[SOLVED] Valid setup for several virtual machines with a web server in a DMZ

Started by Tecuma, April 17, 2022, 05:39:04 PM

Hello community,

I am using OPNsense 21.7.7 on a pcengines apu2d4.

I have an ESXi Server in the DMZ with several virtual machines. On these virtual machines I run Apache web servers.
Each virtual machine has a private IPv4 and a public IPv6 address.

I have the following configuration to access these web servers.
- All virtual machines are in an alias WEB
NAT - WAN:
- I have one Port forward for http / tcp / IPv6 / port 80 / Redirect target IP: WEB
- I have one Port forward for https / tcp / IPv6 / port 443 / Redirect target IP: WEB
RULES - WAN:
- I have one rule for http / tcp / IPv6 / port 80 / Destination: WEB
- I have one rule for https / tcp / IPv6 / port 443 / Destination: WEB

I started with one web server and everything is fine.
When the 2nd web server comes in I observe some strange things when using certbot to get an SSL certificate. From the outside it seems that sometimes the 1st web server is answering.

On the DNS for my domain (at my domain provider) I have a default entry which has the 1st virtual machine as target.

Is this the correct setup for this usage?
If this is not the correct setup how can I configure my firewall to have several web servers on different systems with different IPs?

Best regards

--Christian

Hello Christian
> I have an ESXi Server in the DMZ...
First of all, I hope this is just a descriptive error. The Dom0 server should never be in the DMZ, just the VMs it hosts.
The Hypervisor itself should be located in a management network only.

> All virtual machines are in an alias WEB
> ...
> Redirect target IP: WEB
As the description text states, the redirect target should be an IP. You can use an alias here, but this should map to a single IP, not a list of hosts.
You can redirect only to one target IP.
Hope this helps.

@zerwes

Thank you for your reply.

I have no port left on the firewall to have a separate management network. I will consider this when I buy my next firewall system with more lan ports.

If the port forwarding is only to one IP what other possibility do I have so I can use several systems with the same port?

> I have no port left on the firewall to have a separate management network.
You can use VLAN tagging if you have just one physical port. You mostly will have more networks than physical ports, so this should be something you dive into ...
> If the port forwarding is only to one IP what other possibility do I have so I can use several systems with the same port?
If you have multiple WAN IPs, you can use a mapping of WAN IP/port per internal server.
If you have just one, you can use different ports on the WAN IP (i.e. 443->srv1, 8443->srv2, etc.) or multiple domains with Apache vhost config, for example, and so on.

Thank you for the information.

I am using a public IPv4 LAN segment with no access from the outside in the DMZ for management tasks. I will check VLANs, but a new box with more ports makes more sense to me.

I have a /64 IPv6 segment with public ip addresses for the DMZ. On the WAN interface I have one public IPv4 address.

As I still want to use NAT and multiple VMs with similar services I guess I have to use a reverse proxy.

If you just want to use IPv6 in the VMs you can use one of your /64 IPv6 addresses per VM (directly assigned or via port forwarding).
For diverting access depending on the domain name / virtual host name you can use haproxy (you can have a single host or multiple per backend).
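As an added example (not part of this thread, and not OPNsense's or HAProxy's own configuration), this is what the "multiple domains" approach from the earlier reply and the haproxy suggestion above look like in one HAProxy configuration. The hostnames www1.example.com / www2.example.com and the backend addresses 192.0.2.11 / 192.0.2.12 are placeholders; the real VM names and DMZ addresses are not given in the thread. The firewall's port forwards for 80 and 443 then point at the single address of the HAProxy host, which is exactly the "one target IP" the reply above asks for, and each VM keeps terminating its own TLS so certbot keeps working per VM.

```haproxy
# Added example: HAProxy in front of two web VMs, routing by name.
# All hostnames and addresses below are placeholders.
global
    log /dev/log local0

defaults
    log     global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: route on the Host header. certbot's HTTP-01 challenge
# (/.well-known/acme-challenge/...) arrives with the matching Host,
# so it reaches the VM that requested the certificate, not the first one.
frontend http_in
    bind :::80 v4v6
    mode http
    option forwardfor
    acl host_srv1 req.hdr(host) -i www1.example.com
    acl host_srv2 req.hdr(host) -i www2.example.com
    use_backend srv1_http if host_srv1
    use_backend srv2_http if host_srv2
    # Deliberately no default_backend: a request for an unknown name
    # gets a 503 instead of silently landing on the first server.

# HTTPS: TLS is not terminated here; the SNI name in the ClientHello
# decides the backend, so each VM keeps its own certificate.
frontend https_in
    bind :::443 v4v6
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend srv1_tls if { req.ssl_sni -i www1.example.com }
    use_backend srv2_tls if { req.ssl_sni -i www2.example.com }

backend srv1_http
    mode http
    server vm1 192.0.2.11:80 check

backend srv2_http
    mode http
    server vm2 192.0.2.12:80 check

backend srv1_tls
    mode tcp
    server vm1 192.0.2.11:443 check

backend srv2_tls
    mode tcp
    server vm2 192.0.2.12:443 check
```

With this in place, the DNS records for both names can point at the same public address (the HAProxy host, or the firewall forwarding to it); what separates the two VMs is the name the client asks for, not the address. Two caveats a practitioner would check: a TLS client that sends no SNI matches neither tcp-mode rule and is dropped, and because the HTTPS path is passthrough, HAProxy cannot log URLs or add headers on 443; if that is needed, terminate TLS on HAProxy instead and move the certificates there.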