Score:0

Re-route all internet traffic through firewall

cn flag

I'm setting up a dual firewall setup with a DMZ and an internal network. The servers are dedicated root servers running Debain Bullseye, all necessarily having a NIC with a public IP. In addition, servers in the DMZ have a second NIC going to a switch.

Another dedicated root server is setup as firewall (pfSense), attached to the same switch. Now I want to route all incoming traffic from each dedicated root server through this firewall by routing all traffic from the public NICs through the second NIC, then through the firewall and back.

I'm struggling with the Debian network interface configuration. Could you provide me an example config how such re-routing should be done?

UPDATE

This is my bare config at the moment (IPs are fake of course). How should I change the config in order to use the pfSense server as a gateway as suggested?

auto lo
iface lo inet loopback
iface lo inet6 loopback

auto enp8s0
iface enp8s0 inet static
  address 99.23.95.122
  netmask 255.255.255.192
  gateway 99.23.95.1
  # route 99.23.95.3/26 via 99.23.95.1
  up route add -net 99.23.95.3 netmask 255.255.255.192 gw 99.23.95.1 dev enp8s0

auto enp1s0
iface enp1s0 inet static
        address  10.22.0.2/24
#        gateway  10.22.0.1
        pointopoint 10.22.0.1
        up sysctl -w net.ipv4.ip_forward=1
        up route add -net 10.22.0.0/24 gw 10.22.0.1 dev enp1s0

UPDATE 2

My network is as follows:

  • 10GB Switch with 2 VLANs for internal network and DMZ
  • External Firewall server running pfSense
  • Internal firewall server running OPNsense
  • 2 servers in the DMZ, each having 2 NICs: one with public IP directly connected to the provider, one private NIC connected via the Switch to same VLAN as the external firewall
  • Similar setup for internal network: dedicated VLAN, two NICS. Only way to get into the internal network is via VON forwarded from external firewall to internal Firewall with VPN server on on it.

Thus what I want to achieve is to forward all incoming traffic from the two servers in the DMZ to the external firewall, before any service on the server gets it. For example, how can I configure incoming traffic to be forwarded to the internal NIC then to the firewall where it‘s filtered, and back?

UPDATE 3

Infratsucture ovierview:

Infrastructure overview

djdomi avatar
za flag
the pfsense has to be set as gateway, but remember that the question is in here if this is a public hoster that denies such setup or are you running your own steel?
cn flag
This should be possible. I'll update the question with a current bare config.
djdomi avatar
za flag
you still hide your network. why are you dont explaining your network situation?
vidarlo avatar
ar flag
Can you provide a drawing of desired traffic flow and physical connections?
cn flag
@vidarlo I've added an infrastructure overview. As you can see, servers e1 and e2 in the DMZ have a public IP and in order to use the IPs they must use the root server company's gateway. What I want is traffic coming from the public WAN NIC to be forwarded to the firewall server (e0). e0 has three NICs: one public WAN, one to the DMZ VLAN and one crossover to the internal firewall.
vidarlo avatar
ar flag
I don't entirely grok your problem. Does the servers in DMZ have an *additional* interface towards the public Internet? Or do you have a public subnet routed towards you? If you have additional interfaces on the servers facing internet, the solution is probably to *move* those interfaces to your pfsense box, and NAT/forward traffic from there.
cn flag
Servers in the DMZ have each a dedicated WAN interface and public IP on it. The dedicated root servers are managed over this WAN interface, e.g. they can be reset or rescued or managed from the management console of the hosting service. This cannot be changed, thus my idea to forward traffic from the WAN interface to internal and from there to the firewall and back.
Peter Zhabin avatar
cn flag
First off, if you have a firewall, the proper method of accessing anything behind it would be through the public firewall interface (that is it's public IP). Any host with a public network interface behind a firewall creates a backdoor that could be exploited. I think you assume that forwarding traffic from these interfaces to the firewall via internal net may solve this issue; however it just gets unauthorized traffic on the internal net. I.e. your current setup with routing enabled allows anyone on the same public subnet to forward traffic to your internal net via routing..
cn flag
@PeterZhabin Thank you very much for this comment. This guided me to the probably right direction: I've requested an additional IP for the external firewall and will forward it from there to the server in the DMZ.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.