so guess there must be a different approach to this.

B. Rgds
Title: Re: DMZ setup
Post by: chol on May 15, 2015, 04:18:10 pm
Hello John,
I like your reasonable industrial mainboard; although the Intel Atom D525 is a bit older platform, it compares (and should be slightly more performant) with the OPNsense A10 Dual Core 1GHz desktop (https://www.applianceshop.eu/security-appliances/security-appliances-desktop-and-wallmountable/pfsense-based-desktop/opnsense-a10-dual-core-desktop.html). I compared it with my HP ProLiant dual core Gen8 (see http://www.cpubenchmark.net/compare.php?cmp[]=611&cmp[]=2075&cmp[]=2138).

Also I liked your hint that this info is what is needed on the documentation wiki handbook. And I will do the things outlined below in the next days, probably as early as Saturday night or Sunday. Thank you for the input :)

Now! Back to your problem!
Yes, I admit, the OPNsense GUI is impressive with all the menu items and sub-sub-menus - at first. It inherits this structure from its predecessor pfSense, though (do not blame them, it is just a huge list of features to configure).

Of course it is more difficult to sift through and to implement what one simply wants the shiny set-up OPNsense machine to do!

We are aware of this and are going to establish a free & open documentation, and our developers are working hard with an enormous dedication - step by step - to transition this knotted legacy issue to a more maintainable, structured, and more secure front- and back-end, according to a defined MVC model (you can look it up at [https://wiki.opnsense.org/index.php/Architecture]).

I am not completely sure, what you intend to do. However, the cue words DMZ and port forward give me a hint.
You might want one of the three things, that come to mind:

#1)  1:1 NAT => concerning external traffic to your OPNsense (LAN or DMZ)
#2)  Static route => concerning two different WANs ("internet" and "ext. firm-site via dedicated line" or "LAN of story 10 with all the storage,VoIP or whatever" )
#3)  Outbound NAT rule => expanded port-forward concept, concerning traffic from DMZ or LAN to the outside (deviating FTP [from DMZ] and SSH [from LAN] for example)

It is a little difficult to guide you completely theoretically here, I had to sift through the GUI a lot myself, but I hope one solution will eventually help you.

..1) 1:1 NAT
 You want a 1:1 NAT solution, if you want to route traffic from the outside (WAN, internet) to a single internal machine/network via a (virtual) network adapter (NIC).

In your browser based OPNsense web-GUI you go to
Firewall > Virtual IPs > ⊗ Add

.. to add a new virtual IP address.
*Type : Proxy ARP
*Interface: WAN
*IP Addresses : Single address or network
*Description: any fitting description
*Save & Apply

After this pre-config, go to ..
Firewall > Nat > 1:1  ⊗ Add rule

*Interface : WAN
*External subnet IP : type in the external subnet (like = businessXY not over internet) or public IP address
*Internal IP : Type : any
*Destination  : Type : single host or alias (or Network)
*Add description
*NAT reflection : disable
*Save & Apply

Conclusion: Now all TCP/IP traffic from a specified external source (IP, subnet) will be forwarded to the specified internal IP address or subnet - this is one of the many deployments of OPNsense's Virtual IP feature.

..2) Static route 
This is for a solution if you want to reach two WAN networks (or one WAN=internet and one LAN in the building across your firm's courtyard with the financial stuff, or via dedicated line in another city district) - hope you get the concept here :)

In this scenario we dedicate an entire NIC to be the portal to the specified network (WAN,LAN,DMZ whatever you call it) besides our standard WAN which would be connected to the internet in most scenarios.

Go to ..
System > Routing > ⊗ Add gateway
*Interface : select your appropriate interface NIC (WAN2, OPT1, DMZ, or whatever == has to be activated prior via Interfaces > (Assign) !!)
*Name : specify one single word w/o spaces or special fancy characters
*Gateway : type in the IP address of the gateway (in the proper sense of the term!) of that specified network (WAN,LAN,DMZ whatever you call it). It should be a valid network address within the network associated to your selected NIC (WAN,LAN,DMZ, Opt1 whatever you call it)
*Add description
*Save & Apply changes

Now, go to...
System > Routing > Routes > ⊗ Add
*Destination network : enter IP of destination network (like
*Gateway : choose the GW defined above
* Add description : like static route to...
*Save & Apply changes

..3) Outbound NAT rule 
You want the Outbound NAT rule as an expanded port-forward concept, concerning traffic from DMZ or LAN to the outside (deviating FTP [from DMZ] and SSH [from LAN] for example)

I am not sure if this is for you; it should help if you want to deviate special TCP/IP protocols to different NICs, direction of view: from your machine (also if reacting to outside requests) to outside destinations (WAN internet). In essence it combines the two solutions from above: 1:1 NAT rule with outbound NAT rule.

Go to ...
Firewall > Virtual IPs > Virtual IPs > ⊗ Add
.. to add a new virtual IP address.
*Type : Proxy ARP
*Interface: WAN
*IP Addresses : Single address or network
*Description: any fitting description
*Save & Apply

After this pre-config, go to ..
Firewall > Nat > Outbound
*Mode : Automatic outbound NAT rule generation
(IPsec passthrough included)
* Save
*Mappings: select the  ⊗ at the outmost right side next to Description
*Interface : choose the appropriate NIC
*Source : Type : any
*Destination : Address : the IP address of the server that will be queried
* Translation : Address : Interface address
* Translation :  Port : specify the port of your service
* Description : like outbound NAT to server xy and service port z
*Save & Apply

That's it, hope that helps. Let me know if you need any further help.
Cheers Chol.

Title: Re: DMZ setup
Post by: reep on May 17, 2015, 11:19:02 pm
Thanks Chol,

yes the box/board is not the latest and greatest but will probably work fine for me here as I don't have many users or much traffic. It's also low power and quiet :-)

In my main office I have a DL360G5 to play with..... noisy little beast and probably overkill for the job but will be perfectly adequate again.

I have a server that runs my mail, some simple web stuff plus local file storage. In the past I have set it on a DMZ for the external services, but in reality this is probably not the best thing to do for security.

I think the 1to1 mapping is probably what I am looking at as a direct replacement - all external inbound traffic forwarded to one IP address. However as I want the Opnsense box to run my VPNs I note that it says :

"If you add a 1:1 NAT entry for any of the interface IPs on this system, it will make this system inaccessible on that IP address. i.e. if you use your WAN IP address, any services on this system (IPsec, OpenVPN server, etc.) using the WAN IP address will no longer function. "

So in my case I may be better to use port forwarding for just the ports the server requires for external access.

I'll go have a play :-)

B. Rgds
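As an added illustration (not from this thread and not OPNsense's generated ruleset), here is a hand-written pf.conf fragment in the FreeBSD pf syntax that OPNsense 15.1 runs on, contrasting the 1:1 NAT "DMZ host" approach with forwarding only the ports the server exposes; the interface name, addresses and port list are assumptions.

```pf
# Added example, not from the thread or from OPNsense's generated rules.
# FreeBSD pf syntax (OPNsense 15.1 is FreeBSD 10.1 based). All names and
# addresses below are constructed for the illustration.
ext_if = "em0"            # WAN NIC (assumed)
wan_ip = "203.0.113.10"   # public WAN address (documentation range, constructed)
server = "192.168.1.20"   # internal mail/web server (constructed)

# Variant A: 1:1 NAT on the WAN IP, the "DMZ host" of a consumer router.
# Every inbound connection to $wan_ip is rewritten to $server, so services
# the firewall itself offers on that address (OpenVPN, IPsec, the GUI)
# become unreachable from outside. Left commented out on purpose.
# binat on $ext_if from $server to any -> $wan_ip

# Variant B: port forwarding for the server's services only. Nothing else
# addressed to $wan_ip is redirected, so the firewall's own VPN daemons
# on that address keep working.
rdr on $ext_if inet proto tcp from any to $wan_ip port { 25, 80, 443 } -> $server

# Filter rules see the already-translated destination; the default block
# drops everything not explicitly passed.
block in on $ext_if
pass in on $ext_if inet proto tcp from any to $server port { 25, 80, 443 } flags S/SA keep state
# OpenVPN on the firewall itself (udp/1194 assumed) stays reachable in Variant B.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state
```

In pf.conf the translation (`rdr`/`binat`) rules must precede the filter rules, and a filter rule matches on the destination after translation, which is why the `pass` rule names `$server` rather than `$wan_ip`.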
Title: Re: DMZ setup
Post by: chol on May 18, 2015, 11:39:57 am
If you like, please consider making some pictures of your hardware setup and giving some basic details, about how many users and such, and uploading them to our docu-wiki. I plan to have a hardware section showing users' hardware solutions and setups. :)
Title: Re: DMZ setup
Post by: balnaimi on October 01, 2015, 01:08:11 am

check this link

Configuring a DMZ