OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: nfguide on June 07, 2018, 06:18:45 am

Title: LAN to DMZ NAT
Post by: nfguide on June 07, 2018, 06:18:45 am
So, it is appearing that I am really mentally and technically challenged OR making this more difficult than necessary.  Likely a combo of both.  Spent lots of time Googling for answers, reviewing the documentation, and perusing the forums here.  And I am at a loss.

Here is what I would like to achieve.
1.)  Serve website(s) from DMZ host.
2.)  Use ssh and scp from LAN host to DMZ host(s)
3.)  All normal traffic from LAN to WAN is currently working

Setup - opnsense
WAN - dhcp
LAN - 192.168.100.67/24
DMZ - 192.168.20.2/24

Hosts
web1  - 192.168.20.110/24 GW 192.168.20.2 - vmware client on VMware workstation 10
web2 - 192.168.20.112/24 GW 192.168.20.2 - vmware client on VMware workstation 10

VMware workstation 10 running on Server 2008, NIC IP 192.168.20.70/24 GW 192.168.20.1


First off, what/how needs to be configured to get web served to WAN from web1 host in DMZ?

Second, what/how needs to be configured to allow/get ssh access from LAN host to web1 host in DMZ?

ANY and all assistance or pointers to documentation, please provide as I will be happy to read and follow up.

Thanks in advance,
Neil
Title: Re: LAN to DMZ NAT
Post by: nfguide on June 12, 2018, 12:32:13 am
Bump
Title: Re: LAN to DMZ NAT
Post by: marjohn56 on June 12, 2018, 10:32:25 am
Do you have multiple WAN IPs?


If not, how are you proposing to differentiate between the two webservers from the WAN side?
Title: Re: LAN to DMZ NAT
Post by: Ciprian on June 12, 2018, 11:03:38 am
Quote
First off, what/how needs to be configured to get web served to WAN from web1 host in DMZ?

Make a NAT rule on WAN interface for 80 and 443 to internal IP of web1 server, with the setting for "Add associated FW rule" ON.

Quote
Second, what/how needs to be configured to allow/get ssh access from LAN host to web1 host in DMZ?

Make a FW rule on LAN interface to allow port 22 traffic from LAN (or particular IP of the LAN host) to DMZ (or particular IP of the web1 host).

For the case you want both web1 and web2 servers accessible from WAN you would need ha-proxy, set to differentiate traffic for those two web servers based on URL/domain address (or you could use two different public IP addresses, if available). Of course, for the first case, based on URL/domain name, you would also need a public DNS record set for your WAN IP(s).

Good luck!
Cheers!
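As an added illustration of the policy Ciprian describes (not code from the thread or from OPNsense), the following Python model evaluates packets against exactly the rules named in the reply: a port forward on WAN for 80/443 to web1 with its associated firewall rule, and a LAN rule allowing TCP/22 to the DMZ. Addresses are those from the thread; the public WAN address is an assumed placeholder. The model assumes OPNsense's usual order (NAT rewrites the destination first, then filter rules see the translated address, first match wins, anything unmatched is blocked), and deliberately omits the stock "allow LAN to any" rule that OPNsense ships with, so it shows what the DMZ exposure looks like once only the two rules in the reply remain.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses from the thread; WAN_IP is an assumed TEST-NET placeholder, not the poster's.
WAN_IP = "203.0.113.10"
WEB1 = "192.168.20.110"
LAN_NET = ipaddress.ip_network("192.168.100.0/24")
DMZ_NET = ipaddress.ip_network("192.168.20.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    iface: str          # interface the packet arrives on: "wan", "lan" or "dmz"
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    iface: str
    action: str                         # "pass" (filter) or "rdr" (port forward)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Tuple[int, ...]
    rdr_to: Optional[str] = None        # translated destination for "rdr" rules

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and p.dport in self.dports)


# NAT stage: the port forward on WAN for 80/443 to web1 (from the reply).
NAT_RULES = [
    Rule("wan", "rdr", ANY, ipaddress.ip_network(WAN_IP + "/32"), (80, 443), rdr_to=WEB1),
]

# Filter stage, in evaluation order.
FILTER_RULES = [
    # The "associated firewall rule" OPNsense creates with the port forward; it matches the
    # already-translated destination, which is why it names web1, not the WAN address.
    Rule("wan", "pass", ANY, ipaddress.ip_network(WEB1 + "/32"), (80, 443)),
    # The LAN rule from the reply: TCP/22 from the LAN network to the DMZ network.
    Rule("lan", "pass", LAN_NET, DMZ_NET, (22,)),
]


def evaluate(p: Packet) -> str:
    """Return 'pass -> host:port' for an allowed packet (after any redirect), else 'block'."""
    for r in NAT_RULES:                 # 1. destination rewrite if a port forward matches
        if r.matches(p):
            p = Packet(p.iface, p.src, r.rdr_to, p.dport, p.proto)
            break
    for r in FILTER_RULES:              # 2. first matching pass rule wins
        if r.matches(p):
            return f"pass -> {p.dst}:{p.dport}"
    return "block"                      # 3. nothing matched: default deny


if __name__ == "__main__":
    # Constructed sample packets: a visitor on the Internet, the LAN host, and web1 itself.
    samples = [
        Packet("wan", "198.51.100.5", WAN_IP, 443),       # web traffic from the Internet
        Packet("wan", "198.51.100.5", WAN_IP, 22),        # ssh from the Internet
        Packet("lan", "192.168.100.67", WEB1, 22),        # ssh/scp from the LAN host
        Packet("lan", "192.168.100.67", WEB1, 80),        # LAN browsing web1 directly
        Packet("dmz", WEB1, "192.168.100.67", 22),        # DMZ host trying to reach LAN
    ]
    for s in samples:
        print(f"{s.iface:>3} {s.src:>15} -> {s.dst}:{s.dport}  {evaluate(s)}")
```

The last two sample packets are the ones worth noticing: with only the two rules from the reply, the LAN host can ssh to web1 but cannot browse it on port 80 (a separate LAN rule, or the stock allow-any rule, is needed for that), and a compromised web1 cannot open connections back into the LAN because no rule on the DMZ interface permits it.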