routing with DMZ between internal and external firewall

routing with DMZ between internal and external firewall

Volker Nowarra-2
Hi,

I have a question concerning static routes and default gateways for a
DMZ setup, with internal and external firewall.
A DNS in the DMZ shall be used from internal machines, and later a http
proxy from internal and external machines.
The setup is within a network of a bigger data centre with its own edge
router. I cannot change anything on this edge router.
I am using OpenBSD 6.6, and IP forwarding is activated on both firewalls.
Here an ASCII pic (for better viewing also here:
https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):

|--------|   |---------|       |---------| /-------------\
| int_pc |---| int_fw  |-------| ext_fw  |---| Data Center |---> Internet
|--------|   |em0   em1|   |   |em0   em1|   | Edge Router |
              |---------|   |   |---------| \-------------/
                            |
                     |------------|
                     | DNS & http |
                     |------------|

Setup of default routes:
   int_pc  -> IP address of em0 on int_fw
   int_fw  -> IP address of em0 on ext_fw
   DNS     -> IP address of em0 on ext_fw
   ext_fw  -> IP address of external interface

Without any firewall rules (pfctl -d), I observe:

  1.) I cannot ping from int_pc to DNS, and vice versa.
  2.) I cannot ping from int_pc to em0 on ext_fw

I can observe with tcpdump that the ping echo request leaves int_pc, goes
through int_fw and reaches the network card of DNS or em0 on ext_fw. As
the default route of DNS is pointing to ext_fw, the ping echo reply is
sent to ext_fw, which doesn't know what to do with the IP address of
int_pc, and ignores the packet. I get this.
So I can set a static route on the DNS or on the external firewall, like
this

   route add -inet {network of int_pc} {IP address of em1 on int_fw}

and then pinging back and forth works.
But setting static routes on all DMZ machines and ext_fw doesn't seem
right to me(?).

What would be the correct design?
Can I use "only" the ext_fw with a static route, so that packets from
DNS would travel twice through DMZ net (from DNS to ext_fw, and then
from ext_fw via int_fw back to int_pc)?

The information I found on misc@ and the internet is usually talking about
a "home router" with NAT and three network cards, where one leg supplies
the DMZ... Mine is different, and I think I do not need NAT here?

thx


Re: routing with DMZ between internal and external firewall

Claudio Jeker
On Mon, Mar 16, 2020 at 09:49:30AM +0100, pebwindkraft wrote:

> Hi,
>
> I have a question concerning static routes and default gateways for a DMZ
> setup, with internal and external firewall.
> A DNS in the DMZ shall be used from internal machines, and later a http
> proxy from internal and external machines.
> The setup is within a network of a bigger data centre with its own edge
> router. I cannot change anything on this edge router.
> I am using OpenBSD 6.6, and IP forwarding is activated on both firewalls.
> Here an ASCII pic (for better viewing also here:
> https://ln2.sync.com/dl/9da92f730/wrzi9rse-xh9sqzed-cst55auv-y39rkrwj):
>
> |--------|   |---------|       |---------| /-------------\
> | int_pc |---| int_fw  |-------| ext_fw  |---| Data Center |---> Internet
> |--------|   |em0   em1|   |   |em0   em1|   | Edge Router |
>              |---------|   |   |---------| \-------------/
>                            |
>                     |------------|
>                     | DNS & http |
>                     |------------|
>
> Setup of default routes:
>   int_pc  -> IP address of em0 on int_fw
>   int_fw  -> IP address of em0 on ext_fw
>   DNS     -> IP address of em0 on ext_fw
>   ext_fw  -> IP address of external interface
>
> Without any firewall rules (pfctl -d), I observe:
>
>  1.) I cannot ping from int_pc to DNS, and vice versa.
>  2.) I cannot ping from int_pc to em0 on ext_fw
>
> I can observe with tcpdump that the ping echo request leaves int_pc, goes
> through int_fw and reaches the network card of DNS or em0 on ext_fw. As the
> default route of DNS is pointing to ext_fw, the ping echo reply is sent to
> ext_fw, which doesn't know what to do with the IP address of int_pc, and
> ignores the packet. I get this.
> So I can set a static route on the DNS or on the external firewall, like
> this
>
>   route add -inet {network of int_pc} {IP address of em1 on int_fw}
>
> and then pinging back and forth works.
> But setting static routes on all DMZ machines and ext_fw doesn't seem
> right to me(?).
>
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packets from DNS
> would travel twice through DMZ net (from DNS to ext_fw, and then from ext_fw
> via int_fw back to int_pc)?
>
> The information I found on misc@ and the internet is usually talking about a "home
> router" with NAT and three network cards, where one leg supplies the DMZ...
> Mine is different, and I think I do not need NAT here?
>

You need to add routes for your internal network on ext_fw and on the DNS
box. They need to know that those networks are reachable via int_fw. These
routes are more specific and will make sure that the traffic has a path
back to int_pc.

--
:wq Claudio


Re: routing with DMZ between internal and external firewall

Marko Cupać
In reply to this post by Volker Nowarra-2
On Mon, 16 Mar 2020 09:49:30 +0100
pebwindkraft <[hidden email]> wrote:

> Hi,
>
> I have a question concerning static routes and default gateways for a
> DMZ setup, with internal and external firewall.
> ...
> What would be the correct design?
> Can I use "only" the ext_fw with a static route, so that packages
> from DNS would travel twice through DMZ net (from DNS to ext_fw, and
> then from ext_fw via int_fw back to int_pc)?
>
> The information I found on misc@ and internet is usually talking
> about "home router" with NAT and three network cards, where one leg
> supplies the DMZ... Mine is different, and I think I do not need NAT
> here?

Hi,

I have a similar setup. Being on public IP space, I treat my DMZ as
"Internet", meaning private IP addresses, either from the Internet or
from the internal network, must not be able to contact it.

So, I NAT everything from the internal network to the DMZ, which results in DNS
& http seeing requests from em1, and not from the internal network.

Should you need more information don't hesitate to ask.

Regards,

--
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
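A small model of the topology in this thread, added here as an illustration and not code from any of the posters: each host gets a routing table exactly as the original post lists them, a longest-prefix lookup stands in for the kernel FIB, and a hop-by-hop trace shows why the echo reply dies with default routes only, how Claudio's more specific return route fixes it (on ext_fw alone, giving the "twice through the DMZ net" path, or on the DNS box too), and why Marko's NAT-to-em1 approach needs no return route at all. Every address is constructed; the thread gives none.

```python
import ipaddress
# Constructed addresses: the thread names no IPs, so these are assumptions (RFC 5737 / RFC 1918 space).
INT_NET, DMZ_NET, EXT_NET = "10.0.0.0/24", "192.0.2.0/24", "198.51.100.0/24"
INT_PC, INT_FW_EM0, INT_FW_EM1 = "10.0.0.10", "10.0.0.1", "192.0.2.1"
DNS, EXT_FW_EM0, EXT_FW_EM1 = "192.0.2.53", "192.0.2.254", "198.51.100.2"
EDGE = "198.51.100.1"   # data-centre edge router: out of our control, knows nothing of INT_NET, so not modelled

# Which host owns which address; a next hop that nobody owns means the packet leaves the model (lost).
OWNER = {INT_PC: "int_pc", INT_FW_EM0: "int_fw", INT_FW_EM1: "int_fw", DNS: "dns",
         EXT_FW_EM0: "ext_fw", EXT_FW_EM1: "ext_fw"}

# Routing tables as the thread describes them: connected nets plus the listed default routes.
BASE_TABLES = {
    "int_pc": {INT_NET: "direct", "0.0.0.0/0": INT_FW_EM0},
    "int_fw": {INT_NET: "direct", DMZ_NET: "direct", "0.0.0.0/0": EXT_FW_EM0},
    "dns":    {DMZ_NET: "direct", "0.0.0.0/0": EXT_FW_EM0},
    "ext_fw": {DMZ_NET: "direct", EXT_NET: "direct", "0.0.0.0/0": EDGE},
}

def lookup(table, dst):
    """Longest-prefix match, as the kernel FIB does: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p).prefixlen, nh) for p, nh in table.items()
            if dst in ipaddress.ip_network(p)]
    return max(hits)[1] if hits else None

def trace(tables, src, dst):
    """Forward one packet hop by hop; returns the hosts visited, ending in 'delivered' or 'dropped'."""
    path, cur = [src], src
    for _ in range(8):                       # TTL-style guard against routing loops
        nh = lookup(tables[cur], dst)
        target = dst if nh == "direct" else nh
        if nh is None or target not in OWNER:
            return path + ["dropped"]        # no route, or the next hop is outside the modelled links
        path.append(cur := OWNER[target])
        if target == dst:
            return path + ["delivered"]
    return path + ["dropped"]

def with_return_routes(hosts):
    """Claudio's fix: a more specific route for INT_NET via int_fw's em1 on each of the given hosts."""
    tables = {h: dict(t) for h, t in BASE_TABLES.items()}   # copy, leave BASE_TABLES untouched
    for h in hosts:
        tables[h][INT_NET] = INT_FW_EM1
    return tables

if __name__ == "__main__":
    print("echo reply, default routes only:", trace(BASE_TABLES, "dns", INT_PC))
    print("reply with route on ext_fw only:", trace(with_return_routes(["ext_fw"]), "dns", INT_PC))
    print("reply when int_fw NATs to em1:  ", trace(BASE_TABLES, "dns", INT_FW_EM1))
```

The NAT case stops at int_fw because that is where pf would translate the reply back to int_pc; the model covers routing only.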