OPNsense Forum » Archive » 19.1 Legacy Series » setup for DNS/WEB Server in DMZ
Topic: setup for DNS/WEB Server in DMZ (Read 14542 times)
vikozo
Full Member
Posts: 211
Karma: 5
Re: setup for DNS/WEB Server in DMZ « Reply #15 on: May 01, 2019, 10:28:39 am »
@ruggerio, I am confused.
In another post on this forum I read that it is not necessary to use NAT, that it should be OK just with the rules?!
Do I really have to configure the same rule on the DMZ interface, are you sure??
apu2c4 / wle200nx / 240 Disk
--> Firewall | FW-03
---
OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022
ruggerio
Sr. Member
Posts: 295
Karma: 11
Re: setup for DNS/WEB Server in DMZ « Reply #16 on: May 01, 2019, 06:39:57 pm »
It's been quite a difference for me with pf, as Linux with iptables handles those things a little differently...
Usually, the firewall rules have to be made per interface. Except for LAN, an interface has no rule at all, meaning that all traffic is blocked. This is why especially the LAN interface has an outgoing allow any/any rule, so all outgoing traffic is allowed.
I have nearly the same setup as you want; I had to make all the rules on the DMZ interface, as there was no rule at all, meaning no traffic at all is allowed.
Your rule on the WAN port only allows stepping into the WAN port of the firewall. If you have to redirect to the DMZ interface, you will also have to open the incoming ports there and enable port forwarding (it might be that port forwarding also opens the ports on the destination interface, but I am not sure at all).
Your target is on DMZ, not on WAN, so you will have to redirect the ports to the target server on the DMZ interface.
The rules are executed on a per-interface basis from top to bottom, and the first match stops further examination of the packet. Also, it's important to know that it seems forwarding is done before rule checking, so (abstract example):
Request for port 25 on WAN: allowed on the WAN interface
If forwarding to DMZ: all traffic on port 25 will be redirected, but no target server is specified
If forwarding to a specified target on port 25 on the DMZ interface: all traffic from WAN to the specified target on port 25 will be forwarded, but
Request for port 25 on DMZ: if not allowed, it will be blocked, or
Request for port 25 on DMZ: if allowed, it can pass, or
Request for port 25 for your target on DMZ: if allowed, it can pass to your target; everything else in DMZ except your target will be denied.
Try it; if I am wrong, let me know; if it resolves your problem, even better. There is just one exception, which I do not use, "floating rules" ("fliessende Regeln")...*sigh*
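The thread keeps circling around where the rules for a WAN-to-DMZ forward actually have to live. The pf rule set below is an added illustration written for this page; it is not OPNsense's generated rule set (OPNsense writes its own /tmp/rules.debug from the GUI) and not anything posted in the thread. It shows the three things the reply above describes: translation happens on the ingress interface before filtering, the WAN filter rule therefore has to match the translated (DMZ) destination, and rules on the DMZ interface only ever see traffic that enters the firewall from the DMZ side, i.e. what the server itself sends. Interface names (em0/em1/em2), the public address 192.0.2.10 and the DMZ host 10.10.10.10 are assumed placeholders.

```pf
# Added example: hand-written pf.conf equivalent of "WAN -> DMZ host" for
# DNS (53/tcp+udp) and HTTP (80/tcp). Not OPNsense's generated rules.
# Assumptions: em0 = WAN, em1 = LAN, em2 = DMZ, 192.0.2.10 = public WAN
# address, 10.10.10.10 = the DNS/web server in the DMZ (same host for both).
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
wan_ip  = "192.0.2.10"
dmz_net = "10.10.10.0/24"
srv     = "10.10.10.10"

set skip on lo0

# 1. Translation (rdr) runs on the interface the packet ARRIVES on, before
#    any filter rule is consulted. After this, the packet's destination is
#    the DMZ host, not the WAN address.
rdr on $wan_if proto { tcp udp } from any to $wan_ip port 53 -> $srv port 53
rdr on $wan_if proto tcp         from any to $wan_ip port 80 -> $srv port 80

# 2. Default deny on every interface; "quick" below makes the first match win.
block log all

# 3. The WAN pass rule must name the TRANSLATED destination ($srv). A pass
#    rule "to $wan_ip port 80" would never match a forwarded packet. This is
#    the "associated filter rule" that OPNsense's Port Forward creates for
#    you when Filter rule association is left at its default. The state
#    created here also covers the server's replies; no DMZ rule is needed
#    for the return path.
pass in quick on $wan_if proto { tcp udp } from any to $srv port 53 keep state
pass in quick on $wan_if proto tcp         from any to $srv port 80 keep state

# 4. DMZ interface rules match only traffic ENTERING the firewall from the
#    DMZ, i.e. connections the server initiates. Forwarded WAN packets never
#    hit them. Keep the server out of the LAN first (quick: first match
#    stops evaluation), then allow only what it needs upstream.
block in quick on $dmz_if from $dmz_net to $lan_if:network
pass  in quick on $dmz_if proto { tcp udp } from $srv to any port 53 keep state
pass  in quick on $dmz_if proto tcp from $srv to any port { 80 443 } keep state

# 5. LAN keeps the usual allow-all outgoing rule the reply above mentions.
pass in quick on $lan_if from $lan_if:network to any keep state
```

Two checks worth doing on a live box: `pfctl -sr` and `pfctl -sn` show the filter and translation rules OPNsense actually generated, so you can confirm the WAN pass rule carries the DMZ host as destination; and `pfctl -ss | grep 10.10.10.10` after a test request shows the state that carries the reply traffic back without any extra rule on the DMZ interface.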
vikozo
Full Member
Posts: 211
Karma: 5
Re: setup for DNS/WEB Server in DMZ « Reply #17 on: May 06, 2019, 09:41:51 am »
Hello
I do feel stupid, but I can't find out how the config has to be to have a traffic flow
WAN --> DMZ --> DNS server and back
WAN --> DMZ --> web server and back
where the DNS and web server are the same IP. Is there no tutorial?
vikozo
Full Member
Posts: 211
Karma: 5
Re: setup for DNS/WEB Server in DMZ « Reply #18 on: May 06, 2019, 09:55:56 am »
I have done that, at least as a NAT rule; inbound or outbound?