OPNsense Forum » English Forums » General Discussion
Topic: WAF for Online Website (Read 2505 times)
HamiltonWDS (Newbie, Posts: 10, Karma: 2)
WAF for Online Website, posted September 29, 2022, 12:40:47 am
I am attempting to see how to implement OPNsense as a WAF in which the target system is an external site and not internal. I have provided a simple diagram to help better explain it.
I have done searches and reviewed HAProxy and Nginx, but have not been able to crack the puzzle of using another public IP and not a private IP, especially when the public IPs are all different from one another. So it is a networking issue I am trying to solve.
So the problem is:
A user types in a domain name (URL), which then goes to the assigned public IP (ex: 11.11.11.11) from the DNS records. This IP is the WAF's WAN, from which it exits from another interface (ex: 22.22.22.22) to then go back to the Internet to the client's public IP. I assume that the WAF will need two public IPs to support this.
I do understand there are some weaknesses, such as an attacker discovering the client network's IP and bypassing the WAF.
So what are the settings or requirements to allow this to work properly?
For example, one WAN and an OPT (or LAN) interface configured with their own public IPs, but then is there a 1:1 NAT involved? Or use HAProxy/Nginx with the target IP being the public IP of the client?
Or is there material that helps to explain this that I have not yet found (and if so, where)?
lilsense (Hero Member, Posts: 600, Karma: 19)
Re: WAF for Online Website, Reply #1 on September 29, 2022, 03:07:44 pm
I am not quite sure I understand your question. The only difference between "public" and "private" is NAT, which you can disable on OPNsense. My confusion is over the word "client", which your drawing may be using in a misleading way.
HamiltonWDS (Newbie, Posts: 10, Karma: 2)
Re: WAF for Online Website, Reply #2 on September 30, 2022, 12:07:27 am
Thank you for the reply.
Yeah, NATing is the issue I am trying to solve; if it is disabled, would static routes be used instead?
Outside of that, I am trying to figure out how to pass the traffic from the 11.11.11.11 interface (in the diagram, from the user) so that it then goes out from the 22.22.22.22 interface on its way through the Internet to the 33.33.33.33 webserver, as the 33.33.33.33 address is outside the 22.22.22.22 subnet.
I used "client" to refer to a remote site that is not part of the internal or local network. When using the word "remote", the majority of searches lead to "remote access", hence I avoided using it. In this case, "client" can be replaced with "remote site".
If an IPsec tunnel were used, I think it would make things easier (and more secure), as it would then be a matter of port forwarding or static routing, since the IPsec tunnel would have its own private IP network. Unfortunately, I am not able to take that option.
lilsense (Hero Member, Posts: 600, Karma: 19)
Re: WAF for Online Website, Reply #3 on September 30, 2022, 12:51:51 pm
Presuming the user/client on 11.11.11.11 has that IP, just tell the OPNsense to send all traffic for that through 22.22.22.22.
HamiltonWDS (Newbie, Posts: 10, Karma: 2)
Re: WAF for Online Website, Reply #4 on October 01, 2022, 12:13:23 am
I have been able to send traffic, but only with one interface (not ideal for a few reasons).
- Port Forward on WAN (11.11.11.11) from Source: ANY to Destination: WAN Address (11.11.11.11), Port: HTTPS, Redirect: 33.33.33.33, Port: HTTPS
- NAT Outbound set to Hybrid (or Manual)
-- Rule set with Interface: WAN, Source: ANY, Destination: 33.33.33.33, mapped to WAN Address
To get it to the second WAN interface (22.22.22.22), though, it should work similarly to the above:
- Port Forward, same as above, but Redirect to the second WAN (22.22.22.22), Port: HTTPS
- NAT Outbound similar, but replace the first WAN with the second WAN in both places.
lilsense (Hero Member, Posts: 600, Karma: 19)
Re: WAF for Online Website, Reply #5 on October 01, 2022, 06:09:03 pm
I am sorry, but it makes no sense. I really am not understanding what you are trying to do.
What I clearly understand is that the 11.x subnet is inside, the 22.x subnet is the WAN interface, and the 33.x subnet, well, it's just like google.com. Removing/disabling NAT takes care of this issue, and enabling Zenarmor solves the WAF part.
If I am mistaken, please clearly explain what I am missing.
HamiltonWDS (Newbie, Posts: 10, Karma: 2)
Re: WAF for Online Website, Reply #6 on October 05, 2022, 02:19:09 am
Ah, perhaps like this:
- WAN1 (11.11.11.11) receives the packets and passes them on to WAN2
- WAN2 (22.22.22.22) then sends the packets to the website
- The website (33.33.33.33) processes them and returns the packets back to WAN2
- WAN2 receives the packets and passes them back to WAN1
- WAN1 sends the packets back to the user
I was able to get it working... well, with multiple devices in between, rather than a single firewall. Much like a port-forwarding daisy chain with NAT Outbound rules.
But for two interfaces on the same firewall, I haven't been able to try it yet.
It does look like it would be:
- WAN1 Port Forward to WAN2
(WAN2 will then send the packets to the website on its own, as it has its own gateway)
- NAT Outbound set to Manual, with rule:
-- Interface: WAN2, Source: Any, Source Port: Any, Destination: the website's IP, Dest Port: HTTP (as an example), Translation: Default, Trans Port: Default
--- Repeat for any other ports
At that point there should be no rules needed for the returning packets, as the NAT Outbound would be returning those packets to WAN1.
Does that make sense?
I am hoping to give that a try later in the week.
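The forwarding path that Reply #4 (single WAN) and Reply #6 (arrive on WAN1, leave on WAN2) describe in the OPNsense GUI, written out as the pf rules the GUI generates for them. This is an added example for the thread, not configuration posted by either participant or shipped by OPNsense. The 11.x/22.x/33.x addresses are the thread's placeholders; the interface names vtnet0/vtnet1 and the WAN2 next hop 22.22.22.1 are assumptions, and it is assumed that WAN1's gateway is the default route so replies to the user leave via WAN1 by ordinary routing. Two points worth knowing before trying the two-WAN variant: a port forward (pf `rdr`) rewrites the destination to 33.33.33.33 directly, so there is no intermediate "forward to WAN2" hop; what makes the flow leave via WAN2 is the Gateway field on the pass rule, which becomes pf `route-to`. And none of this inspects HTTP: NAT passes the bytes untouched, the site sees 22.22.22.22 as the client address, and anyone who learns 33.33.33.33 can connect to it directly, as the opening post already notes. Application-layer filtering needs the HAProxy or Nginx plugin terminating the connection and using 33.33.33.33 as a normal backend.

```pf
# Added example (not from the thread or from OPNsense): pf rules for the
# two-WAN design in Reply #6, with the single-WAN variant of Reply #4 noted.
# 11/22/33.x addresses are the thread's placeholders; interface names and
# the WAN2 next hop are assumptions.
wan1_if   = "vtnet0"        # assumption: interface holding 11.11.11.11
wan2_if   = "vtnet1"        # assumption: interface holding 22.22.22.22
wan1_ip   = "11.11.11.11"
wan2_ip   = "22.22.22.22"
wan2_gw   = "22.22.22.1"    # assumption: next hop on the WAN2 segment
site_ip   = "33.33.33.33"   # the remote site's public address
web_ports = "{ 80, 443 }"

# Port Forward (Reply #6, first bullet). pf rewrites the destination of
# packets arriving on WAN1 for 11.11.11.11 straight to the site; the port
# is kept because none is given after the arrow. Nothing is "handed to
# WAN2" here; egress is decided by the route-to on the pass rule below.
rdr on $wan1_if proto tcp from any to $wan1_ip port $web_ports -> $site_ip

# NAT Outbound (Reply #6, second bullet: Interface WAN2, Destination the
# site, Translation default). Packets leaving WAN2 for the site take the
# WAN2 address, so the site answers 22.22.22.22 and the reply matches the
# state pf created on the way out. For the single-WAN variant of Reply #4,
# this rule goes on $wan1_if with $wan1_ip instead.
nat on $wan2_if proto tcp from any to $site_ip port $web_ports -> $wan2_ip

# Filter rule on WAN1 for the already-redirected destination. The Gateway
# field in the OPNsense rule editor becomes route-to, which is what sends
# the flow out of WAN2 instead of the default route. Drop the route-to for
# the single-WAN variant. States are floating by default, so the same state
# also matches the packet when it leaves $wan2_if.
pass in quick on $wan1_if route-to ($wan2_if $wan2_gw) \
    proto tcp from any to $site_ip port $web_ports keep state

# Return path: the site's reply arrives on WAN2 addressed to 22.22.22.22,
# matches the state, has the nat and rdr reversed (source becomes
# 11.11.11.11, destination the user), and is routed to the user via the
# default route, assumed here to be WAN1's gateway. If WAN2's gateway were
# the default instead, a reply-to on a separate WAN1 rule would be needed.
```

To verify the path on the box itself, `pfctl -sn` lists the nat/rdr rules, `pfctl -sr` shows the pass rule with its route-to, and `pfctl -ss | grep 33.33.33.33` while a connection is open shows one state pair: the user's address to 11.11.11.11 on the inside, 22.22.22.22 to 33.33.33.33 on the outside. A state with 11.11.11.11 on the outside instead of 22.22.22.22 means the outbound NAT is on the wrong interface or the route-to did not apply.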
lilsense (Hero Member, Posts: 600, Karma: 19)
Re: WAF for Online Website, Reply #7 on October 05, 2022, 11:45:29 am
If your IPs 11.11.x and 22.22.x are Internet-routable, then do not use NAT.
DeeganBerry (Newbie, Posts: 1, Karma: 0)
Re: WAF for Online Website, Reply #8 on November 24, 2022, 10:32:25 pm
If you're still looking for a solution, I recommend asking specialists on Fiverr for some help. Actually, it makes more sense than trying to find the answer on the forums. To be honest, I can't understand what you want to achieve either. I'd be happy to help you if only I understood what you wanted. By the way, have you tried asking for help on Reddit? I know some guys there who could help you. We both work at apiip.net, developing an IP detection service. I have known those guys for ages. They are real pros, for sure. Let me know if I should ask them for help with your issue.
Last Edit: November 28, 2022, 01:59:27 am by DeeganBerry