OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Linx on July 04, 2018, 05:30:31 am

Title: Web Server Port Forwarding
Post by: Linx on July 04, 2018, 05:30:31 am
First post, please go easy on me.   ;D

I've found myself in a situation that I really don't like and really don't want to do, but for a long list of reasons that aren't worth getting into, I find myself (practically) forced to run a public web server from my home.  I've always considered this an extremely bad idea from a security standpoint - having personal computers and public servers on the same network, even if they are on different subnets.  It just bothers me.

Nevertheless, I really need to do this thing, and I need to make it as secure as possible.  I have a box with 2 NICs that I've been using as a firewall/router on pretty much the default OPNSense 18.1.11 configuration for some time now.  Everything on my home network is on a Class C subnet with 192.168.1.x addresses.  My master plan is to add a 3rd NIC and create a Class A 10.x subnet for my web server, but I'm not there yet.  Right now I just need to get the port forwarding figured out and get everything functional, and then I'll go buy the extra NIC and set up the subnet and try to secure it.  I need to figure out what I'm doing and get this thing working first.

So I have a box that I've set up with CentOS 7 to act as the server, and right now it's sitting at 192.168.1.199 on my network.  I've set up the server and opened the ports on it, and I can access the test Apache web page from within the LAN by going to http://192.168.1.199.  All good there, I know the server works. 

Then I followed this post https://forum.opnsense.org/index.php?topic=6155.0 (https://forum.opnsense.org/index.php?topic=6155.0) to the letter.  My domain is set to redirect to my public IP address, but it looks like the packets are getting dropped somehow.  It's not being rejected, just timing out.  I've looked at the logs, but I'm not seeing anything that jumps out at me. 

What's the best way to tell what's happening to those packets?

Also, if anyone has any bigger picture advice on how to do this, I'm open to advice.  ;D
Title: Re: Web Server Port Forwarding
Post by: marjohn56 on July 04, 2018, 07:42:15 am
Under System->Settings->Logging, tick the boxes to log packets from default block and default pass and apply.

Under Firewall->Rules, enable logging on the rules you have created.

Have a look at the Firewall->Log Files->Live View and try accessing the web server from the WAN and see what shows up.

P.S. You did do as instructed and change the admin web server port?

Title: Re: Web Server Port Forwarding
Post by: Linx on July 04, 2018, 12:42:15 pm
Thanks for the reply.

The logging boxes were already checked for default rules, so I didn't make any changes there.  Also, I haven't created anything under Firewall --> Rules, just the host and port aliases and the port forwarding under Firewall --> NAT as directed in the guide I followed.  Do I need something under Rules?  The server port is 8443.

When I look at the live logging, nothing really jumps out at me.  I was getting a "block ipv6 bogon" which I suspected might be because I was behind the firewall trying to connect out and back in, so I disabled "Block bogon networks" on the WAN interface.  Not sure why it would be on ipv6, either, since I'm using ipv4, but disabling that stopped it.  I also get the odd default deny hit, but nothing that looks like http traffic.  The WAN traffic I see being blocked is not coming in on 80 or 443.  It's odd ports like 3394.

I'm almost starting to think there may be an issue with the way the DNS is being redirected.  I've been hosting the domain on a paid server, so I set up a redirect to my public IP using cPanel Zone Editor and a class A address record.  That should work, right? 
Title: Re: Web Server Port Forwarding
Post by: Linx on July 04, 2018, 06:32:29 pm
Just in the interest of thoroughness, I reset the router to default settings and started over to make sure there were no wonky settings I wasn't aware of, and as I was working through the guide I do see where there is a box to "Add associated filter rule" at the end.  I think I did this before, but I'm not completely sure.  At any rate, it's done now, but nothing has changed. 

What information could I provide to help pin this down?
Title: Re: Web Server Port Forwarding
Post by: marjohn56 on July 04, 2018, 06:43:47 pm
The easiest way of checking whether it's a DNS issue is to try using the WAN IP address itself. So from your mobile phone ( not on your own WiFi! ) or another device outside of your network, try connecting and see what appears in the rules logging. Try both port 80 and 443. You should see something hitting the firewall, either allowed or rejected.
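The check marjohn56 describes (connect from outside on 80 and 443, then see whether the live log shows the packets being passed or blocked on the WAN) can be automated against the raw filter log. The following is an added example and not code from the thread or from the OPNsense project: it parses pf "filterlog" lines in the comma-separated layout FreeBSD's filterlog writes (rule, sub-rule, anchor, tracker, interface, reason, action, direction, ip-version, then per-version and per-protocol fields), which is an assumption about the format on this version, and the log lines, addresses, tracker ids and the interface name `em0` are constructed for the example. It separates three outcomes: nothing for 80/443 reached the WAN at all (a DNS/public-IP or testing-from-inside problem), the packets arrived but were blocked (no pass rule behind the NAT entry), or they were passed (the forward matches and the server side needs looking at).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of OPNsense/pf "filterlog" lines as they appear in the
# system log. The field layout assumed here (rule, sub-rule, anchor, tracker,
# interface, reason, action, direction, ip-version, then per-version and
# per-protocol fields) is the FreeBSD pf filterlog format; addresses, ports
# and tracker ids are made up for this example.
SAMPLE_LOG = """\
Jul  4 18:50:01 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,53,12345,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,51512,3394,0,S,1111111111,,65535,,mss
Jul  4 18:51:12 fw filterlog: 68,,,1527892345,em0,match,pass,in,4,0x0,,52,23456,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,51600,443,0,S,2222222222,,65535,,mss
Jul  4 18:51:30 fw filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,52,23457,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,51601,80,0,S,3333333333,,65535,,mss
Jul  4 18:52:00 fw filterlog: 9,,,1000000201,em0,match,block,in,6,0x00,0x00000,255,udp,17,100,fe80::1,ff02::1:2,546,547,100
Jul  4 18:52:05 fw dhclient[123]: not a filterlog line
"""


@dataclass
class FilterEvent:
    interface: str
    action: str        # "pass" or "block"
    direction: str     # "in" or "out"
    ip_version: int
    proto: str
    src: str
    dst: str
    src_port: Optional[int]
    dst_port: Optional[int]
    rule_id: str       # tracker id when present, else the rule number


def parse_filterlog(line: str) -> Optional[FilterEvent]:
    """Parse one syslog line; return None for lines that are not filterlog."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)$", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:
        return None
    rule, _sub, _anchor, tracker, iface, _reason, action, direction, ipver = f[:9]
    ipver = int(ipver)
    if ipver == 4:
        # IPv4 part: tos, ecn, ttl, id, offset, flags, proto-id, proto-name, length, src, dst
        if len(f) < 20:
            return None
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == 6:
        # IPv6 part: class, flowlabel, hlim, proto-name, proto-id, length, src, dst
        if len(f) < 17:
            return None
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    sport = dport = None
    if proto in ("tcp", "udp") and len(rest) >= 2:
        sport, dport = int(rest[0]), int(rest[1])
    return FilterEvent(iface, action, direction, ipver, proto, src, dst,
                       sport, dport, tracker or rule)


def web_verdict(lines: List[str], wan_iface: str,
                ports=(80, 443)) -> Dict[int, Set[str]]:
    """Map each forwarded port to the set of actions seen for inbound TCP on the WAN."""
    verdict: Dict[int, Set[str]] = {}
    for line in lines:
        ev = parse_filterlog(line)
        if ev is None:
            continue
        if (ev.interface == wan_iface and ev.direction == "in"
                and ev.proto == "tcp" and ev.dst_port in ports):
            verdict.setdefault(ev.dst_port, set()).add(ev.action)
    return verdict


def explain(verdict: Dict[int, Set[str]], ports=(80, 443)) -> List[str]:
    """Turn the verdict into the three diagnoses a port-forward test can give."""
    if not verdict:
        return ["no inbound web traffic reached the WAN interface: the test never "
                "arrived (wrong public IP or DNS, upstream filtering, or testing "
                "from inside the LAN)"]
    msgs = []
    for port in ports:
        actions = verdict.get(port)
        if actions is None:
            msgs.append(f"port {port}: no hits")
        elif "pass" in actions:
            msgs.append(f"port {port}: passed, so the NAT rule and its filter rule "
                        f"match; if the site still fails, look at the server")
        else:
            msgs.append(f"port {port}: blocked only, so the forward has no "
                        f"associated pass rule or does not match this traffic")
    return msgs


if __name__ == "__main__":
    for msg in explain(web_verdict(SAMPLE_LOG.splitlines(), "em0")):
        print(msg)
```

Run it against the real log (`clog /var/log/filter.log` on 18.1, piped in) with the actual WAN interface name; the IPv6 sample line is there to show that the "block ipv6 bogon" hits mentioned earlier in the thread parse correctly but are ignored by the web-port verdict.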
Title: Re: Web Server Port Forwarding
Post by: Linx on July 04, 2018, 07:35:58 pm
Gah, I should have thought of that.  Too much Fourth of July beer this week, I guess.  8)

Ok, so that works.  It seems that my problem is resolving and accessing the domain from within the LAN, and that sets up kind of a new issue.  Due to the way the license key for the site code works, I have to access the site through the domain name and not the IP address, so I can't just http over to 192.168.1.199 to admin the site.  I need to figure out how to resolve the domain name and make it look like I'm coming in from an outside network.  I tried an entry in /etc/hosts on my client Linux box, and that seems to be working well enough, but I really need to access the site from a variety of platforms including tablets and phones, so that could get unwieldy fast.  Is there a way I can set this up in OPNSense to avoid platform-specific changes?
Title: Re: Web Server Port Forwarding
Post by: marjohn56 on July 04, 2018, 08:39:00 pm
Easiest method is to use Services->Unbound->Overrides.

Here's an example from my own system for my mail server.

(https://preview.ibb.co/d149Uy/Capture.png) (https://ibb.co/iHRdNJ)

You need to make sure that your LAN clients are using the DNS of the firewall, and not calling WAN DNS servers directly, that should have been set up in your DHCP server setup.

Once you have done this, you should be fine.