SRX Services Gateway

Creating a DMZ setup

09-25-2018 09:53 AM

I have a simple consumer-grade ADSL router that has a DMZ configured to a local IP of 192.168.1.1. At this address sits the WAN interface of an OPNsense box. This is configured as an endpoint for VPN tunnels, with traffic being passed to servers on the LAN. Outbound traffic from the LAN is unrestricted and is required for fetching updates, some browsing, etc.


I want to replace the aforementioned ADSL router with an SRX320. How do I re-create the above, i.e. create a DMZ-like setup that allows traffic to flow in and out as described above?

3 REPLIES

Re: Creating a DMZ setup

09-25-2018 10:33 AM

You would need to do a destination NAT for the OPNsense box. How this is done will depend on how many public IPs you have, and also on what type of traffic OPNsense uses (SSL VPN vs IPsec VPN). As for the outbound LAN traffic, you would need to set up a source NAT to NAT the traffic outbound. Of course, you would also need security policies for each of these setups.


Re: Creating a DMZ setup

09-25-2018 11:56 AM

To be frank, I don't 'need' a full DMZ-like setup. Here's some of the finer detail (i.e. what I need to achieve):


The OPNsense box terminates 3x SSL tunnels using UDP ports 1194, 1195 and 1196 respectively. This uses 1 public IP only.


As an aside, whilst I can browse the internet from the LAN side of the OPNsense box, I cannot ping anything on the internet. Why might this be? Tracert to websites completes OK.


Re: Creating a DMZ setup

09-25-2018 03:39 PM

There could be many reasons for that.


As for the VPNs, you would just need to do a destination NAT for those UDP ports to forward the traffic to your OPNsense box.


set security nat destination pool OPNsense address 192.168.1.x/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule OPNsense match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule OPNsense match destination-port 1194 to 1196
set security nat destination rule-set dst-nat rule OPNsense match protocol udp
set security nat destination rule-set dst-nat rule OPNsense then destination-nat pool OPNsense


You would then need to have a source NAT for outbound traffic that originates on the LAN (including OPNsense).


set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface


And security policies for both directions as well.


Configure address book:

set security address-book trust address OPNsense 192.168.1.x/32


Define custom application:

set applications application OPNsense-custom-application protocol udp
set applications application OPNsense-custom-application source-port 0-65535
set applications application OPNsense-custom-application destination-port 1194-1196


Set inbound policy:

set security policies from-zone untrust to-zone trust policy OPNsense match source-address any
set security policies from-zone untrust to-zone trust policy OPNsense match destination-address OPNsense
set security policies from-zone untrust to-zone trust policy OPNsense match application OPNsense-custom-application
set security policies from-zone untrust to-zone trust policy OPNsense then permit


And outbound policy:

set security policies from-zone trust to-zone untrust policy any-policy match source-address any
set security policies from-zone trust to-zone untrust policy any-policy match destination-address any
set security policies from-zone trust to-zone untrust policy any-policy match application any
set security policies from-zone trust to-zone untrust policy any-policy then permit
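Added example, not from this thread or from Juniper: a small Python checker that parses Junos set statements and reports references to undefined objects (application, address-book entry, destination-NAT pool), which is the kind of slip that silently leaves an inbound policy matching nothing. It runs over a constructed copy of the reply's configuration in which 192.168.1.10 stands in for "192.168.1.x" and the policy references an application name that was never defined.

```python
# Constructed sample (not the poster's exact text): the reply's set statements,
# with 192.168.1.10 standing in for "192.168.1.x" and a policy that references
# an application name which is never defined, so the checker has something to catch.
SAMPLE = """\
set security nat destination pool OPNsense address 192.168.1.10/32
set security nat destination rule-set dst-nat from zone untrust
set security nat destination rule-set dst-nat rule OPNsense match destination-address 1.1.1.1/32
set security nat destination rule-set dst-nat rule OPNsense match destination-port 1194 to 1196
set security nat destination rule-set dst-nat rule OPNsense match protocol udp
set security nat destination rule-set dst-nat rule OPNsense then destination-nat pool OPNsense
set security address-book trust address OPNsense 192.168.1.10/32
set applications application OPNsense-custom-application protocol udp
set applications application OPNsense-custom-application destination-port 1194-1196
set security policies from-zone untrust to-zone trust policy OPNsense match source-address any
set security policies from-zone untrust to-zone trust policy OPNsense match destination-address OPNsense
set security policies from-zone untrust to-zone trust policy OPNsense match application OPNsense-custom-services
set security policies from-zone untrust to-zone trust policy OPNsense then permit
"""

def lint(config):
    """Return a list of dangling references found in Junos 'set' statements."""
    apps, addrs, pools = set(), set(), set()
    refs = []  # (kind, owner, name) references, resolved after parsing everything
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] != "set":
            continue
        if w[1:3] == ["applications", "application"]:
            apps.add(w[3])
        elif w[1:3] == ["security", "address-book"]:
            addrs.add(w[5])  # set security address-book ZONE address NAME PREFIX
        elif w[1:5] == ["security", "nat", "destination", "pool"]:
            pools.add(w[5])
        elif w[1:5] == ["security", "nat", "destination", "rule-set"] and "rule" in w:
            i = w.index("rule")
            if w[i + 2:i + 5] == ["then", "destination-nat", "pool"]:
                refs.append(("pool", f"dst-nat rule {w[i + 1]}", w[i + 5]))
        elif w[1:3] == ["security", "policies"] and len(w) > 11 and w[9] == "match":
            owner = f"policy {w[8]}"  # ... to-zone ZONE policy NAME match KEY VALUE
            if w[10] == "application":
                refs.append(("application", owner, w[11]))
            elif w[10].endswith("-address"):
                refs.append(("address", owner, w[11]))
    defined = {"pool": pools, "application": apps, "address": addrs}
    findings = []
    for kind, owner, name in refs:
        # "any" and the junos-* predefined applications need no local definition
        builtin = name == "any" or (kind == "application" and name.startswith("junos-"))
        if not builtin and name not in defined[kind]:
            findings.append(f"{owner}: undefined {kind} {name}")
    return findings
```

Fixing the name in the sample (OPNsense-custom-services to OPNsense-custom-application) makes lint() return an empty list.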
