Re: routing with DMZ between internal and external firewall
On Mon, 16 Mar 2020 09:49:30 +0100 pebwindkraft wrote:
> Hi,
>
> I have a question concerning static routes and default gateways for a
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packets
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as
"Internet", meaning private IP addresses, either from the Internet or from
the internal network, must not be able to contact it. So I NAT everything
from the internal network to the DMZ, which results in DNS & http seeing
requests from em1, and not from the internal network.

Should you need more information, don't hesitate to ask.

Regards,
--
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
Re: routing with DMZ between internal and external firewall
On Mon, Mar 16, 2020 at 09:49:30AM +0100, pebwindkraft wrote:
> Hi,
>
> I have a question concerning static routes and default gateways for a DMZ
> setup, with internal and external firewall.
> A DNS in the DMZ shall be used from internal machines, and later an http
> proxy from internal and external machines.
> The setup is within a network of a bigger data centre with its own edge
> router. I cannot change anything on this edge router.
> I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
> Here an ASCII pic (for better viewing also here:
> https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):
>
>  +--------+   +---------+   +---------+   /-------------\
>  | int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
>  +--------+   |em0   em1|   |em0   em1|   | Edge Router |
>               +---------+ | +---------+   \-------------/
>                           |
>                    +------------+
>                    | DNS & http |
>                    +------------+
>
> Setup of default routes:
> int_pc -> IP address of em0 on int_fw
> int_fw -> IP address of em0 on ext_fw
> DNS    -> IP address of em0 on ext_fw
> ext_fw -> IP address of external interface
>
> Without any firewall rules (pfctl -d), I observe:
>
> 1.) I cannot ping from int_pc to DNS, and vice versa.
> 2.) I cannot ping from int_pc to em0 on ext_fw
>
> I can observe with tcpdump that the ping echo request leaves int_pc, goes
> through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
> default route of DNS is pointing to ext_fw, the ping echo reply is sent to
> ext_fw, which doesn't know what to do with the IP address of int_pc, and
> ignores the packet. I get this.
> So I can set a static route on the DNS or on the external firewall, like
> this
>
> route add -inet {network of int_pc} {IP address of em1 on int_fw}
>
> and then pinging back and forth works.
> But setting static routes on all DMZ machines and ext_fw doesn't seem
> right to me(?).
>
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packets from DNS
> would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
> via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking about "home
> router" with NAT and three network cards, where one leg supplies the DMZ...
> Mine is different, and I think I do not need NAT here?
>

You need to add routes for your internal network on ext_fw and on the DNS box.
They need to know that those networks are reachable via int_fw.
These routes are more specific and will make sure that the traffic has a path
back to int_pc.

--
:wq Claudio
routing with DMZ between internal and external firewall
Hi,

I have a question concerning static routes and default gateways for a DMZ
setup, with internal and external firewall.
A DNS in the DMZ shall be used from internal machines, and later an http
proxy from internal and external machines.
The setup is within a network of a bigger data centre with its own edge
router. I cannot change anything on this edge router.
I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
Here an ASCII pic (for better viewing also here:
https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):

 +--------+   +---------+   +---------+   /-------------\
 | int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
 +--------+   |em0   em1|   |em0   em1|   | Edge Router |
              +---------+ | +---------+   \-------------/
                          |
                   +------------+
                   | DNS & http |
                   +------------+

Setup of default routes:
int_pc -> IP address of em0 on int_fw
int_fw -> IP address of em0 on ext_fw
DNS    -> IP address of em0 on ext_fw
ext_fw -> IP address of external interface

Without any firewall rules (pfctl -d), I observe:

1.) I cannot ping from int_pc to DNS, and vice versa.
2.) I cannot ping from int_pc to em0 on ext_fw

I can observe with tcpdump that the ping echo request leaves int_pc, goes
through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
default route of DNS is pointing to ext_fw, the ping echo reply is sent to
ext_fw, which doesn't know what to do with the IP address of int_pc, and
ignores the packet. I get this.
So I can set a static route on the DNS or on the external firewall, like
this

route add -inet {network of int_pc} {IP address of em1 on int_fw}

and then pinging back and forth works.
But setting static routes on all DMZ machines and ext_fw doesn't seem
right to me(?).

What would be the correct design?
Can I use "only" the ext_fw with a static route, so that packets from DNS
would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
via int_fw back to int_pc)?

The information I found on misc@ and internet is usually talking about "home
router" with NAT and three network cards, where one leg supplies the DMZ...
Mine is different, and I think I do not need NAT here?

thx
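Added example, not code from the thread or from any of its participants: a small Python model of the topology in pebwindkraft's post that does longest-prefix-match forwarding hop by hop, so the asymmetric return path can be traced rather than inferred from tcpdump. Every address and interface name is constructed, since the post gives none: int_pc is 10.0.0.10/24 behind int_fw em0 (10.0.0.1), the DMZ net is 192.0.2.0/24 (int_fw em1 .2, ext_fw em0 .1, the DNS box .53), ext_fw em1 faces the edge router on 198.51.100.0/24, and the edge router, which the poster cannot change, is assumed to have no route to the internal network and to drop such packets. The model runs the four cases the thread discusses: no extra routes (the reply to int_pc is lost past ext_fw), the more specific route Claudio describes added on ext_fw only (the reply hairpins through ext_fw and int_fw, the "twice through the DMZ net" path the post asks about), that route on both ext_fw and the DNS box (the reply goes straight to int_fw), and source NAT on int_fw em1 as Marko does (the DNS box sees int_fw's em1 address as the source, which is on-link, so no route is needed anywhere).

```python
"""Model the asymmetric-routing problem in the thread and the fixes proposed.

Added example, not code from the thread. Addresses, interface names and the
edge router's behaviour are constructed: the post gives none of them, and the
edge router is modelled as having no route to the internal network."""
import copy
from ipaddress import ip_address, ip_interface, ip_network

# host -> interfaces (name -> address/prefix) and static routes (dest, gateway).
# A connected route is implied by each interface address.  (constructed)
BASE = {
    "int_pc": {"ifaces": {"eth0": "10.0.0.10/24"},
               "routes": [("0.0.0.0/0", "10.0.0.1")]},        # -> int_fw em0
    "int_fw": {"ifaces": {"em0": "10.0.0.1/24", "em1": "192.0.2.2/24"},
               "routes": [("0.0.0.0/0", "192.0.2.1")]},       # -> ext_fw em0
    "dns":    {"ifaces": {"vio0": "192.0.2.53/24"},
               "routes": [("0.0.0.0/0", "192.0.2.1")]},       # -> ext_fw em0
    "ext_fw": {"ifaces": {"em0": "192.0.2.1/24", "em1": "198.51.100.2/24"},
               "routes": [("0.0.0.0/0", "198.51.100.1")]},    # -> edge router
    "edge":   {"ifaces": {"ge0": "198.51.100.1/24"}, "routes": []},  # drops the rest
}


def ifaces(hosts, host):
    for name, cidr in hosts[host]["ifaces"].items():
        i = ip_interface(cidr)
        yield name, i.ip, i.network


def owner_of(hosts, ip):
    """Host that has ip configured on an interface, or None."""
    return next((h for h in hosts for _, a, _ in ifaces(hosts, h) if a == ip), None)


def lookup(hosts, host, dst):
    """Longest-prefix match over connected and static routes.
    Returns (out_iface, next_hop); next_hop is dst itself when it is on-link."""
    best = None  # (prefixlen, out_iface, next_hop)
    for name, _, net in ifaces(hosts, host):
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name, dst)
    for dest, gw in hosts[host]["routes"]:
        net, gw = ip_network(dest), ip_address(gw)
        if dst in net and (best is None or net.prefixlen > best[0]):
            for name, _, inet in ifaces(hosts, host):   # gateway must be on-link
                if gw in inet:
                    best = (net.prefixlen, name, gw)
    return (best[1], best[2]) if best else (None, None)


def trace(hosts, src_host, dst, nat_on=None, max_hops=8):
    """Hop-by-hop path from src_host to dst.  nat_on=(host, iface) makes that
    host rewrite the source address to iface's own address when forwarding out
    of it (what a pf nat-to rule on int_fw em1 would do).  Returns (path,
    source address as seen by the last hop, or None if untranslated)."""
    dst, host, path, seen_src = ip_address(dst), src_host, [src_host], None
    for _ in range(max_hops):
        if owner_of(hosts, dst) == host:
            return path, seen_src                      # delivered locally
        out, nh = lookup(hosts, host, dst)
        if out is None:
            return path + ["DROP"], seen_src           # no route at all
        if nat_on == (host, out):
            seen_src = ip_interface(hosts[host]["ifaces"][out]).ip
        host = owner_of(hosts, nh)
        if host is None:
            return path + ["DROP"], seen_src           # next hop not on-link
        path.append(host)
    return path + ["DROP"], seen_src                   # loop / TTL exceeded


def round_trip(hosts, src_host, src_ip, dst_ip, nat_on=None):
    """Forward path, then the reply path to whatever source the destination saw."""
    fwd, seen_src = trace(hosts, src_host, dst_ip, nat_on)
    if fwd[-1] == "DROP":
        return fwd, [], seen_src
    rev, _ = trace(hosts, fwd[-1], seen_src or ip_address(src_ip))
    if seen_src is not None and rev[-1] == nat_on[0]:
        # the NAT firewall matches its state entry and delivers to the real host
        rev += trace(hosts, nat_on[0], src_ip)[0][1:]
    return fwd, rev, seen_src


def scenario(extra_routes=(), nat_on=None):
    """int_pc pings the DMZ DNS box, with extra static routes and/or NAT applied."""
    hosts = copy.deepcopy(BASE)
    for host, dest, gw in extra_routes:
        hosts[host]["routes"].append((dest, gw))
    return round_trip(hosts, "int_pc", "10.0.0.10", "192.0.2.53", nat_on)


if __name__ == "__main__":
    via_int_fw = ("10.0.0.0/24", "192.0.2.2")   # "route add -inet <int net> <int_fw em1>"
    cases = [("no extra routes", scenario()),
             ("route on ext_fw only", scenario([("ext_fw",) + via_int_fw])),
             ("route on ext_fw and dns", scenario([("ext_fw",) + via_int_fw, ("dns",) + via_int_fw])),
             ("NAT on int_fw em1", scenario(nat_on=("int_fw", "em1")))]
    for label, (fwd, rev, seen) in cases:
        print(f"{label:24} fwd {'>'.join(fwd)}  reply {'>'.join(rev)}  src seen as {seen}")
```

Running it prints one line per case with the forward and reply paths. The NAT case is modelled only as a source rewrite with state on int_fw; on a real OpenBSD box that is a pf.conf rule of the shape `match out on em1 from 10.0.0.0/24 to any nat-to (em1)` (illustrative, with the constructed addresses above). The trade-off the two answers represent is visible in the output: the route-based fix keeps real internal addresses visible in the DMZ and needs a matching route on every DMZ host or a hairpin through ext_fw, while the NAT approach needs no routes but hides which internal host made a request from the DMZ services' logs.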