DMZ Firewall settings

koelscha · January 20, 2025, 1:10pm

Hi,
With more and more devices and services joining my network, I decided it's time to segment it into functional groups with different firewall zones. One thing that I am struggling with at the moment is the setup of a DMZ for services accessible from the WAN.

What I did before was to just use Port Forwards to my services which all resided in the LAN Zone. Now, I set up a DMZ Zone where I put for example my nginx reverse proxy. Now, I can access my web server from the WAN, but access from the LAN does not work. If I understand correctly, access from the LAN tries to open my web server on the router and does not forward to the DMZ. Here's an excerpt of the relevant firewall settings:

Could you please help me with the configuration? I don't see what I am doing wrong..

koelscha · January 20, 2025, 4:25pm

I found that if I set the Destination Zone in the Port Forward to LAN, I can access the webserver both from LAN and WAN. This does not make any sense to me, because the webserver is not even in the LAN Zone. How can it be accessed?!

The problem with this config is that from the Webserver I cannot access other services in the DMZ Zone. I run a dashboard which would need access to these services

trendy · January 20, 2025, 8:46pm

The reason is the underlying rules that are created in nftables to allow the forwarding and are not working as you would expect when the traffic is not coming from the proper zone.
Some suggestions:

Use the IP of the webserver.
Use the internal hostname of the server.
Create a hostname for the ddns name of the wan to the internal IP of the webserver. Use this with caution as it may interfere with the ddns updates.
Create the necessary SNAT rule when traffic from lan used the wan interface IP.

koelscha · January 20, 2025, 10:27pm

Thanks for your reply. Option 1 and 2 are not viable in this case, as this would always show SSL warnings. Option 3 unfortunately does not work either, as I'm using a reverse proxy with multiple hosts, also on non-http ports.

Could you please explain what I would have to do in your 4th suggestion?

trendy · January 21, 2025, 1:30am

In the advanced settings of the port forward rule enable NAT loopback.
In the reflection zones choose lan zone.

koelscha · January 21, 2025, 9:26am

Thanks, that helped a lot! It still created a problem that did not exist when I just put everything in the LAN zone. I have a paperless instance that is configured in the reverse proxy to only allow connections from 192.168.0.0/16. In my homepage dashboard, the paperless widget does not work with the loopback. Even though I set the loopback source IP to the internal address, I get an access error showing the external IP.

However, I could solve that by changing the dashboard widget config from the domain paperless.mydomain to the internal paperless IP which I now also moved to the DMZ.

system · January 31, 2025, 9:27am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.