pfSense 1:1 NAT sanity check

So I have a domain, and my ISP is cool with self-hosting. I did some self-hosting on a Pi years ago behind an Asus router; the port forwarding was fairly straightforward (likely at the cost of security). Now that I'm on pfSense I'm reading a lot of different tutorials that are not giving me confidence.

Setup is
WAN public IP

DMZ has its own interface. The Ubuntu server that will run the site is on this interface; it currently has any/any for convenience while I work on it from my NAT and pull packages, but I have an alias set up for the ports that will need to work when I start to lock down the firewall.

1:1 has:
interface (WAN), External IP (my ISP IP given to me), internal IP (the Ubuntu server on DMZ interface), Destination IP (DMZ).

Any advice on the 1:1 NAT settings (WAN, DMZ), aliases, etc. is appreciated, and I'm curious about things like: if I have firewall rules on the DMZ, with 1:1 NAT are those now null (except for DMZ-to rules) and do the rules need to be on the WAN interface?

I updated my domain provider's A, MX, etc. records to point to my public IP, and have UFW 80 and 443 open on the Ubuntu server, but when I put in my domain name I get a pfSense page with "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding
Try accessing the router by IP address instead of by hostname." And when I try to set up Let's Encrypt on the Ubuntu server I get a timeout when it's trying to verify.

Destination address should probably be set to any. And you will need to make firewall rules on the WAN interface to allow the traffic to the server IP, assuming 1:1 works in a similar way to a normal port forward.


To pat myself on the back, I figured out to set destination to any, but you saved my bacon on the WAN firewall rule. I referred to my OpenVPN one to make one for the DMZ machine IP; now on my LTE I get my Apache test page. Dexter, seriously, you make this forum more helpful than pfSense's very own forum. Now disabling my DMZ any/any, re-enabling blocking DMZ to LAN, and putting the port alias rule in play.


Well, I gotta be good at something.


Just a query, since I haven't used pfSense yet.

From what I read, the DMZ is allocated to an interface, right? Is it effectively a separate subnet on a physical interface that is designated as the destination for incoming WAN traffic, but retaining its own NAT/firewall configuration?

If so this would explain why you would need to change the WAN firewall rules.

In this case, using 1:1 NAT you're taking all incoming traffic to the WAN address and forwarding it to an internal address; it could be on LAN or any other interface. This is what the "DMZ" option on a consumer router usually does, but it's not really what DMZ means.

Essentially what you're doing is making a port forward rule for every port. But NAT rules, whether port forward or 1:1, do not affect the firewall rules, so you still need to allow traffic entering the WAN interface to go to wherever you are redirecting the traffic. Conversely, firewall rules on the WAN interface will not affect NAT, so you need to configure both.

Great, thanks very much for clearing that up.

A DMZ network is about trust more than any technical difference. The idea is you place all of your internet-facing servers in a DMZ network which is firewalled from the rest of your network. Even though the servers are local, because they are internet-facing they are treated more like anything else on the internet than like a local machine.

So the idea is you have a firewall hierarchy with your most trusted networks at the bottom and the least trusted at the top, so in a simple example you have LAN > DMZ > WAN. Traffic can move freely from the bottom to the top, so LAN and DMZ can both access the internet, and LAN can access the DMZ. But traffic entering from the internet can only go to the DMZ and never the LAN. This keeps the trusted network isolated from incoming traffic from the internet and protects the trusted networks from attacks if one of the internet-facing servers becomes compromised.
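To make the two points from the replies above concrete (1:1 NAT and firewall rules are configured separately, with the WAN rule written against the internal server IP; and the DMZ sits between LAN and WAN in trust, so a compromised DMZ host cannot reach the LAN), here is an added example that is not code from this thread or from pfSense itself. It is a small Python model of pfSense's inbound path: 1:1 NAT rewrites the destination first, then the firewall evaluates the translated packet against the rules of the interface it arrived on, first match wins, default deny. The addresses, interface names, port alias and rule tables are constructed to mirror the setup described in the thread and are assumptions, not values taken from the original posts.

```python
"""Model of how pfSense orders 1:1 NAT and interface firewall rules.

Added example, not from the forum thread or from pfSense's own code.
All addresses, interface names and rules below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Assumed addressing (constructed for the example).
WAN_PUBLIC_IP = ip_address("203.0.113.10")   # the ISP-assigned public IP
SERVER_IP = ip_address("10.0.20.5")          # Ubuntu server on the DMZ interface
LAN_NET = ip_network("10.0.10.0/24")
DMZ_NET = ip_network("10.0.20.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet enters pfSense on: "WAN", "DMZ", "LAN"
    proto: str            # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                       # "pass" or "block"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None       # None matches any protocol
    dports: frozenset = frozenset()   # empty set matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.iface == pkt.ingress
                and pkt.src in self.src
                and pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


# 1:1 NAT entry as configured in the thread: interface WAN, external address =
# the public IP, internal address = the DMZ server, destination = any.
ONE_TO_ONE = {"WAN": {WAN_PUBLIC_IP: SERVER_IP}}


def inbound_nat(pkt: Packet) -> Packet:
    """Rewrite the destination of packets arriving on an interface with a 1:1 entry.
    Every port is translated; no allow/deny decision is made here."""
    mapping = ONE_TO_ONE.get(pkt.ingress, {})
    if pkt.dst in mapping:
        return replace(pkt, dst=mapping[pkt.dst])
    return pkt


def filter_packet(pkt: Packet, rules) -> str:
    """Rules are evaluated on the ingress interface, first match wins, and
    anything unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def evaluate(pkt: Packet, rules) -> tuple:
    """Full inbound path: NAT first, then filtering against the translated packet.
    Returns (verdict, destination the firewall actually saw)."""
    translated = inbound_nat(pkt)
    return filter_packet(translated, rules), translated.dst


WEB_PORTS = frozenset({80, 443})   # stands in for the thread's port alias

RULES = [
    # WAN: the rule the thread was missing. The destination is the *internal*
    # server IP, because the filter sees the packet after 1:1 NAT rewrote it.
    Rule("WAN", "pass", proto="tcp", dst=ip_network(f"{SERVER_IP}/32"), dports=WEB_PORTS),
    # DMZ: block DMZ -> LAN ahead of the permissive rule, then let the DMZ out.
    Rule("DMZ", "block", src=DMZ_NET, dst=LAN_NET),
    Rule("DMZ", "pass", src=DMZ_NET),
    # LAN: the trusted network may go anywhere, including into the DMZ.
    Rule("LAN", "pass", src=LAN_NET),
]


def scenarios(rules=RULES) -> dict:
    """Run the thread's traffic cases through the model (constructed packets)."""
    internet_host = ip_address("198.51.100.7")
    lan_host = ip_address("10.0.10.20")
    cases = {
        "internet -> public IP :443": Packet("WAN", "tcp", internet_host, WAN_PUBLIC_IP, 443),
        "internet -> public IP :22": Packet("WAN", "tcp", internet_host, WAN_PUBLIC_IP, 22),
        "DMZ server -> LAN host :445": Packet("DMZ", "tcp", SERVER_IP, lan_host, 445),
        "DMZ server -> internet :443": Packet("DMZ", "tcp", SERVER_IP, internet_host, 443),
        "LAN host -> DMZ server :80": Packet("LAN", "tcp", lan_host, SERVER_IP, 80),
    }
    return {name: evaluate(pkt, rules) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, seen_dst) in scenarios().items():
        print(f"{name:32} filter saw dst={seen_dst}  ->  {verdict}")
    # NAT alone opens nothing: drop the WAN rule and the same web request is denied.
    without_wan_rule = [r for r in RULES if r.iface != "WAN"]
    print("no WAN rule, :443 ->", scenarios(without_wan_rule)["internet -> public IP :443"][0])
```

Running it shows port 443 from the internet being translated to the server and passed, port 22 being translated but denied (1:1 forwards every port, so the WAN rule is what limits exposure), the DMZ server being blocked from the LAN while still reaching the internet, and the LAN reaching the DMZ. Removing the WAN rule leaves the 1:1 entry in place but the web request is denied, which is the "configure both" point from the reply.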


That's a great explanation, cheers.
