Messages - an_ipmc

#1
I don't understand why you're using a bridge at all. So this is just guesswork.

Maybe the problem is here: [ public IP #1 ]-[ eth0 ] -> [bridge]-[public IP #2] -> [ opnsenseVM]

Your eth0 is the physical interface attached to the opnsense VMs.
There is no need to use any routed interface on your VM host since your opnsense firewall/VM is the network default gateway.

Maybe you're using the bridge interface for VM host management... but:

It would be best if you were controlling/filtering all of your traffic by using your Firewall -> This is a security best practice and also a global collaboration for the interwebz hygiene:)
Configure your firewall to filter it all, and use some VPN (Wireguard is your friend) for more secure/controlled management access.

In guesswork mode, I would exec the configuration this way:

1 - Configure a dedicated VM host interwebz interface as WAN on the opnsense VMs with RFC 1918 IPs ( 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 ) - Don't forget to go to the Opnsense GUI and deselect the box that blocks private networks, because you're using them for your setup with CARP to work

2 - Go to Opnsense GUI -> Interfaces -> Settings -> Virtual IPs and Configure a CARP Interface with your first Public IP.

3 - Go to Opnsense GUI -> Interfaces -> Settings -> Virtual IPs and Configure your second Public IP as an IP Alias of your WAN Interface and select your WAN interface CARP VHID

4 - Configure your LAN/Opt interfaces

5 - Run a tcpdump on your WAN/Lan interfaces to confirm traffic is flowing

6 - Setup a Wireguard VPN for VMHost Management

7 - Create your Aliases/PortForward/NAT/Firewall Rules to redirect services to the correct LAN Hosts/Targets
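The layout the steps above describe (a private RFC 1918 address on the WAN NIC, the first public IP as a CARP VIP, the second as an IP alias on the same VHID) can be checked from the firewall's own `ifconfig` output. The script below is an added example and not code from the thread or from OPNsense; it assumes the WAN interface is named `vtnet0`, that the CARP VHID is 1, and uses the TEST-NET addresses 203.0.113.10 and 203.0.113.11 as stand-ins for the two public IPs. The `ifconfig` text is a constructed sample in FreeBSD's output format; on a real node replace it with the output of `ifconfig vtnet0`.

```shell
#!/bin/sh
# Added example (not from the forum thread): sanity-check the CARP/WAN layout
# from the post against FreeBSD-style `ifconfig` output.
# Assumptions (not on the page): WAN NIC is vtnet0, VHID 1, and the public IPs
# are the placeholders 203.0.113.10 / 203.0.113.11.

# Constructed sample; on a real OPNsense node use: ifconfig vtnet0
SAMPLE_IFCONFIG='vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 52:54:00:12:34:56
    inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
    inet 203.0.113.10 netmask 0xffffffff broadcast 203.0.113.10 vhid 1
    inet 203.0.113.11 netmask 0xffffffff broadcast 203.0.113.11 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
    status: active'

# Print the CARP state (MASTER/BACKUP/INIT) for a VHID, or NONE if absent.
carp_state() {   # $1 = ifconfig text, $2 = vhid
    printf '%s\n' "$1" | awk -v vhid="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; found = 1 }
        END { if (!found) print "NONE" }'
}

# Return 0 if the address is configured on the NIC and tied to the VHID
# (true for both the CARP VIP and an IP alias that selected that VHID).
vip_on_vhid() {  # $1 = ifconfig text, $2 = address, $3 = vhid
    printf '%s\n' "$1" | awk -v ip="$2" -v vhid="$3" '
        $1 == "inet" && $2 == ip && $(NF-1) == "vhid" && $NF == vhid { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Return 0 if the address is RFC 1918 space (the post's choice for the real
# WAN NIC address, with CARP carrying the public IPs).
is_rfc1918() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# First inet address on the NIC that is not a CARP/alias address.
primary_inet() {  # $1 = ifconfig text
    printf '%s\n' "$1" | awk '$1 == "inet" && !/vhid/ { print $2; exit }'
}

# Combined check: private primary address, both public IPs on the VHID.
check_wan() {  # $1 = ifconfig text, $2 = vhid, $3 = vip1, $4 = vip2
    state=$(carp_state "$1" "$2")
    primary=$(primary_inet "$1")
    is_rfc1918 "$primary" || { echo "primary $primary is not RFC 1918"; return 1; }
    vip_on_vhid "$1" "$3" "$2" || { echo "$3 missing or not on vhid $2"; return 1; }
    vip_on_vhid "$1" "$4" "$2" || { echo "$4 missing or not on vhid $2"; return 1; }
    echo "vhid $2 is $state; VIPs $3 and $4 are present alongside $primary"
    return 0
}

check_wan "$SAMPLE_IFCONFIG" 1 203.0.113.10 203.0.113.11
```

Run it on both CARP members: exactly one should report MASTER for the VHID, and both must show the two public addresses on that VHID, otherwise the second public IP will not fail over with the first.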

#2
Hello.

From what I could understand from your question, with a single server and a non-manageable switch I would go this way:

1 - Public IP/ISP-Network Equip -> Dedicated NIC/Vswitch on your VMHost

2 - Opnsense/Firewall VMs
-> One virtual nic attached/connected to the dedicated NIC/Vswitch on your VMHost
( They would be your WAN interface on both VMhosts, for HA you can use RFC 1918 IPs and do a CARP with your public IP so you can get hardware high availability)
-> One or more virtual nic attached to your lan(s)/opt(s) that need internal routing/internet access

3 - For the DNS/PortForwardSsh/NAT/Whatever stuff with different ports/destination hosts, you are going to need to create aliases and NAT/firewall rules according to your requirements.
PF/Opnsense can do it all.
Take a look at: https://docs.opnsense.org/manual/nat.html
https://www.openbsd.org/faq/pf/nat.html

Make sure your firewall is the default gateway for the hosts/VMs the NAT rule is pointing traffic to, or it will not work.

Since you're exposing services/ports to the interwebz, some kind of IP banlist is recommended for some extra/added security:

https://docs.opnsense.org/manual/how-tos/edrop.html
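The default-gateway requirement in the post is the usual reason a port forward "does not work": the firewall translates the inbound packet and keeps NAT state for it, but if the target host's default route points elsewhere, the reply leaves through another path and never matches that state. The script below is an added example, not code from the thread or from OPNsense, that checks this from the target host's side using Linux `ip route` output; the firewall LAN address 192.168.10.1 and the route table are constructed assumptions, and on a real host the table comes from `ip route show`.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify that a LAN host's default
# route points at the firewall, which is required for port-forward/NAT replies
# to pass back through the firewall holding the NAT state.
# Assumption (not on the page): the firewall's LAN address is 192.168.10.1.
FIREWALL_LAN_IP=192.168.10.1

# Constructed sample of `ip route show` on a VM behind the firewall. Here the
# VM still routes through another gateway, so the check is expected to fail.
SAMPLE_ROUTES='default via 192.168.10.254 dev eth0 proto static
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20'

# Print the default gateway from `ip route` output (empty if there is none).
default_gateway() {  # $1 = route table text
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Return 0 if the default gateway is the firewall's LAN address.
gateway_is_firewall() {  # $1 = route table text, $2 = firewall LAN IP
    gw=$(default_gateway "$1")
    [ -n "$gw" ] && [ "$gw" = "$2" ]
}

if gateway_is_firewall "$SAMPLE_ROUTES" "$FIREWALL_LAN_IP"; then
    echo "default route goes through the firewall; NAT replies return via it"
else
    echo "default route is $(default_gateway "$SAMPLE_ROUTES"), not $FIREWALL_LAN_IP: port forwards to this host will fail"
fi
```

If the check fails on a host, fix the host's gateway (or its DHCP scope) rather than adding more NAT rules; no rule on the firewall can correct a reply path it never sees.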