Topics - rickeyw

#1
Good morning Everyone,
I have an MS 2016 Server in my LAN, and two CentOS 7 web servers in the DMZ, both identically configured, each with a very simple test web page showing some identification. Both web pages are accessible from the LAN's server, and for testing purposes I have intentionally configured what is shown in the browser to be different: the one with IP 192.168.125.200 shows _2 at its end, and the one with 192.168.125.204 shows _1. Both web pages, accessed by their IP addresses, show what is expected.
I did the simplest possible configuration of HAProxy on my OPNsense firewall, and attached screenshots of it. When I access the DMZ interface of the firewall (192.168.125.254:8080) from the LAN, it shows the first web page; when I refresh, I expect to see the other one (I am using Round-Robin), but it doesn't. I tried configuring the "public service" in HAProxy with 127.0.0.1:8080, and then with 0.0.0.0:8080 too, and then it doesn't show anything in the browser at all.
To be sure all is done properly, I temporarily installed a third web server in the DMZ, installed and configured HAProxy on it (basically the same settings as on the OPNsense one), and there was no problem round-robining through the back-end web servers as expected.
Could you please help me resolve the issue with HAProxy on OPNsense? I feel that I am maybe doing something wrong with the "public service" setup.
Thanks, and Best,
rickey
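A small probe that checks the symptom described in the post from a shell rather than a browser: it requests the HAProxy frontend repeatedly, extracts the trailing marker (_1 / _2) each backend page shows, and tallies which backend answered. This is an added example, not code from the original post or from OPNsense/HAProxy; the URL, the marker format and the number of backends are assumptions taken from the post's description.

```python
"""Probe an HAProxy frontend N times and tally which backend answered."""
import re
import urllib.request
from collections import Counter
from typing import Callable

# Assumed from the post: the frontend is the DMZ interface on port 8080
# and each backend page ends with an identifying marker such as "_1" or "_2".
FRONTEND_URL = "http://192.168.125.254:8080/"
EXPECTED_BACKENDS = 2

def fetch_body(url: str, timeout: float = 3.0) -> str:
    """Fetch one page over a fresh TCP connection (no keep-alive, no browser cache)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def backend_marker(body: str) -> str:
    """Return the trailing '_<n>' marker of a page body, or '?' if none is found."""
    match = re.search(r"(_\d+)\s*$", body)
    return match.group(1) if match else "?"

def probe_distribution(url: str, n: int,
                       fetch: Callable[[str], str] = fetch_body) -> Counter:
    """Hit the frontend n times and count how often each backend marker appears."""
    counts: Counter = Counter()
    for _ in range(n):
        counts[backend_marker(fetch(url))] += 1
    return counts

def verdict(counts: Counter, expected_backends: int) -> str:
    """Summarise the tally: stuck on one backend, some backends never seen, or balanced."""
    if not counts:
        return "no responses"
    if len(counts) == 1:
        return "stuck on one backend"
    if len(counts) < expected_backends:
        return "fewer backends than expected"
    # Strict round-robin spreads requests as evenly as possible.
    if max(counts.values()) - min(counts.values()) > 1:
        return "uneven distribution"
    return "round-robin working"

if __name__ == "__main__":
    tally = probe_distribution(FRONTEND_URL, 10)
    for marker, hits in sorted(tally.items()):
        print(f"{marker}: {hits}")
    print(verdict(tally, EXPECTED_BACKENDS))
```

Each probe opens a new connection, so a "stuck on one backend" result points at the HAProxy server list or health checks rather than at the browser reusing a keep-alive connection or serving a cached copy. Note also that a listener bound to 127.0.0.1 only accepts connections from the firewall itself, so that variant can never be reached from the LAN.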
#2
Good morning Everyone,
I couldn't find a topic similar to the one I am starting, so I apologize if this is a repetition.
I am trying to join an MS Win 10 machine in my DMZ to an AD server (MS Server 2016) in my LAN.
I did some research, and the ports listed in the attachment are the ones that are supposed to be opened, but I think I am still missing something, because I am still not able to join the domain.
Can you please give a hand with this issue?
Best,
rickey
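A way to verify firewall rules for a domain join from the DMZ host itself, added here as an example (not code from the original post or from OPNsense): it attempts a TCP connection to each port a domain join needs on the domain controller and reports which ones are blocked. The port list is based on Microsoft's published requirements for domain membership, not on the post's attachment, which this page does not include; the domain controller name is a placeholder.

```python
"""Check TCP reachability of the ports a Windows domain join needs on a DC."""
import socket
from typing import Callable, Dict, Iterable, List

# Placeholder: replace with the real domain controller's name or LAN address.
DOMAIN_CONTROLLER = "dc.example.test"

# TCP ports a domain join / member workstation uses (Microsoft documentation).
# DNS, Kerberos, LDAP and kpasswd are also used over UDP; that is not tested here.
AD_JOIN_TCP_PORTS: Dict[int, str] = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (SYSVOL/NETLOGON)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global Catalog",
}
# After contacting the endpoint mapper on 135, RPC continues on a port from this
# dynamic range; forgetting a rule for it is a common reason joins fail.
DYNAMIC_RPC_RANGE = (49152, 65535)

def check_tcp_ports(host: str, ports: Iterable[int],
                    connect: Callable = socket.create_connection,
                    timeout: float = 2.0) -> Dict[int, str]:
    """Try a TCP connect to each port; return {port: 'open' | 'blocked: <reason>'}."""
    results: Dict[int, str] = {}
    for port in ports:
        try:
            sock = connect((host, port), timeout=timeout)
            sock.close()
            results[port] = "open"
        except OSError as exc:  # refused, timed out, or no route
            results[port] = f"blocked: {exc}"
    return results

def failed_ports(results: Dict[int, str]) -> List[int]:
    """Ports that did not accept a connection, in ascending order."""
    return sorted(p for p, status in results.items() if status != "open")

if __name__ == "__main__":
    outcome = check_tcp_ports(DOMAIN_CONTROLLER, AD_JOIN_TCP_PORTS)
    for port, status in sorted(outcome.items()):
        print(f"{port:>5} {AD_JOIN_TCP_PORTS[port]:<28} {status}")
    if failed_ports(outcome):
        print("Add or fix DMZ-to-LAN rules for:", failed_ports(outcome))
    print(f"Also allow TCP {DYNAMIC_RPC_RANGE[0]}-{DYNAMIC_RPC_RANGE[1]} for dynamic RPC.")
```

Run it from the Windows 10 host (or any DMZ host on the same subnet) so the probes traverse the same OPNsense rules the join would. A port reported as blocked either lacks a DMZ-to-LAN rule or is filtered on the server side; an open list with a join that still fails usually means the UDP rules or the dynamic RPC range are missing.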
#3
Hello Everyone,
I hope all is doing well!

Please see the attached image for a small infrastructure with two firewalls.
There is an "external" firewall, fw1, and an "internal" one, fw2.

On fw1, the e1 interface is configured as opt1, and e0 as wan. There is also a lan interface on fw1 (lan1), but for simplicity it is not shown on the diagram.
The wan1 IP address on fw1's e0 is not the real one, and just implies that it is connected to the public net.
A range of 192.0.2.0/30 is used between fw1 and fw2.
On fw1's e1 interface, icmp, dns (tcp and udp), http, and https rules are configured, and a static route to 192.168.1.0/24 through 192.0.2.2 is done too.

On fw2, the e0 interface is configured as wan, and e1 is configured as lan.
On fw2/e0 a static route to 1.1.1.0/24 through 192.168.1.1 is configured too.

From "Interfaces"-"Diagnostic"-"Ping" of fw2's wan (e0) I am able to ping google.com (the reply is OK from 8.8.8.8).
From "Interfaces"-"Diagnostic"-"Ping" of fw2's lan (e1) I am able to ping google.com and 8.8.8.8 (the reply is OK from 127.0.0.1).

From pc1, when I try to ping google.com or 8.8.8.8 there is no reply (very strange, because dig google.com from the same pc1 is working perfectly!). Could you give a hand with this, please? The OS is Pop!_OS, and ufw is stopped and disabled. No firewalld or iptables present, and I just asked the Pop!_OS community and they have confirmed that nothing else should block the ping by default. There are no proxies enabled on either firewall, or on pc1 ...
I have an additional question about the static route on fw2: will 0.0.0.0/0 as the destination network, instead of 1.1.1.0/24, work?

Thanks, and Regards,

rick
#4
Hello Everyone,
I hope all is OK with you, and you are healthy and safe!
In VirtualBox I created an OPNsense firewall with LAN and DMZ, both using Host-Only adapters (so as to be able to remote (SSH) from my Host PC into LAN and DMZ easily). My WAN has a Bridged adapter and accepts its IP address from my home network's DHCP. The VirtualBox DHCPs on LAN and DMZ are stopped, and DHCP is configured on the firewall so any dynamically configured client PC takes an IP address automatically. I also have a small web server with a simple test page in the DMZ. After adding PAT:8888, and rules for ICMP, :53, :80, and :443 on the firewall, I am able to access the web page on the DMZ's web server from my Host by http://WAN:8888, and to access and ping Internet web pages from the DMZ.
I needed to isolate my WAN more, so I changed the VirtualBox WAN interface from Bridged to a Host-Only adapter too, but for it I left the VirtualBox DHCP server active (it doesn't provide a Default Gateway or DNS). I changed all other firewall settings accordingly. I started an MS Win 10 virtual PC with the same Host-Only interface as the WAN, and I am still able to access the web page in the DMZ from it by http://WAN:8888 (with the new WAN address, of course). I am able to ping the WAN IP from the DMZ, but I am not able to ping the IP of the Win 10 PC from the DMZ (its firewall is stopped).
Could you give some hand with what might be the issue here, please?
Thanks, and Best,
rickey
#5
Hello Everyone!

I am doing a small home project with a second LAN protected by a second, internal firewall (#2).
The DMZ will be used for a "honeypot/net".
There will also be a "Management VLAN" working within the networks, and having no Internet.
The DNS resolution is indeed done by a couple of caching DNSes installed as bind at a cloud provider. All the local resolvers will forward DNS requests to the cloud ones. There are ACLs applied there so only designated IP addresses are allowed to query. This part is already finished, and works fine with the vpn, proxy, tor, pihole, etc.

1. The major question is how to configure the interfaces and the network between the two firewalls?
I read part of the book about OPNsense, and the author was using 192.0.2.0/24 (reserved for documentation) for the labs. Most similar configurations I have seen up to now indeed use DMZ ports and public IP addresses between the firewalls.
I am not really sure that I need to use the above range, or how to configure interface "e2" on "opnsense1": as "second wan" or "second lan"? The same applies to "GigabitEthernet0\0" on "opnsense2".
How to configure the Rules, Routing, and NAT afterwards on both firewalls so that the "internal" firewall has the Internet "passed through", and basically just that... (some DNS too)?
For inter-subnet communication that cannot be avoided I will use vpn.

2. Overall I am also not really sure how the concept of a "second LAN" works on OPNsense so that it acts like the "initially installed LAN": do I create it and then just copy the same pre-installed rules as in the original one? Is there a "shortcut" way to do it?

3. If so, and if I go a little bit further, how to configure an additional "management network" that is supposed to be "blind" to the Internet and "works" with all crucial devices on all networks (it will be the only interface to access the web interfaces of the firewalls too)? My guess is just to create "additional LAN" interfaces on the firewalls and remove all rules but the anti-lockout one.
The rest is easy: just create the same vlan on all switches, connect all needed devices through their designated "management ports", and it is done.

Please tell me what you think from an overall perspective, and how to resolve the particular questions if you think the "general plan" is basically OK :)

The Schema is attached.

Thank you very much for your kind help!

Best Regards,

Rick