Re: routing with DMZ between internal and external firewall

2020-03-16 Thread Marko Cupać
On Mon, 16 Mar 2020 09:49:30 +0100
pebwindkraft  wrote:

> Hi,
> 
> I have a question concerning static routes and default gateways for a 
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
> 
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as
"Internet", meaning private IP addresses, either from the Internet or
from the internal network, must not be able to contact it.

So, I NAT everything from the internal network to DMZ, which results in DNS
& http seeing requests from em1, and not from the internal network.

Should you need more information don't hesitate to ask.

Regards,

-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: routing with DMZ between internal and external firewall

2020-03-16 Thread Claudio Jeker
On Mon, Mar 16, 2020 at 09:49:30AM +0100, pebwindkraft wrote:
> Hi,
> 
> I have a question concerning static routes and default gateways for a DMZ
> setup, with internal and external firewall.
> A DNS in the DMZ shall be used from internal machines, and later a http
> proxy from internal and external machines.
> The setup is within a network of a bigger data centre with its own edge
> router. I cannot change anything on this edge router.
> I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
> Here an ASCII pic (for better viewing also here:
> https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):
> 
> |--------|   |---------|   |---------|   /-------------\
> | int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
> |--------|   |em0   em1|   |em0   em1|   | Edge Router |
>              |---------|   |---------|   \-------------/
>                          |
>                   |------------|
>                   | DNS & http |
>                   |------------|
> 
> Setup of default routes:
>   int_pc  -> IP address of em0 on int_fw
>   int_fw  -> IP address of em0 on ext_fw
>   DNS -> IP address of em0 on ext_fw
>   ext_fw  -> IP address of external interface
> 
> Without any firewall rules (pfctl -d), I observe:
> 
>  1.) I cannot ping from int_pc to DNS, and vice versa.
>  2.) I cannot ping from int_pc to em0 on ext_fw
> 
> I can observe with tcpdump, that ping echo request leaves int_pc, goes
> through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
> default route of DNS is pointing to ext_fw, the ping echo reply is sent to
> ext_fw, which doesn't know what to do with the IP address of int_pc, and
> ignores the package. I get this.
> So I can set a static route on the DNS or on the external firewall, like
> this
> 
>   route add -inet {network of int_pc} {IP address of em1 on int_fw}
> 
> and then pinging back and forth works.
> But setting static routes on all DMZ machines and ext_fw doesn't seem
> right to me(?).
> 
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages from DNS
> would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
> via int_fw back to int_pc)?
> 
> The information I found on misc@ and internet is usually talking about "home
> router" with NAT and three network cards, where one leg supplies the DMZ...
> Mine is different, and I think I do not need NAT here?
> 

You need to add routes for your internal network on ext_fw and on the DNS
box. They need to know that those networks are reachable via int_fw. These
routes are more specific and will make sure that the traffic has a path
back to int_pc.

-- 
:wq Claudio
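To make the return-path problem and Claudio's fix concrete, here is an added simulation (not part of the thread, and not OpenBSD code) of the four routing tables in the diagram. Addresses are constructed from RFC 5737 documentation ranges; the edge router is modelled as a box that knows nothing about the internal network, as the original post describes.

```python
import ipaddress

# Constructed example addressing (documentation ranges, not from the thread).
INTERNAL, DMZ = "192.0.2.0/24", "198.51.100.0/24"
INT_PC, INT_FW_EM0, INT_FW_EM1 = "192.0.2.10", "192.0.2.1", "198.51.100.2"
EXT_FW_EM0, EXT_FW_EM1, DNS = "198.51.100.1", "203.0.113.2", "198.51.100.53"
EDGE_ROUTER = "203.0.113.1"  # ext_fw's default gateway; has no route to INTERNAL

def topology(return_route):
    """Per-node (addresses, routes). A route is (prefix, next hop); next hop None
    means directly connected. return_route=True adds the more specific route
    from the thread on DNS and ext_fw: INTERNAL via em1 of int_fw."""
    nodes = {
        "int_pc": ({INT_PC}, [(INTERNAL, None), ("0.0.0.0/0", INT_FW_EM0)]),
        "int_fw": ({INT_FW_EM0, INT_FW_EM1},
                   [(INTERNAL, None), (DMZ, None), ("0.0.0.0/0", EXT_FW_EM0)]),
        "dns":    ({DNS}, [(DMZ, None), ("0.0.0.0/0", EXT_FW_EM0)]),
        "ext_fw": ({EXT_FW_EM0, EXT_FW_EM1},
                   [(DMZ, None), ("203.0.113.0/24", None), ("0.0.0.0/0", EDGE_ROUTER)]),
    }
    if return_route:  # route add -inet {network of int_pc} {IP of em1 on int_fw}
        nodes["dns"][1].append((INTERNAL, INT_FW_EM1))
        nodes["ext_fw"][1].append((INTERNAL, INT_FW_EM1))
    return nodes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel forwarding table selects a route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else "unreachable"

def owner(nodes, ip):
    return next((n for n, (addrs, _) in nodes.items() if ip in addrs), None)

def trace(nodes, src, dst, max_hops=8):
    """Forward one packet node by node; returns (path, outcome)."""
    path, node = [src], src
    for _ in range(max_hops):
        addrs, routes = nodes[node]
        if dst in addrs:
            return path, "delivered"
        nh = lookup(routes, dst)
        if nh == "unreachable":
            return path, "no route"
        nxt = owner(nodes, dst if nh is None else nh)
        if nxt is None:  # handed to the edge router, which drops it
            return path + ["edge_router"], "left the site"
        path.append(nxt)
        node = nxt
    return path, "loop"
```

The echo request reaches DNS either way; only the reply's path changes once the more specific route exists on the DMZ side.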



routing with DMZ between internal and external firewall

2020-03-16 Thread pebwindkraft

Hi,

I have a question concerning static routes and default gateways for a 
DMZ setup, with internal and external firewall.
A DNS in the DMZ shall be used from internal machines, and later a http 
proxy from internal and external machines.
The setup is within a network of a bigger data centre with its own edge 
router. I cannot change anything on this edge router.

I am using OpenBSD 6.6, and ip forwarding is activated on both firewalls.
Here an ASCII pic (for better viewing also here: 
https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):


|--------|   |---------|   |---------|   /-------------\
| int_pc |---| int_fw  |---| ext_fw  |---| Data Center |---> Internet
|--------|   |em0   em1|   |em0   em1|   | Edge Router |
             |---------|   |---------|   \-------------/
                         |
                  |------------|
                  | DNS & http |
                  |------------|

Setup of default routes:
  int_pc  -> IP address of em0 on int_fw
  int_fw  -> IP address of em0 on ext_fw
  DNS -> IP address of em0 on ext_fw
  ext_fw  -> IP address of external interface

Without any firewall rules (pfctl -d), I observe:

 1.) I cannot ping from int_pc to DNS, and vice versa.
 2.) I cannot ping from int_pc to em0 on ext_fw

I can observe with tcpdump, that ping echo request leaves int_pc, goes 
through int_fw and reaches the network card of DNS or em0 on ext_fw. As 
the default route of DNS is pointing to ext_fw, the ping echo reply is 
sent to ext_fw, which doesn't know what to do with the IP address of 
int_pc, and ignores the package. I get this.
So I can set a static route on the DNS or on the external firewall, like 
this


  route add -inet {network of int_pc} {IP address of em1 on int_fw}

and then pinging back and forth works.
But setting static routes on all DMZ machines and ext_fw doesn't 
seem right to me(?).


What would be the correct design?
Can I use "only" the ext_fw with a static route, so that packages from 
DNS would travel twice through DMZ net (from DNS to ext_fw, and then 
from ext_fw via int_fw back to int_pc)?


The information I found on misc@ and internet is usually talking about 
"home router" with NAT and three network cards, where one leg supplies 
the DMZ... Mine is different, and I think I do not need NAT here?


thx