DMZ within the home network

Hello everyone,

I'm just not making any progress with my tests and need some help.
I want to make sure the settings are correct and that I have a secure firewall configuration.

First, the system setup:
I have a Fritzbox (router, modem, and firewall) with an internet connection.
IPv4 and IPv6 are enabled in the Fritzbox, and it provides "Router Advertisement" as well as a "DHCPv6 server" with IA_PD and IA_NA.

My home network has the IP range 172.28.0.0.

Now I want to run some Debian servers (which have access via port forwarding from the internet) in a DMZ. I want to do this for security reasons in case one of the servers were to be hacked. This would prevent the attacker from directly accessing the private network 172.28.0.0. In this example, the DMZ would be 10.90.0.0.

I need and want to keep the private network connected directly to the Fritz!Box, as countless SIP devices, etc., are connected there. It would be conceivable to separate the network, but as I said, I don't want to do that. My goal is to isolate only the externally accessible servers.

In my home network, I then run a Ubiquiti EdgeRouter with OpenWRT.
One "LAN" interface has the IP 172.28.0.19 on the home network side. Another "DMZ" interface has the IP 10.90.0.1 on the DMZ side.
To also be IPV6-capable, I configured DHCP as the master interface on the "LAN" interface (checked) with RA service, DHCPv6 service, and NDP proxy as "relay mode." On the "DMZ" interface, RA service, DHCPv6 service, and NDP proxy are set to "relay mode" so that the IPV6 addresses are passed from the Fritzbox to the DMZ, which works perfectly.

Everything is accessible from the DMZ, the LAN, and the internet. So far, so good.

The challenge now is the firewall. First of all, some port forwarding with IPV4 and IPV6 to the servers in the DMZ is already configured in the Fritzbox - and it works so far.

The goal of securing it with OpenWRT is:
The servers in the DMZ should not be able to access private IPV4 or private IPV6 areas in the home network. The "DMZ" can be accessed from the "LAN."

The challenge is: The "DMZ" can only access the internet via the "LAN" interface, since the data connection extends through the LAN.

The idea was to have traffic rules in the following order:

  1. The "DMZ" may not access the IP of the Fritzbox (IPv4 and IPv6).
  2. The "DMZ" is not allowed to access IP address ranges like 172.28.0.0/24 or IPv6 private addresses (how to implement this?).
  3. The "DMZ" is allowed to access the "LAN" (IPv4 and IPv6).

If I now set the firewall default settings for Input, Output, and Forward to 'REJECT', as well as the zone settings for Input, Output, and Forward to 'REJECT', and only create traffic rules as mentioned above, I run into problems with IPV6 connections. This will probably stall the "Router Advertisement."

Does anyone have any idea how to configure OpenWRT for this purpose so that the DMZ works equally well for IPV4 and IPV6 within the home network, while simultaneously preventing access from the DMZ to the private network?

Thank you.
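An /etc/config/firewall sketch of the rule order listed in the post, added here as an example and not taken from the original thread. It assumes the OpenWrt interfaces are named lan and dmz, the DMZ is 10.90.0.0/24, the firewall defaults are REJECT as described, and 2001:db8::1 is a placeholder for the Fritzbox's global IPv6 address:

```uci
config zone                     # side facing the Fritzbox (172.28.0.19)
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'

config zone                     # 10.90.0.1; input/forward stay REJECT from defaults
	option name 'dmz'
	list network 'dmz'
	option output 'ACCEPT'      # RAs and DHCPv6 replies from odhcpd leave here

config forwarding               # LAN may reach the DMZ
	option src 'lan'
	option dest 'dmz'
config forwarding               # DMZ reaches the internet only through LAN ...
	option src 'dmz'
	option dest 'lan'

config rule                     # ... but rules are evaluated before forwardings:
	option name 'Block-DMZ-to-private-v4'   # home net incl. the Fritzbox
	option src 'dmz'
	option dest 'lan'
	option family 'ipv4'
	list dest_ip '172.28.0.0/24'
	option target 'REJECT'
config rule
	option name 'Block-DMZ-to-private-v6'   # ULA range + Fritzbox GUA (placeholder)
	option src 'dmz'
	option dest 'lan'
	option family 'ipv6'
	list dest_ip 'fc00::/7'
	list dest_ip '2001:db8::1'
	option target 'REJECT'
config rule
	option name 'Allow-DMZ-ICMPv6-Input'    # RS/NS/NA to the router keep NDP alive
	option src 'dmz'
	option family 'ipv6'
	option proto 'icmp'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'neighbour-advertisement'
	option target 'ACCEPT'
config rule
	option name 'Allow-DMZ-DHCPv6-Input'    # client -> DHCPv6 relay on the router
	option src 'dmz'
	option family 'ipv6'
	option proto 'udp'
	option dest_port '547'
	option target 'ACCEPT'
```

DMZ hosts that take IPv4 addresses or DNS from the EdgeRouter itself would need matching input rules for UDP 67 and 53, which are not shown here.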

Maybe just setup DMZ as a guest subnet which is isolated?
See: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

Thanks for the info.
Unfortunately, that doesn't really help, since the private network was separated in the example. In the example, the LAN and guest exist side by side and merge into the WAN, which in the example also appears to be a private network behind another router.
I, however, would like to isolate the DMZ within a private network and not set it up in parallel.
The topic of IPV6 is also completely ignored in the example.

Still a guest network.