Author Topic: setup for DNS/WEB Server in DMZ  (Read 14590 times)

vikozo

setup for DNS/WEB Server in DMZ
« on: April 27, 2019, 07:39:47 am »
Hello

This is the constellation I wish to have.
I host my own DNS/MAIL/WEB server with the ispconfig tool on a virtual server.

At this time I just do an exposed host configuration on my Fritzbox to the server, and it works.

Now the opnSense box should be in between, like in the graphic.


Fritzbox WAN IP 80.254.174.229 ISP
----------+-------------------
          |
          |
----------+-------------------
Fritzbox LAN IP 10.18.10.1
----------+-------------------
          |
          |
----------+-------------------
opnSense igb0 IP 10.18.10.2/24 (WAN)
opnSense igb1 IP 10.147.42.1/24 (DMZ)
opnSense igb2 IP 10.18.14.0/24 (LAN)
----------+-------------------
          |
          |
----------+-------------------
DNS/BIND/Web/mail Server
10.147.42.68
------------------------------

On the AVM I have to configure the opnSense as the exposed host, then opnSense has to pass it on further.

How do I set up rules to get the DNS requests from outside and then also present the homepage?

have a nice day
vinc

OPNsense 19.1.6-amd64
FreeBSD 11.2-RELEASE-p9-HBSD
LibreSSL 2.8.3
apu2c4 / wle200nx / 240 Disk --> Firewall | FW-03
---
OPNsense 22.1.6-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022

hbc

Re: setup for DNS/WEB Server in DMZ
« Reply #1 on: April 27, 2019, 09:38:28 am »
Your exposed host on the Fritzbox just forwards everything to your opnsense. Now you need port forwards on your opnsense to your DMZ servers: Firewall:NAT:Port-Forward
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #2 on: April 27, 2019, 09:18:49 pm »
@hbc - thanks for your feedback.

This all should fit to one IP address too.

20 - FTP Data
21 - FTP Command
22 - SSH
25 - Email
53 - DNS/Bind
80 - HTTP (Webserver)
110 - POP3 (Email)
143 - Imap (Email)
443 - HTTPS (Secure webserver)
465 - SMTP over SSL
587 - Email Submission
993 - IMAPS (Secure Imap)
995 - POP3S (Secure POP3)
3306 - MySQL Database server
8080 - ISPConfig web interface
8081 - ISPConfig apps vhost

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #3 on: April 29, 2019, 11:25:44 pm »
@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?

have a nice day
vinc

ursus

Re: setup for DNS/WEB Server in DMZ
« Reply #4 on: April 29, 2019, 11:41:05 pm »
I have a similar setup to you. As long as you are not doing host header (more than one 80/443 site per port), you can just do port forwarding. I need different subdomains going to different machines in the DMZ, so I will use nginx or haproxy - not sure which atm 😊

hbc

Re: setup for DNS/WEB Server in DMZ
« Reply #5 on: April 30, 2019, 07:16:05 am »
Quote from: vikozo on April 29, 2019, 11:25:44 pm
@hbc - thanks for your feedback.
Do I have to do a NAT forward, or would it be enough to have firewall rules on the WAN port?
Or would it be smart to use haproxy?

For a single server, port forwards and rules are enough. If you want a WAF, then you should have a look at nginx.
For load balancing, haproxy is the better choice.

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #6 on: April 30, 2019, 08:52:13 am »
@hbc
Thanks again for your feedback.
Today it is only one server with DNS/MAIL/WEB, with 15 domains and subdomains.

Could you please teach me what WAF is?

Would nginx be installed on the opnSense?

Sorry to ask all these questions, I just wish to be sure - because when I start to change things, my mail/web is not reachable until it works.

have a nice day
vinc

hbc

Re: setup for DNS/WEB Server in DMZ
« Reply #7 on: April 30, 2019, 09:41:17 am »
Quote from: vikozo on April 30, 2019, 08:52:13 am
@hbc
thanks again for your feedback.
today it is only one Server with DNS/MAIL/WEB with 15 Domains and subdomains.

Could you please teach me what is WAF?

nginx, would be installed on the opnSense?

WAF = Web Application Firewall. It allows filtering inside the HTTP stream and, if you terminate SSL on it, even HTTPS.
You have to download and enable NAXSI signatures. Nginx will be installed as a reverse proxy on opnsense.

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #8 on: April 30, 2019, 01:08:55 pm »
@hbc, thanks for your feedback.
I think I will give opnSense another try tonight.

have a nice day
vinc

ruggerio

Re: setup for DNS/WEB Server in DMZ
« Reply #9 on: April 30, 2019, 04:16:04 pm »
What ports do you plan to provide? Above, a lot are mentioned which have no need to be presented to the internet.

If you also serve web and mail services, I propose installing fail2ban on the host which runs those services.

And as almost all mail clients support IMAP4 as of today, I would recommend no longer using the pop3 and pop3s protocols.

If you really want to serve ISPConfig to your "customers" (assumption, you're talking of 15 domains), I would definitely use a reverse proxy such as haproxy or nginx. Both of them are well documented on the opnsense page.



vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #10 on: May 01, 2019, 07:13:50 am »
Hello
Last night I tried again; in the Fritzbox the WAN port was configured as exposed host.

I did some aliases  :D
I did the firewall rule on the WAN port  :)
I did get errors and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule".

have a nice day
vinc
« Last Edit: May 01, 2019, 07:17:13 am by vikozo »

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #11 on: May 01, 2019, 07:20:18 am »
@ruggerio
You may be right about the ports - but the problem at this time is that there is no connection.

And yes, I will give nginx a try as soon as I have the first step working.
I think you were "talking about" https://wiki.opnsense.org/manual/reverse_proxy.html

have a nice day
vinc
« Last Edit: May 01, 2019, 08:08:18 am by vikozo »

hbc

Re: setup for DNS/WEB Server in DMZ
« Reply #12 on: May 01, 2019, 09:51:57 am »
Quote from: vikozo on May 01, 2019, 07:13:50 am
I did get errors and blocking   :(

The error block, which I did go through, and I can't find this "default deny rule".

Everything not explicitly allowed is blocked by default. That is the default deny rule.

So you missed allowing ports 53, 80, 443, etc. to your server.

vikozo

Re: setup for DNS/WEB Server in DMZ
« Reply #13 on: May 01, 2019, 10:12:24 am »
@hbc
Thanks for your feedback.
I did add these 3 ports to the alias ispconfig_public, with other ports too, shown on the printscreen.


And I added it to the firewall rules, also with a printscreen.

ruggerio

Re: setup for DNS/WEB Server in DMZ
« Reply #14 on: May 01, 2019, 10:22:11 am »
You need to port forward under Firewall -> NAT to the target server. On the incoming interface (DMZ) you will then also have to open the ports, I think.
Logged
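
The processing order behind the answers above (port forward first, then the WAN filter rules, then the default deny rule), as an added example that is not part of any post: a small Python model of that order using the addresses from the thread. The service list and rule sets are assumptions for illustration, not vikozo's actual configuration.

```python
# Toy model of pf's order on the WAN interface: NAT port forward first,
# filter rules second, default deny last. Addresses come from the thread;
# the rule sets are assumed, not the poster's real configuration.
from dataclasses import dataclass

WAN_IP = "10.18.10.2"      # OPNsense igb0, the Fritzbox "exposed host"
DMZ_HOST = "10.147.42.68"  # DNS/web/mail server behind igb1

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int

def apply_port_forwards(pkt, forwards):
    """NAT step: rewrite the destination if a forward matches (proto, port)."""
    if pkt.dst == WAN_IP and (pkt.proto, pkt.dport) in forwards:
        return Packet(pkt.proto, forwards[(pkt.proto, pkt.dport)], pkt.dport)
    return pkt

def filter_wan(pkt, pass_rules):
    """Filter step: sees the packet AFTER translation; no match means block."""
    for proto, dst, dport in pass_rules:
        if (pkt.proto, pkt.dst, pkt.dport) == (proto, dst, dport):
            return "pass"
    return "block (default deny rule)"

def evaluate(pkt, forwards, pass_rules):
    return filter_wan(apply_port_forwards(pkt, forwards), pass_rules)

# Assumed minimal public service set: DNS, HTTP, HTTPS ("53,80,443" in the thread).
PUBLIC = [("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)]
FORWARDS = {svc: DMZ_HOST for svc in PUBLIC}
RULES_TO_SERVER = [(p, DMZ_HOST, port) for p, port in PUBLIC]
RULES_TO_WAN_ADDR = [(p, WAN_IP, port) for p, port in PUBLIC]

if __name__ == "__main__":
    https = Packet("tcp", WAN_IP, 443)
    cases = {
        "forward + rule to DMZ host": (FORWARDS, RULES_TO_SERVER),
        "rule only, no forward": ({}, RULES_TO_SERVER),
        "forward, rule to WAN address": (FORWARDS, RULES_TO_WAN_ADDR),
    }
    for name, (fwd, rules) in cases.items():
        print(f"{name:30} 443/tcp -> {evaluate(https, fwd, rules)}")
    mysql = Packet("tcp", WAN_IP, 3306)  # listed in the thread, never forwarded here
    print(f"{'3306/tcp, not forwarded':30}         -> "
          f"{evaluate(mysql, FORWARDS, RULES_TO_SERVER)}")
```

Only the first case passes: the filter rule has to name the translated destination (the DMZ server), and any port left out of the forward list, such as 3306, ends at the default deny rule.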
