pfSense VPN to Debian with NAT for DMZ

Current Situation

Hello there,

currently I have the following system running:

  • A pfSense Firewall/Router with a dynamic public IP address and NAT on port 80 into my DMZ network. It also has dynDNS configured for private-ip.example.com.
  • A web server inside my DMZ which serves my website.
  • A Debian VPS in the cloud, with the IP 1.1.1.1. It is running Nginx as reverse proxy, which forwards everything coming into port 80 to private-ip.example.com.
  • The domain example.com pointing to 1.1.1.1.

With this system in place, I can host everything at home without anyone knowing, because they only see the Debian VPS and the IP 1.1.1.1. Furthermore, if someone decides to attack example.com with DDoS, they will just kill the VPS and the rest of my private network will work just fine.

The Problems

This system has been running multiple servers of all kinds (not only web, but also applications) for over a year now without any major issues, but it's not exactly how I want it. The firewall and everything inside the DMZ can only see traffic coming from 1.1.1.1 and don't know anything about the clients that are actually requesting something. Furthermore, if a server in my DMZ wants to connect to another server on the internet, it uses the pfSense router's IP and not 1.1.1.1. I also can't use IPv6, because my pfSense doesn't get one from the ISP.

I searched the web for solutions, asked system administrators (work colleagues) but didn't find anything that worked as I'd like it to.


Solution Ideas

My idea was that I build up a VPN connection from my pfSense to the VPS and set it as the gateway for the DMZ. With this solution, everything sent from the DMZ will be routed through 1.1.1.1, so the other side will see that IP.

This would only solve half of the problem, so I need some kind of NAT from the VPS to my pfSense, so that everything incoming from the internet to specific ports on the VPS will be routed (through the VPN) to my pfSense, which will also NAT the request to the DMZ.

With this solution the servers inside the DMZ would see the client IP and the client would see the answer coming from 1.1.1.1.

The problem is that I don't know any keywords or how to find anything that could accomplish the things I described, so I don't know what I should Google.


The Questions

  • Are there names/keywords for any solutions to my problems, so I can inform myself?
  • Is there a better system that can accomplish similar tasks?
  • Which software could solve one or many problems?

Thank you for reading this post and thanks in advance for your response. :)


1 Answer

This would only solve half of the problem, so I need some kind of NAT from the VPS to my pfSense, so that everything incoming from the internet to specific ports on the VPS will be routed (through the VPN) to my pfSense, which will also NAT the request to the DMZ.

That's just the regular kind of NAT (DNAT), the same as you're already using on pfSense for port 80. On Linux it can be implemented through nftables or iptables.

However, it would be better if you didn't NAT to pfSense, but directly to the DMZ web server. There is no need for NAT if you control all hops and can configure the correct routes; i.e. once the pfSense↔Debian VPN is established, the Debian VPS can be taught a route to the DMZ prefix via pfSense (through the VPN). (This doesn't have a specific name, it is standard IP routing.)

(You would still need one layer of NAT, but only at the edge, i.e. on the Debian cloud VPS.)
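The following script is an added example (not code from the question, the answer or any project) of what the answer describes on the Debian VPS: an nftables DNAT rule that sends inbound web traffic straight to the DMZ server over the VPN without source NAT, a masquerade rule as the single NAT layer at the edge for traffic leaving the DMZ, a forward chain that only admits DNAT'ed connections into the tunnel, and the plain static route that tells the VPS the DMZ prefix is reachable via pfSense. Everything except the VPS address 1.1.1.1 is an assumption: WAN interface eth0, VPN interface wg0 (e.g. WireGuard), pfSense's VPN-side address 10.8.0.2, DMZ prefix 192.168.50.0/24 and DMZ web server 192.168.50.10.

```shell
#!/bin/sh
# Added example, not from the original post or answer: render (and optionally apply)
# the nftables DNAT ruleset and the return route on the Debian VPS.
# Assumed values (not from the page), overridable from the environment:
WAN_IF="${WAN_IF:-eth0}"                      # VPS public-facing interface
VPN_IF="${VPN_IF:-wg0}"                       # tunnel towards pfSense
VPS_PUBLIC_IP="${VPS_PUBLIC_IP:-1.1.1.1}"     # from the question
PFSENSE_VPN_IP="${PFSENSE_VPN_IP:-10.8.0.2}"  # pfSense address inside the tunnel
DMZ_PREFIX="${DMZ_PREFIX:-192.168.50.0/24}"   # DMZ network behind pfSense
DMZ_WEB="${DMZ_WEB:-192.168.50.10}"           # DMZ web server

# Emit the nftables ruleset as text so it can be reviewed (nft -c -f) before loading.
render_ruleset() {
cat <<EOF
table inet vpsnat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound web traffic to the VPS public address is DNAT'ed straight to the DMZ
        # server. No source NAT here, so the DMZ server sees the real client address.
        iifname "$WAN_IF" ip daddr $VPS_PUBLIC_IP tcp dport { 80, 443 } dnat ip to $DMZ_WEB
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound traffic from the DMZ leaves with the VPS public address: the one
        # layer of NAT at the edge that the answer mentions.
        oifname "$WAN_IF" ip saddr $DMZ_PREFIX masquerade
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only connections that matched a DNAT rule may enter the tunnel; anything
        # else from the WAN towards the VPN is dropped by the chain policy.
        iifname "$WAN_IF" oifname "$VPN_IF" ct status dnat accept
        # DMZ hosts may initiate outbound connections through the VPS.
        iifname "$VPN_IF" oifname "$WAN_IF" ip saddr $DMZ_PREFIX accept
    }
}
EOF
}

# Standard IP routing, no NAT: the DMZ prefix is reachable via pfSense over the tunnel.
route_command() {
    printf 'ip route replace %s via %s dev %s\n' "$DMZ_PREFIX" "$PFSENSE_VPN_IP" "$VPN_IF"
}

# Syntax-check and load the ruleset, enable forwarding, install the route. Needs root.
apply_config() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    render_ruleset | nft -c -f - || return 1
    render_ruleset | nft -f -
    sysctl -q -w net.ipv4.ip_forward=1
    eval "$(route_command)"
}

case "${1:-render}" in
    render) render_ruleset; route_command ;;
    apply)  apply_config ;;
    *)      echo "usage: $0 [render|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to print the ruleset and route for review, and with `apply` as root to load them. Because the DMZ server replies to the client's real address, those replies must also leave through the tunnel: the DMZ's default gateway has to be the VPN (as the question already plans), and pfSense needs a firewall rule passing traffic arriving on the VPN interface towards the DMZ host. If replies went out via the pfSense WAN instead, the asymmetric path would be dropped by the VPS's connection tracking and by the ISP.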
