Public ip behind firewall

NethServer Version: 7.7.1908
Module: cockpit, firewall, network

hey all
I wonder how I can set this up
so let’s first explain the layout a little bit

I want to use NethServer as a hardware firewall
so you got the Firewall -> switch -> different nodes (VM hosts) -> VM (VPS)

now I want to have a public IP on the VM (also the nodes got a public IP)
I do not want to mess around with port forwarding to a private IP, as the VMs need a public IP (webservers)

the firewall is mainly used against certain attacks like port flooding and for traffic shaping
not to block ports, as all ports need to be open

can this be done with NethServer, and how can I do this?
I read somewhere about bridging, but got no idea how to set that up (2 interfaces? bridging to 1?)

Thank you
Greets from PowerChaos

Bridging invalidates the purpose of the firewall. I think the magic word here is reverse proxy, and give every webserver a private IP address.

Thank you
but that’s not what I want

I got 1 uplink and 1 switch
connected to 4 servers with 4 public IPs and Proxmox on it
those are hosting VMs with public IPs and also with private IPs

the firewall needs to get between the uplink and the switch, but can not block access to all the public IPs from the 4 servers and the VMs on the servers

so if bridging beats the purpose of the firewall (bypassing it), what other way is there then to set it up so my VMs (VPS servers) can still keep their public IP?
I gave webhosting as an example, but it is not only webhosting that is on the VMs; some of them got gameservers, others got Windows (remote desktop), others got Linux and VNC, others got shoutcasting, so a lot of ports change all the time and a lot of ports are the same on different IPs

so just using a private range and forwarding all to a private range is really time consuming

so I was looking for a way like SonicWall has (splice L3 subnet option)
or is that the same as bridging?

Greets from PowerChaos

@PowerChaos

Hi

As I understand it, you’re looking for a 1:1 sort of arrangement, not the usual 1:N.
I do use NethServer a lot, and also Proxmox. But for firewalling I’d suggest using OPNsense; it’s a fork of pfSense, which was itself a fork of m0n0wall.
That is fully open source, no licenses involved, and is quick to set up on hardware or on Proxmox as a VM.

OPNsense can easily do what you need, forward 4 IPs to four boxes 1:1…

But actually, a 1:1 NAT forwarding four public IPs to four private IPs is often done.
It saves a lot of trouble when you need more IPs and your provider assigns you a different range…
No servers need to be reconfigured, just the firewall…

My 2 cents
Andy


ok thank you
I will look for that

but my main problem is, with Proxmox I got an automated system, it auto assigns IPs from a pool on creation of a VM

then I also got my internal network (iLO, isolib, switch, Ceph…) that contains different private IPs

most IPs are statically assigned
I also got a trial system setup that has DHCP and only an outgoing connection (as it is for testing, not to abuse or host stuff on)

as you can see on the image, the part where the webserver is is the public IP assignment path
the firewall needs to come between WAN <-> switch

new VMs are on the same way as the webserver

Greets from PowerChaos

@PowerChaos

I think you’ll rather like what OPNsense can do. The forum isn’t as good as here, but the device/software rocks.

I’m a longtime SonicWall user myself, and in the process of moving a major SonicWall installation with Hardware Failover over to OPNsense.

OPNsense isn’t based on Linux, it’s got BSD underneath.
But the WebGUI is all you need, and it can handle everything you might need.
Even Provider-Failover, Hardware-Failover (Two Firewalls with a Heartbeat connection & CARP).
The Failover can be real Hardware, virtualized Hardware or a mix of both…

It can also easily handle a combination of IPsec and OpenVPN VPNs…

My 2 cents
Andy

ok thank you, I will check it out later today and do a few test runs on a VM
just like the VPN I have now (it is NethServer)

Greets from PowerChaos

@PowerChaos

OK, have fun!

Grab the DVD image for the Proxmox installation; it starts up as a live system. Log in with installer (PW opnsense) and set it up on a Proxmox disk (2/4 core CPU, 2 GB RAM, 20 GB disk is more than enough). For SD or USB based hardware, use the nano image.

Installing a SonicWall on Proxmox or VMware ain’t an option… :slight_smile:

If you have any questions, drop me a PM…

Don’t get me mistaken, I love NethServer and use it for 20+ clients (SMEs) in Switzerland and elsewhere. But it’s my AD, file server, mail server, Nextcloud and Zabbix monitoring. I don’t want the server to also do firewalling / routing…

Some of my networks are as complicated as yours, some even more…

My 2 cents
Andy

Just out of curiosity, any particular reason you recommend OPNsense over pfSense?

THANK YOU! :smiley:

@robb

Hi Robb

I really think the forum here, the people “on board” and the whole package: hard to beat!
This NethServer simply rocks!

I try to give back to the community what i can, and here’s the best place!

An honest compliment!

My 2 cents
Andy

Hi

Just got home after an emergency case at a doctor’s running NethServer. No, the NethServer wasn’t the problem; the MS SQL behind the doctor’s app needed some tuning, and that’s running on a Windows box as a member server in NethServer’s AD…

As to why OPNsense instead of pfSense, I do have several reasons.

  1. OPNsense’s policy is more like NethServer’s. Sure you can buy their hardware, but the community version is the same thing as the commercial one!

  2. PFsense tended - before going commercial - to put everything on a firewall. I don’t see why a firewall would need stuff like a webserver. That’s better placed behind the firewall on a server like NethServer.

  3. I admit preferring a dedicated firewall. A box doing nothing else but firewalling and routing. No AD on it, no virtualizations or anything funky.

I also don’t really trust stuff from a company that started out making connections, instead of disrupting them - like a certain well known Modem Company…

There are basically two policies:
UNIX/Linux: Keep everything shut, open only what’s needed. If anything gets forgotten, it’s not open!
Windows: Keep everything open, close down what you don’t need. Everybody’s a real firewall expert, that’s why all holes are still open, so is the barn door…

Add this (Wikipedia https://en.wikipedia.org/wiki/PfSense):

In November 2017, a World Intellectual Property Organization panel found that Netgate, the copyright holder of pfSense, had been using the domain opnsense.com in bad faith to discredit OPNsense, a competing open source firewall forked from pfSense. It compelled Netgate to transfer the domain to Deciso, the developer of OPNsense.

The German wiki includes the lame excuse Netgate gave:

The Netgate party tried to invoke the fair-use clause and claimed that the domain name “was used for a parody website”; this was rejected on the grounds that freedom of speech does not cover the registration of domain names.

My 2 cents
Andy

How does this differ from pfSense?

When has pfSense incorporated a webserver for anything other than its own web GUI (which, of course, OPNSense also does)?

What does pfSense do with AD or virtualization?

Call me dense, but I don’t see what this has to do with the question. Your answers make me suspect you’re thinking of a different product than pfSense.

Now, one reason I’d completely understand is the hissy fit ESF threw when OPNSense forked (which I see you’ve now edited your post to address). See, e.g., https://web.archive.org/web/20160314132836/http://www.opnsense.com/#section-53 - but I’d advise against opening that link at work.

@danb35

For a while after forking from m0n0wall, pfSense really included almost everything you wanted which FreeBSD can do.
I was a m0n0wall user since 2003…
And Manuel Kasper endorses OPNsense, not pfSense…

See the webpage of pfSense, way more commercial links than OPNsense’s simple shop (which I admit looks crappy there…). I use this official store: https://www.applianceshop.eu (they actually sell both!)

You’re right, this is a sidekick at ZyWall… :slight_smile:

Sometimes, when writing posts, the small edit window makes you overlook some stuff - either mentally or physically… :slight_smile:

My 2 cents
Andy

ok I got my test VPS online
but I already have some nice problems :frowning:

after setting 2 NICs, one public and 1 LAN
the LAN gateway does not work

to explain it
I currently use a VPN to access the local network; OPNsense uses the LAN gateway so my VPN can connect to OPNsense

it also uses the public gateway so I can connect externally to it and have internet on it

now only the public gateway gets used… and it disables the LAN gateway
so I need to choose, public or private to access it
but both is not working

any reason why it does it this way? and refuses to use both gateways on different NICs?

if I do not configure or enable the public gateway the local gateway works fine, but if I enable the public gateway the local gateway is offline

Greets from PowerChaos

@PowerChaos

Hi

Just to make sure I understand your setup right:

You have a VPS (Proxmox?) with 2 interfaces, one set up as public and one as LAN.

Is that correct so far?

One big misconception: A box (host / server / pc / router) has only ONE Default Gateway!
Even if several NICs are available, only one gets the Default Gateway.
The Default Gateway is, by definition, always pointing in the direction of the next bigger network, usually the internet…

So don’t put in a gateway for every interface!

Another important question: Does your hosting provider give you console access directly to your vps?

Andy

Just for your information, NethServer supports SNAT 1:1. I’m not proposing anything, you’re already in good expert hands.

um
my VPN can only access my local network if the gateway is on 10.0.0.1, else it can not route to the local network (or I need to use SSH tunneling), at least not from the NethServer VPS

with NethServer I do not have that problem (VPN is on the 192 range, LAN on the 10.0 range and newly created VPS servers are on the 172 range)

also my setup contains 3 NICs
1 LAN, 1 WAN and 1 virtual (for DHCP)

I try to create the VPN setup you can see in my image

but in the end, it will only contain 2 interfaces
1 to LAN, and 1 to WAN, as it will sit between the uplink and the switch

@dnutan if I use SNAT 1:1 then I can provide my test VPS a public IP and access it after also adding NAT and port forwarding (1 - 65335 port range)
but so far SNAT does not allow statically assigned public IP addresses

my main goal is to use statically assigned public IP addresses
same as I do now, but then that there is just a firewall between it so it can protect from different kinds of attacks like SYN flood and others
but not for port blocking (standard open, instead of closed), so I can block ports if needed
and in the end, the VPS servers with public IP need to take care of their own firewall if they want ports blocked

at the current moment the switch I use got some built-in protection (DoS protection)

DoS Defend
DoS Protection:

DoS Defend Config

Land Attack:
Scan SYNFIN:
Xmascan:
NULL Scan:
SYN sPort less 1024:
Blat Attack:
Ping Flooding:
SYN/SYN-ACK Flooding:
WinNuke Attack:

so not sure either if the firewall can provide any extra services as I am not looking at a port blocking feature as the main goal (that’s where you got your firewall for on your VPS)

if not, then there is no reason to even try to get this working if the switch blocks the attacks that the firewall also does
for reference, this is my switch
https://emulator.tp-link.com/t1700g-28tq-un-v3/index.html

Greets from PowerChaos

Hi

KISS = Keep it simple, smarty!

I’d prefer one box to do any rules or regulations, and not have ANY firewalling on any other gadgets or other servers - they are in a protected network where no one just plugs in a notebook…

As you can see, troubleshooting gets complicated - potentially!

In your case, too many masters who can each block something. Disable all of that stuff, and get your network working as you want, then block off stuff!

Even if you just want a firewall for blocking stuff like SYN flood or others, you’ll still need to pass ports through the firewall, even if it’s something “global”, like Ports 1-65535 pass…
And that would have to be for all 4 IPs in your setup.

My 2 cents
Andy

now I am confused
I try to keep it simple :smiley:

so my setup consists of the following
it is located in a datacenter
1 uplink to switch
3 connections from switch to a node

1 public IP assigned to the node for remote access (and web based noVNC console)
few other things set up on there for Ceph and HA and communication between the 4 nodes

every node is in a cluster, so no matter where I create a VPS, it works on all of them
as the network is just a bridge (virtual bridge) to the VPS servers (virtual machines)

so I get the following layout
uplink -> switch -> node --> VPS
uplink is gateway for internet
switch just switches to the right ports and VLAN
node contains public IP for remote access (and noVNC console)
VPS contains public IP as stand alone (webserver for example) but moves freely between the 4 nodes (cluster + HA + Ceph)
Cluster/HA/Ceph use a 10Gbit network on a local IP range (10.10.10.0/24) and separate VLAN, else my network gets overloaded really fast

I do not want other users to get access to my switch or iLO, so they are on a local IP (10.0.0.0/24) and separate VLAN

at this point everything works like I need to have it
but for protection I want to have a firewall between it
port forwarding to a single node is not going to work, as the VPS servers freely move between nodes (High Availability/Fail Over)

so if I can set it up that a public IP can be used, then it does not matter where the VPS is located as it will always be able to communicate with the internet

and then the firewall is just a transparent firewall that does block attacks, but nothing else

but before I can place a hardware firewall I need to make sure it works
else I am totally locked out of my network, and that is what I try to prevent :smiley:

maybe I make things too complicated? but this is what I try to achieve
and if the firewall contains a VPN, then I’d like to also use that to access my other VLANs (need then 2 ports to connect to the switch as they are different VLANs)

or is there another way to get the setup I have? or an easier way to do this?

Greets from PowerChaos
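As an added example (not code from this thread, NethServer or OPNsense), this is what the "transparent firewall that blocks attacks but nothing else" between uplink and switch looks like on a Linux box with nftables: the two ports are bridged, the public IPs behind it stay as they are, every port passes, and only the NULL scan, Xmas scan, SYN/FIN and SYN-flood patterns from the switch's DoS Defend list are dropped. The interface names eth0/eth1, the bridge name br0 and the 50 SYN/s threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from this thread, NethServer or OPNsense): a transparent
# bridge firewall on Linux with nftables. Interface names, the bridge name and
# the 50 SYN/s threshold are assumptions; adjust them to the real cabling.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # assumed: port cabled to the uplink
LAN_IF="${LAN_IF:-eth1}"   # assumed: port cabled to the switch
BR_IF="${BR_IF:-br0}"      # assumed: bridge joining the two ports

# Ruleset in the nftables "bridge" family: the box needs no IP on the data path,
# so the public IPs on nodes and VPS stay untouched. Policy is accept, so every
# port stays open; only the listed scan/flood patterns are dropped.
gen_ruleset() {
cat <<'EOF'
table bridge transparent_fw {
    set synflood { type ipv4_addr; flags dynamic; timeout 60s; }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # NULL scan: no TCP flags set at all
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
        # Xmas scan: FIN+PSH+URG together
        tcp flags & (fin|syn|rst|psh|ack|urg) == fin|psh|urg counter drop
        # SYN+FIN never occurs in a legitimate handshake
        tcp flags & (syn|fin) == syn|fin counter drop
        # SYN flood: drop new connections from a source opening more than 50/s
        tcp flags & (syn|ack) == syn add @synflood { ip saddr limit rate over 50/second } counter drop
    }
}
EOF
}

# Enslave both ports to a bridge; the bridge itself gets no address.
setup_bridge() {
    ip link add name "$BR_IF" type bridge
    ip link set "$WAN_IF" master "$BR_IF"
    ip link set "$LAN_IF" master "$BR_IF"
    ip link set "$WAN_IF" up
    ip link set "$LAN_IF" up
    ip link set "$BR_IF" up
}

apply_ruleset() { gen_ruleset | nft -f -; }

# Only touch the system when asked explicitly (as root: sh bridge-fw.sh apply)
if [ "${1:-}" = "apply" ]; then
    setup_bridge
    apply_ruleset
fi
```

Management of the firewall itself (and a VPN on it) goes over a separate NIC that carries an address, not over the bridge, and that NIC is the one place the box gets its single default gateway. Because the chain policy is accept, the changing RDP, VNC, game-server and shoutcast ports on the VPS need no per-port rules here.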