
WAF for Online Website


HamiltonWDS:
I am attempting to see how to implement OPNsense as a WAF in which the target system is an external site and not internal. I have provided a simple diagram to help better explain it.
I have done searches and reviewed HAProxy and Nginx, but have not been able to crack the puzzle of using another Public IP and not a Private IP, especially when the Public IPs are all different from one another. So it is a networking issue I am trying to solve.

So the problem is:
A user types in a domain name (URL), which then goes to the assigned Public IP (ex: 11.11.11.11) from the DNS records. This IP is the WAF's WAN, from which it exits from another interface (ex: 22.22.22.22) to then go back to the Internet to the client's Public IP. I assume that the WAF will need two Public IPs to support this.

I do understand there are some weaknesses, such as an attacker will discover the client network's IP and bypass the WAF.

So what are the settings or requirements to allow this to work properly?
For example, one WAN and an OPT (or LAN) configured with their own Public IPs, but then is there a 1:1 NAT involved? Or use HAProxy/Nginx with the target IP being the Public IP of the client?
Or is there material that helps to explain this that I have not yet found (And if so... where)?

lilsense:
I am not quite sure I understand your question. The only difference between "Public" and "Private" is NAT, which you can disable on OPNsense. My confusion is on the word "Client", which your drawing may be misleading about.

HamiltonWDS:
Thank you for the reply.
M'yeah, NATing is the issue I am trying to solve; if it is disabled, then would static routes be used?
Outside of that, I am trying to figure out how to pass the traffic from the 11.11.11.11 interface (in the diagram, from the user) so that it then goes out from the 22.22.22.22 interface on its way through the Internet to the 33.33.33.33 webserver, as the 33.33.33.33 IP address is outside of the 22.22.22.22 subnet.

I used "Client" to refer to a remote site that is not part of the internal or local network. When using the word "remote", the majority of searches lead to "remote access", hence I avoided using it. In this case, 'client' can be replaced with 'remote site'.

If an IPsec tunnel were used, I think it would make things easier (and more secure), as it would then be a matter of Port Forwarding or Static Routing, since the IPsec tunnel would have its own private IP network. Unfortunately, I am not able to take that option.

lilsense:
Presuming the user/client on the 11.11.11.11 has that IP, just the OPNsense for all traffic for that to go through 22.22.22.22.

HamiltonWDS:
I have been able to send traffic, but only with one interface (not ideal for a few reasons).
- Port Forward from WAN (11.11.11.11) from Source: ANY to Destination: WAN Address (11.11.11.11) Port HTTPS, Redirect: 33.33.33.33 Port HTTPS
- NAT Outbound to Hybrid (or manual)
-- Rule set with WAN Interface, Source: ANY, Destination: 33.33.33.33, mapped to WAN Address

But to get it to the second WAN interface (22.22.22.22), it should work similarly to the above:
- Port Forward, same as above, but Redirect to the second WAN (22.22.22.22) Port HTTPS
- NAT Outbound similar, but replace the first WAN with the second WAN in both cases.
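The port-forward plus outbound-NAT approach above only rewrites addresses; the TLS stream passes through untouched, so nothing on the box can inspect requests, which is what a WAF is for. The reverse-proxy alternative mentioned earlier in the thread (HAProxy, which OPNsense offers as a plugin) terminates TLS on the first public address and opens a fresh, re-encrypted connection to the remote site from the second one. The following raw haproxy.cfg is an added example, not any poster's configuration and not what the OPNsense plugin generates; it uses the thread's 11.11.11.11 / 22.22.22.22 / 33.33.33.33 addresses, and the hostname www.example.com, the certificate path and the CA bundle path are assumptions to be replaced:

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Listen on the first public address, the one the site's DNS record points at.
# TLS is terminated here, so request inspection (ACLs, WAF rules) can be applied.
frontend public_https
    bind 11.11.11.11:443 ssl crt /usr/local/etc/ssl/www.example.com.pem alpn h2,http/1.1
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    # Example of inspection only possible after TLS termination: refuse
    # anything that is not for the expected host name.
    http-request deny unless { req.hdr(host) -i www.example.com }
    default_backend remote_site

# Re-encrypt to the remote site's public address, leaving from the second
# public address so the remote site can restrict inbound 443 to 22.22.22.22
# (this closes the "find the origin IP and bypass the WAF" gap noted above).
backend remote_site
    server origin 33.33.33.33:443 ssl verify required ca-file /usr/local/share/certs/ca-root-nss.crt sni str(www.example.com) source 22.22.22.22
```

One caveat that matches the routing puzzle in the thread: `source 22.22.22.22` only picks the source address, not the egress interface. On a multi-WAN OPNsense the kernel still follows its routing table, so the connection to 33.33.33.33 also needs either a static route or a firewall rule with the second WAN's gateway selected (policy-based routing), otherwise the packet carries 22.22.22.22 as source but leaves via the 11.11.11.11 interface's gateway and the replies never come back.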
