setup for DNS/WEB Server in DMZ

Started by vikozo, April 27, 2019, 07:39:47 AM

Hello

This is the constellation I wish to have.
I host my own DNS/MAIL/WEB server with the ISPConfig tool on a virtual server.

At this time I just do an exposed host configuration on my Fritzbox to the server, and it works.

Now the OPNsense box should be in between, like on the graphic.


Fritzbox WAN IP 80.254.174.229 ISP
----------+-------------------
             |
             |
----------+-------------------
Fritzbox LAN IP 10.18.10.1
----------+-------------------
             |
             |
----------+-------------------
opnSense igb0 IP 10.18.10.2/24 (WAN)
opnSense igb1 IP 10.147.42.1/24 (DMZ)
opnSense igb2 IP 10.18.14.0/24 (LAN)
----------+-------------------
             |
             |
----------+-------------------
DNS/BIND/Web/mail Server
10.147.42.68
------------------------------

AVM: do I have to configure the OPNsense as exposed host? Then OPNsense has to go further.

How to set up rules to get the DNS requests from outside and then also present the homepage?

have a nice day
vinc

OPNsense 19.1.6-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
LibreSSL 2.8.3
apu2c4 / wle200nx / 240 Disk --> Firewall | FW-03
---
OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

Your exposed host on the Fritzbox just forwards everything to your OPNsense. Now you need port forwards on your OPNsense to your DMZ servers. Firewall:NAT:Port-Forward
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

@hbc - thanks for your feedback.

This all should fit to one IP address too.

20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS/Bind
80 - HTTP (Webserver)
110 - POP3 (Email)
143 - IMAP (Email)
443 - HTTPS (Secure webserver)
465 - SMTP over SSL
587 - Email Submission
993 - IMAPS (Secure IMAP)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081 - ISPConfig apps vhost

@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?

have a nice day
vinc

I have a similar setup to you; as long as you are not doing host headers (more than one 80/443 site per port) you can just do port forwarding. I need different subdomains going to different machines in the DMZ, so I will use nginx or haproxy - not sure which atm 😊

Quote from: vikozo on April 29, 2019, 11:25:44 PM
@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?
For a single server, port forwards and rules are enough. If you want a WAF, then you should have a look at nginx.
For load balancing, haproxy is the better choice.

@hbc
thanks again for your feedback.
Today it is only one server with DNS/MAIL/WEB with 15 domains and subdomains.

Could you please teach me what WAF is?

nginx would be installed on the OPNsense?

Sorry to ask all these questions, I just wish to be sure, because when I start to change, my mail/web is not reachable until it works.

have a nice day
vinc

Quote from: vikozo on April 30, 2019, 08:52:13 AM
@hbc
thanks again for your feedback.
Today it is only one server with DNS/MAIL/WEB with 15 domains and subdomains.

Could you please teach me what WAF is?

nginx would be installed on the OPNsense?

WAF = Web Application Firewall. It allows filtering inside the HTTP stream and, if you terminate SSL on it, even HTTPS.
You have to download and enable NAXSI signatures. Nginx will be installed as a reverse proxy on OPNsense.

@hbc, thanks for your feedback.
I think I will give another try to use OPNsense tonight.

have a nice day
vinc

What ports do you plan to provide? Above, a lot are mentioned which have no need to be presented to the internet.

If you also serve web and mail services, I propose to install fail2ban on the host which runs those services.

And as almost all mail clients support IMAP4 as of today, I would recommend no longer using the POP3 and POP3S protocols.

If you really want to serve ISPConfig to your "customers" (assumption, you're talking of 15 domains), I would definitely use a reverse proxy such as haproxy or nginx. Both of them are well documented on the OPNsense page.



May 01, 2019, 07:13:50 AM #10 Last Edit: May 01, 2019, 07:17:13 AM by vikozo
Hello
Last night I tried again; in the Fritzbox the WAN port was configured as exposed host.

I did some aliases  :D
I did the firewall rule on the WAN port  :)
I did get errors and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule".

have a nice day
vinc

May 01, 2019, 07:20:18 AM #11 Last Edit: May 01, 2019, 08:08:18 AM by vikozo
@ruggerio
You may be right about the ports, but the problem at this time is that there is no connection.

And yes, I will give nginx a try as soon as I have the first step working.
I think you have been "talking about" https://wiki.opnsense.org/manual/reverse_proxy.html

have a nice day
vinc

Quote from: vikozo on May 01, 2019, 07:13:50 AM
I did get errors and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule".
Everything not explicitly allowed is blocked by default. That is the default deny rule.

So you missed allowing ports 53, 80, 443, etc. to your server.

@hbc
Thanks for your feedback.
I did add these 3 ports to the alias ispconfig_public, with other ports too, shown on the printscreen.


And added them to the firewall rules also, with printscreen.

You need to port forward under Firewall -> NAT to the target server. On the incoming interface then (DMZ) you will also have to open the ports, I think.
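Putting the thread's advice together (hbc's port forward plus a matching pass rule on WAN, everything else hitting the default deny, and ruggerio's point of exposing only the ports that must be public), here is a hand-written pf.conf fragment as an added illustration. It is not OPNsense's generated ruleset and not code from any poster; it assumes the interface names and the DMZ server address from the diagram in the first post, and the public port list is a deliberately short assumption.

```pf
# Added illustration: what an OPNsense "Firewall: NAT: Port Forward" entry plus its
# associated WAN rule boils down to in pf terms. Interface names and the DMZ server
# address come from the diagram in the first post; the public port list is an assumption.
ext_if  = "igb0"             # WAN, behind the Fritzbox exposed host
dmz_if  = "igb1"             # DMZ
lan_net = "10.18.14.0/24"    # LAN
dmz_srv = "10.147.42.68"     # DNS/mail/web server

# Only services that must be reachable from the internet. 22, 3306, 8080 and 8081
# (SSH, MySQL, ISPConfig panel) are intentionally absent: they stay LAN-only.
public_tcp = "{ 25, 80, 443, 587, 993 }"

# Translation (port forward) happens before filtering, so the pass rules further
# down match the translated destination, i.e. the DMZ server, not the WAN address.
rdr on $ext_if inet proto tcp from any to ($ext_if) port $public_tcp -> $dmz_srv
rdr on $ext_if inet proto { tcp udp } from any to ($ext_if) port 53 -> $dmz_srv

# Default deny: anything not explicitly passed below is dropped and logged.
# This is the "default deny rule" the thread talks about.
block in log all
pass out all keep state

# The WAN rules OPNsense adds alongside a port forward. Without these, the
# forwarded packets still hit the block above and show up as "default deny".
pass in on $ext_if inet proto tcp from any to $dmz_srv port $public_tcp \
    flags S/SA keep state
pass in on $ext_if inet proto { tcp udp } from any to $dmz_srv port 53 keep state

# Let the DMZ host reply and reach out (DNS, mail delivery), but never into LAN.
# "quick" makes the block final even though a broader pass follows it.
block in log quick on $dmz_if from $dmz_srv to $lan_net
pass in on $dmz_if from $dmz_srv to any keep state
```

Because `rdr` rewrites the destination before the filter runs, a pass rule written against the WAN address instead of `$dmz_srv` would never match, which is the usual reason a forward "works" in NAT but still logs as blocked.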