Monday, January 1, 2018

networking - Dedicated IP for webserver through pfsense and a draytek 2860



We have a leased line which has 8 public IP addresses. This connects to our Draytek 2860 router.



From here we have an internal network which we use for our office computers and another network for our datacentre (which hosts a few customer servers).




We have installed a pfSense firewall which we'd like to use to manage NAT and routing for the datacentre.



I would like to create a web server in our datacentre, behind the pfSense firewall, on one of the free public static IP addresses I have been assigned. How do I configure this?



I'm thinking I should set up DMZs for all the IPs I'd like to use within the datacentre on the Draytek, then set it up as a 1:1 NAT on my pfSense, but I'm not sure.



I need all outgoing traffic on my internal network, datacentre network and webserver to come from their own dedicated public IP addresses.


Answer



You really shouldn't put a public-facing webserver behind even one NAT (a busy webserver is a really quick way to fill up the NAT connections table).




If you're using the Draytek in NAT mode rather than Routing mode, its DMZ feature is really a 1:1 NAT mapping from one of your public IP addresses to a specific internal IP address.



I don't have enough detail of your specific requirements, but assuming a technical solution would be acceptable, this is possibly how I would approach the problem.



               +---------+       +---------+       +------------+
               |         | <===> | pfSense | <===> | Datacentre |
               |         |       +---------+       +------------+
               #         |
Internet <===> # Draytek |       +----------------+
               #         | <===> |                |
               |         | <===> | Office network |
               |         | <===> |                |
               +---------+       +----------------+


I've used # to denote the NAT boundary.




  1. Set up a separate LAN on the Draytek for the Datacentre.


  2. Use the pfSense firewall in Routing or Transparent mode rather than NAT (I'm not familiar with pfSense specifically, but I assume this is possible).

  3. Have the Draytek manage routing between the Datacentre and Office network, using its internal firewall as appropriate.

  4. Punch as many of the public IPs as necessary through to the Datacentre LAN, either with specific Port Forwarding or as a DMZ host.






If I've misinterpreted your network topology, please do update your question with a suitable schematic. For example, you might mean your leased line terminates on the Draytek and on pfSense, so they're "side by side". But I didn't think that was what you meant.
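As an added example (not part of the question or the answer above), the following Python script models the addressing plan the asker describes: a /29 of eight public addresses, a dedicated egress address per internal network, and a DMZ host (1:1) mapping for the webserver. It checks that every network leaves from its own usable public address and that the webserver replies from the same address it is reachable on. All addresses are constructed stand-ins (RFC 5737 and RFC 1918), not the asker's real ranges.

```python
import ipaddress

# Constructed stand-ins, not the asker's real addresses.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/29")   # 8 public addresses on the leased line
RESERVED = {ipaddress.ip_address("203.0.113.1"),        # ISP gateway
            ipaddress.ip_address("203.0.113.2")}        # Draytek WAN address

# Outbound NAT: internal network -> public address its traffic leaves from.
# The most specific (longest prefix) entry wins, as with an ordered outbound-NAT rule list.
EGRESS = {
    ipaddress.ip_network("192.168.1.0/24"): ipaddress.ip_address("203.0.113.3"),  # office LAN
    ipaddress.ip_network("10.10.0.0/24"):   ipaddress.ip_address("203.0.113.4"),  # datacentre LAN
    ipaddress.ip_network("10.10.0.80/32"):  ipaddress.ip_address("203.0.113.5"),  # webserver
}
# Inbound: Draytek "DMZ host" / 1:1 mapping, public address -> internal host receiving all ports.
DMZ = {ipaddress.ip_address("203.0.113.5"): ipaddress.ip_address("10.10.0.80")}


def usable_public(block=PUBLIC_BLOCK, reserved=RESERVED):
    """Public addresses free for mappings: the block's hosts minus gateway and router WAN."""
    return [ip for ip in block.hosts() if ip not in reserved]


def egress_for(host, egress=EGRESS):
    """Public address a given internal host is NATed from; None if no rule matches."""
    host = ipaddress.ip_address(host)
    matches = [net for net in egress if host in net]
    if not matches:
        return None
    return egress[max(matches, key=lambda n: n.prefixlen)]


def check_plan(egress=EGRESS, dmz=DMZ, block=PUBLIC_BLOCK, reserved=RESERVED):
    """Return the list of requirement violations; an empty list means the plan is consistent."""
    problems = []
    free = set(usable_public(block, reserved))
    owners = {}
    for net, pub in egress.items():
        if pub not in free:
            problems.append(f"{net}: egress address {pub} is not a usable address in {block}")
        if pub in owners:  # every network must leave from its own dedicated public address
            problems.append(f"{net} and {owners[pub]} share egress address {pub}")
        owners.setdefault(pub, net)
    for pub, host in dmz.items():
        if pub not in free:
            problems.append(f"DMZ address {pub} is not a usable address in {block}")
        if egress_for(host, egress) != pub:  # reachable on pub, so it must also reply from pub
            problems.append(f"{host} is reachable on {pub} but sends from {egress_for(host, egress)}")
    return problems


if __name__ == "__main__":
    for line in check_plan() or ["plan is consistent"]:
        print(line)
```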

