Topics - nashmeira

1. General Discussion / IPsec VPN Lan Isolation
« on: May 18, 2019, 12:05:07 am »
I'm really kind of new to IPsec VPN tunnels, as in I've only set up one. I have the tunnel set up and Phase 1 & 2 show all good and connected.

The question I now have is can I isolate all traffic going over this VPN to one Lan that I created just for it. I'll refer to it as the VPN-Lan. I have one VM computer on the VPN-Lan and I can on it. The VPN-Lan has its own network all by itself.

The remote subnet I'm using for Phase-2 is 10.0.0.8/8, and the local subnet is 192.168.41.0/24 (VPN-Lan)

I'm just not sure how or what the rules would need to be. I did notice that under Rules there is now an IPsec connection. So I don't know if I should edit it or edit the rules for the VPN-Lan.

Other notes: we do have an SSL VPN set up as well for remote users, and it seems to work fine.
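An added example to go with the question above (not code from the post or from OPNsense): a small first-match model of the rules on the IPsec interface, used to check that anything arriving through the tunnel can only reach the dedicated VPN-Lan subnet. Assumptions not in the post: the remote side is 10.0.0.0/8 (the post writes 10.0.0.8/8, which has host bits set; `strict=False` normalises it), the office LAN is 192.168.1.0/24, and rules are evaluated top-down with the first matching rule winning, which is how OPNsense rules behave by default.

```python
# Added example, not from the forum post or OPNsense.
# Simplified first-match rule evaluation for the IPsec interface, to verify
# that tunnel traffic is confined to the VPN-Lan.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Phase 2 selectors from the post; 10.0.0.8/8 is normalised to 10.0.0.0/8.
REMOTE_NET = ip_network("10.0.0.8/8", strict=False)
VPN_LAN = ip_network("192.168.41.0/24")
# Assumed office LAN that must stay unreachable from the tunnel (not in the post).
OFFICE_LAN = ip_network("192.168.1.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    note: str = ""


# Rules on the IPsec interface: allow remote -> VPN-Lan, then block everything else.
IPSEC_RULES = [
    Rule("pass", REMOTE_NET, VPN_LAN, "remote peers may reach the VPN-Lan only"),
    Rule("block", ANY, ANY, "explicit default deny on the IPsec interface"),
]


def evaluate(rules, src, dst):
    """Return (action, note) of the first rule matching src -> dst.

    With no match the result is 'block', mirroring the firewall's implicit deny.
    """
    s, d = ip_address(str(src)), ip_address(str(dst))
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action, rule.note
    return "block", "implicit default deny"


def isolation_holds(rules, remote_hosts, protected_nets):
    """True when no listed remote host can reach a sample address in any protected net."""
    for host in remote_hosts:
        for net in protected_nets:
            sample = net.network_address + 10     # an arbitrary host in that subnet
            if evaluate(rules, host, sample)[0] == "pass":
                return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: one remote host to the VPN-Lan and to the office LAN.
    for dst in ("192.168.41.5", "192.168.1.5"):
        print("10.1.2.3 ->", dst, evaluate(IPSEC_RULES, "10.1.2.3", dst))
    # Same rules in the wrong order: the block rule matches first and nothing passes.
    print("misordered:", evaluate(list(reversed(IPSEC_RULES)), "10.1.2.3", "192.168.41.5"))
    print("office LAN isolated:", isolation_holds(IPSEC_RULES, ["10.1.2.3"], [OFFICE_LAN]))
```

The ordering check at the end is the point of the exercise: with the deny rule above the pass rule, even the intended VPN-Lan traffic is dropped, so the order of the rules on the IPsec tab matters as much as their contents.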

2. General Discussion / NAT Reflection for Web Servers
« on: April 02, 2019, 11:31:15 pm »
I have a few web servers on a DMZ that I have set up with OPNsense. Everything works fine from outside the LAN-1; however, internally we are not able to access these servers. I am using Port Forwarding, not 1-to-1.

Looking around online it seems a simple enough task to turn on NAT reflection: FIREWALL > SETTINGS > ADVANCED > Network Address Translation enabling the following settings.

ENABLED - Reflection for port forwards
ENABLED - Reflection for 1:1  (Even though I’m not using 1:1)
ENABLED - Automatic outbound NAT for Reflection

Each of the sites has a static IP with ports 80 and 443 forwarded to the internal server's IP on the DMZ-1.

NAT Forward Rules look like this:

Source
  IF: WAN1
  PROTO: TCP
  ADDRESS: *
  PORTS: *

Destination
  ADDRESS: PUBLIC-WAN IP: 99.88.77.66
  PORTS: 80,443 (created as an alias)

NAT
  IP: INTERNAL SERVER IP: 192.168.10.10 (created as an alias)
  PORTS: 80,443 (created as an alias)

All other settings are default. NAT reflection uses System Default; Filter rule association uses Rule NAT: Site-1 (the info from the rule's description).

Even though I have NAT reflection enabled, nothing seems to help if I'm on the internal LAN-1 network. I tried enabling NAT reflection in the individual rule but still nothing. So, I'm kind of stumped. I can see everything from outside but nothing from inside.

One thing I have had happen is if I try to go to one of the sites using the URL (from LAN-1), the port 8443 is added to the end, which then loads the logon page for OPNsense. So, I am wondering if there is a firewall rule I need to edit?

My setup also uses two different internet sources, so there is a multi-gateway setup for failover. But this does not seem to affect the external to internal DMZ-1 traffic, nor can I reach the OPNsense interface from outside when testing.

I'm really liking OPNsense and I know it's just lack of knowledge that is the issue. I have tried referencing some pfSense articles but even still I've had no luck figuring this one out.
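An added diagnostic to go with the post above (example code, not from the post or from OPNsense) for the "works from outside, not from inside" symptom. From an internal client it resolves a site name, classifies which path the connection will take (direct to the DMZ host via a split-DNS host override, or back out to the WAN address where the port forward's reflection must handle it), and can optionally test whether TCP 80/443 actually completes a handshake. The public IP 99.88.77.66 and server 192.168.10.10 are the values from the post; the hostname and the office-side DNS answers are constructed for the example.

```python
# Added example, not from the forum post or OPNsense.
# Classify how an internal client will reach a published web server and
# optionally test TCP reachability of the resolved address.
import socket
from dataclasses import dataclass

# Values taken from the post's NAT rule.
PUBLIC_IP = "99.88.77.66"
INTERNAL_IP = "192.168.10.10"
PORTS = (80, 443)


@dataclass
class Verdict:
    path: str    # "split-dns", "reflection" or "wrong-record"
    hint: str


def classify(resolved_ip, public_ip=PUBLIC_IP, internal_ip=INTERNAL_IP):
    """Decide which path an internal client takes, based on the DNS answer it got."""
    if resolved_ip == internal_ip:
        return Verdict(
            "split-dns",
            "client connects straight to the DMZ host; NAT reflection is not involved",
        )
    if resolved_ip == public_ip:
        return Verdict(
            "reflection",
            "client sends to the WAN address from inside; the port forward must be "
            "reflected, otherwise the request reaches the firewall itself (the OPNsense "
            "login page on 8443 is the sign of that); a DNS host override avoids this",
        )
    return Verdict(
        "wrong-record",
        f"name resolves to {resolved_ip}, which is neither the WAN nor the DMZ address",
    )


def tcp_check(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(hostname, resolver=socket.gethostbyname, do_connect=False):
    """Resolve hostname (injectable resolver for offline use), classify, optionally probe."""
    resolved = resolver(hostname)
    verdict = classify(resolved)
    report = {
        "hostname": hostname,
        "resolved": resolved,
        "path": verdict.path,
        "hint": verdict.hint,
    }
    if do_connect:
        report["ports"] = {port: tcp_check(resolved, port) for port in PORTS}
    return report


if __name__ == "__main__":
    import sys

    # Constructed hostname; pass a real one on the command line when run on LAN-1.
    name = sys.argv[1] if len(sys.argv) > 1 else "site1.example.invalid"
    print(diagnose(name, do_connect="--connect" in sys.argv))
```

Run it on a LAN-1 client with `--connect` and a real site name: a "reflection" verdict with ports 80/443 failing means the reflected forward is not taking effect for that interface, while a "split-dns" verdict removes reflection from the picture entirely.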

3. General Discussion / LAN x DMZ design with one firewall or two?
« on: March 15, 2019, 06:27:28 pm »
Hello o/ first post here. I'm looking for some insight on a network design. Let me first say that I am not a network, hardware, or system engineer or any of that, so please forgive any ill use of terminology. While this is not my forte, I do have the internet and I can read, so we work with what we have.

There is, however, a lot of conjecture on the internet. Since I have recently been somewhat thrown into a position that requires me to assume the role of a network administrator and engineer, what I am looking for is some input on how the network we have is set up and whether there is a better way to deal with it than what I am currently planning.

As of right now we have 2 separate networks, with 2 different firewalls: one for the DMZ and one for the office LAN. The DMZ plays host to about 6 different servers, some web servers, some other, all hosted in VMware ESX across 3 different hosts, networked to the DMZ switch (the LAN switch is separate) and then through the firewall. All the servers on the DMZ are port forwarded through the firewall by way of their external static IP.

The part that is worrisome to me, and why I am attempting to change and rock the boat, is they're all on the same DMZ LAN. I.e.: Server1 = 192.168.20.11, Server2 = 192.168.20.12, Server2 = 192.168.20.13, etc. All are on the same VLAN and can see each other, ping, etc. Nothing is stopping them from communicating amongst themselves; they are not, but they could.

So as of now here is a rough idea of how things go:
wtf1.shft.com(Static Public IP: 123.1.1.1) > [FIREWALL:Port forward 443] > Server1_192.168.20.11
wtf2.shft.com(Static Public IP: 123.1.1.2) > [FIREWALL:Port forward 443] > Server1_192.168.20.12
wtf3.shft.com(Static Public IP: 123.1.1.3) > [FIREWALL:Port forward 443] > Server1_192.168.20.13

I guess the real question I have is would I be better off having two networks each with their own firewall, or two networks with one firewall? I tried to draw up a simple version of what's in my head and what I planned on implementing, to try and get the servers on their own and not all on the same VLAN and subnet.

While separate, I planned on using something like DMZ-1 = 192.168.10.XXX, DMZ-2 = 192.168.20.XXX. I know they're separate, but logically in my head it helps not to confuse them if they're different.

I would greatly appreciate any input or suggestions. If you have any questions for me, I'm sure some clarification will be needed, and I will answer to the best of my abilities.

Thanks in advance.  :D

https://pasteboard.co/I5yC2al.png
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved