OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: ruggerio on March 20, 2018, 07:32:15 am

Title: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: ruggerio on March 20, 2018, 07:32:15 am
Hi,

I have one single server on the DMZ interface. I want to get some ports (e.g. 80, 443) forwarded to it.

So, I created a NAT port forwarding rule:

Interface: WAN
Target: WAN address
Target ports: 80, 443
Redirect target IP: [IP of my web server]
Redirect target ports: 80, 443

This created an automated rule on WAN:

Source: any
Source port: any
Target: [IP of my web server]
Target ports: 80, 443


As this "server" is in the DMZ, I created a rule on the DMZ network to allow access to my web server.

Question: is the rule on the DMZ interface really needed? On the WAN interface, traffic to my web server's ports is already allowed.

In iptables (yes, I know...) I would also have to set an allow rule for that interface.


Thx,
Roger
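The port forward described in the post above, written out as a plain pf.conf rule set so the order of operations (destination NAT first, then the inbound filter rule on WAN, then the state that carries the flow out through the DMZ interface) is visible. This is an added illustration, not the rule set OPNsense 18.1 actually generates and not the poster's configuration; the interface names em0/em2, the address 192.0.2.10 and the "updates" pass rule are assumptions.

```pf
# Added pf.conf illustration of the OPNsense port forward in the post above.
# Not OPNsense's generated ruleset; interface names and addresses are assumed.
wan      = "em0"                  # assumed WAN interface
dmz      = "em2"                  # assumed DMZ interface
web_srv  = "192.0.2.10"           # assumed DMZ web server (RFC 5737 documentation range)
web_ports = "{ 80, 443 }"

# pf's default state policy: a state created when a packet enters on one
# interface also matches that flow on every other interface, so the
# forwarded connection is evaluated against filter rules exactly once.
set state-policy floating

# Default-deny on every interface; OPNsense behaves the same way.
block in log all

# Step 1 (the "NAT: Port Forward" entry): rewrite the destination
# WAN address -> web server. Translation happens before filtering.
rdr on $wan proto tcp from any to ($wan) port $web_ports -> $web_srv

# Step 2 (the rule OPNsense auto-created on WAN): filter rules see the
# post-NAT destination, which is why the generated rule carries the
# server's DMZ address as its target, not the WAN address.
pass in on $wan proto tcp from any to $web_srv port $web_ports \
    flags S/SA keep state

# The forwarded flow leaves through $dmz by matching the state created
# above; it never consults "pass in on $dmz" rules. An inbound DMZ rule
# is only evaluated for connections the server itself initiates, e.g.
# the assumed rule below that lets it fetch updates and nothing else.
pass in on $dmz proto tcp from $web_srv to any port { 80, 443 } keep state
```

Check the result with `pfctl -sr` for the loaded filter rules, `pfctl -sn` for the rdr rule and `pfctl -ss` while a client is connected: the state entry shows both the WAN-side and the DMZ-side addresses of the same flow.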
Title: Re: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: Ciprian on March 20, 2018, 12:33:58 pm
Quote
As this "server" is in the DMZ, I created a rule on the DMZ network to allow access to my web server.

Or you can use NAT reflection if you also need to access this web server from the LAN.

Quote
Question: is the rule on the DMZ interface really needed? On the WAN interface, traffic to my web server's ports is already allowed.

Only if you need HTTP(S) access to the server from the LAN too, and you don't use NAT reflection (see above).
Title: Re: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: Ciprian on March 20, 2018, 12:43:05 pm
It might help you if you imagine yourself as a policeman standing in the middle of an intersection:

Policeman - the router making routing decisions
Junction/intersection - the router equipment, as a whole
Roads - NICs (network interface cards)/the connections themselves
Cars - data packets

Make each rule following the "from where - getting in by which road - getting out by which road - to where" way of thinking, and most of the time you will have no problems setting up your router.
Title: Re: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: ruggerio on March 20, 2018, 12:59:25 pm
Hi Hitiucip,

Thanks for both explanations, now that's quite clear! The policeman in my case is the DMZ interface, which stops or allows the traffic to that "zone".

Roger
Title: Re: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: Ciprian on March 20, 2018, 03:24:22 pm
You are the policeman! ALWAYS!(!) :)

What you named "dmz-interface" is a road, one of the many you have leading into your intersection (meaning, the "router"). ;)
Title: Re: Firewall Rulesets: NAT / DMZ / Portforwarding
Post by: ruggerio on March 20, 2018, 04:10:04 pm
Thanks a lot :)