0

My first question in this community. Sorry for the basic question, answers are in several posts but I need to put them all together.

I have bought a Google domain and am using Cloudflare as the DNS provider. I have created an A record in Cloudflare that points to the IP address given by my ISP. So far so good.

What I'm expecting now is :

  • All internet HTTPS connections to be sent to the firewall pfSense. pfSense has 2 network cards: one for WAN (DHCP enabled) and another one for LAN (static IP)
  • pfSense to be the default DHCP server and no longer use the ISP DHCP functionality
  • pfSense will reject all connections that are not coming from Cloudflare servers or are not HTTPS requests
  • pfSense will forward the HTTPS requests to the reverse proxy Traefik
  • Traefik finally will forward the request to the right service (sub-domain).
  • Moreover, I'd like to set Pi-hole as the dynamic DNS in pfSense to benefit from its advertisement filtering functionality.

Please note that all these machines are VMs managed by Proxmox. All have fixed IP addresses.

But now I want to make sure that the following steps are correct to build what I want:

1- Do I need to open port 443 (NAT) in the ISP router and forward it to the pfSense IP address? My ISP router has a "DMZ" functionality that basically forwards all requests to the device(s) that are listed in this DMZ. So I guess that on top of NAT, I need to add pfSense to this DMZ?

2- How do I set up the redirection in pfSense of all port 443 HTTPS requests to the Traefik reverse proxy? What kind of rule do I apply? Do I also need to open port 443 on the pfSense server on both the WAN and LAN interfaces? This part is not clear in the docs or posts.

3- How will the devices in my home network discover the pfSense DHCP if I disable the DHCP server functionality in my ISP router?

Sorry if these questions are very basic, but it is quite difficult to put all the information together when you are not a network guy. Thanks

1
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer.
    – Community Bot
    Commented Sep 23, 2022 at 9:55

1 Answer

0

1- Do I need to open port 443 (NAT) in the ISP router and forward it to the pfSense IP address? My ISP router has a "DMZ" functionality that basically forwards all requests to the device(s) that are listed in this DMZ. So I guess that on top of NAT, I need to add pfSense to this DMZ?

Both achieve the same thing, one is just more specific than the other. "DMZ" in most home routers is nothing more than the same NAT, only applied to all protocols and all ports (i.e. it's the final NAT rule that matches everything not otherwise NATed by any "port forward" rules.)

(I'd slightly prefer a different approach – if the ISP router has the "static routing" config available, teach it a route to the pfSense subnet and then NAT stuff directly to VMs.)

2- How do I set up the redirection in pfSense of all port 443 HTTPS requests to the Traefik reverse proxy? What kind of rule do I apply? Do I also need to open port 443 on the pfSense server on both the WAN and LAN interfaces? This part is not clear in the docs or posts.

If the ISP router is NATing everything to pfSense, but Traefik is running on a different system (a Proxmox VM), then you do the same thing that you had to do to get the requests to reach pfSense in the first place: set up a NAT rule redirecting the packets to the Traefik host. (It'll be under the "Port forward" tab in pfSense.)

You will also need a filter rule allowing the traffic in general, but pfSense has an option to add it automatically when creating the NAT rule. By default, pfSense firewall rules are stateful so only the ingress interface needs to allow the traffic (if the requests are arriving through the "WAN" interface, then the filter rule needs to be assigned to "WAN") while responses will automatically be allowed without a rule.

If Traefik is running directly on the pfSense host, then you don't need NAT (it's the same system anyway), just a filter rule.

3- How will the devices in my home network discover the pfSense DHCP if I disable the DHCP server functionality in my ISP router?

The same way they find the ISP Router's DHCP functionality now: they literally broadcast a "DHCPDISCOVER" UDP packet across the entire subnet and wait for a DHCPOFFER to arrive from somewhere.

However, if your description is correct, then you don't need to disable DHCP on your ISP router because all your devices will physically be on a different subnet, so all DHCP discover packets will only reach as far as the pfSense machine (which is the router that separates the two subnets) – only pfSense itself will be able to use your ISP router's DHCP for its "WAN" interface, while anything connected to its "LAN" side won't know about the ISP router at all.
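To make the port-forward and filter-rule part of this answer concrete, here is an added example written for this page; it is not pfSense's generated configuration and not the asker's setup. It is a plain pf.conf ruleset (pf is the packet filter pfSense runs on top of) expressing the same things the answer describes: a translation rule on WAN sending TCP/443 to the Traefik VM, one stateful filter rule on the ingress (WAN) interface only, a source restriction to a table of Cloudflare ranges, and WAN and LAN on separate subnets. The interface names (vtnet0/vtnet1), the 10.0.0.0/24 LAN, the Traefik address 10.0.0.30 and the /etc/pf.cloudflare table file are assumptions; Cloudflare's address ranges are deliberately not reproduced, you fill that file from the list Cloudflare publishes. pfSense users build the equivalent in the GUI (Firewall > NAT > Port Forward with "Add associated filter rule"); the ruleset is here to show what those GUI rules mean.

```pf
# Added example pf.conf, not pfSense's own generated rules.
# Interface names and addresses are assumptions for the example.
wan_if  = "vtnet0"        # WAN NIC; gets its address from the ISP router's DHCP
lan_if  = "vtnet1"        # LAN NIC; static address on a separate subnet
lan_net = "10.0.0.0/24"   # must NOT be the same subnet as the ISP router's LAN
traefik = "10.0.0.30"     # Traefik VM on the pfSense LAN side (assumed address)

# Only Cloudflare's published ranges may reach port 443. The file is an
# assumption; populate it from Cloudflare's published IP list, one CIDR per line.
table <cloudflare> persist file "/etc/pf.cloudflare"

set skip on lo0

# --- translation (pf evaluates these before the filter rules) ---

# The ISP router forwards TCP/443 to the pfSense WAN address. Here, traffic
# arriving on WAN for port 443 from a Cloudflare source is redirected to
# Traefik. Anything else is left untranslated and hits the default block.
rdr on $wan_if inet proto tcp from <cloudflare> to ($wan_if) port 443 -> $traefik port 443

# Outbound source NAT so LAN clients share the WAN address.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# --- filtering ---

# Default deny for inbound traffic on every interface.
block in log all

# The filter rule lives on the ingress interface (WAN) only and is evaluated
# after translation, so it matches the translated destination (Traefik), not
# the WAN address. "keep state" is what lets the replies out without a LAN
# rule, as the answer describes.
pass in quick on $wan_if inet proto tcp from <cloudflare> to $traefik port 443 flags S/SA keep state

# LAN clients may initiate anything; pfSense installs a similar default LAN rule.
pass in quick on $lan_if inet from $lan_net to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. Note the two places the source restriction appears: in the rdr rule and again in the pass rule. Leaving it out of the pass rule would let any source that somehow reached the translated address through, so the restriction is kept on both.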

3
  • Thanks a lot. Will apply this and check if this is OK.
    – Jerome
    Commented Sep 24, 2022 at 15:53
  • Well, got confused. The pfSense VM has 2 interfaces: WAN is DHCP and LAN is static IPv4, as explained in several tutorials. The DHCP gives an IP address to WAN such as 192.168.1.76 whereas I set LAN to 192.168.1.20. I opened 443 in the FW rules for the WAN interface. Then I tried to NAT my ISP modem to the WAN IP address. Failed to access any service. I NAT my ISP to the LAN address and this "works" but of course the firewall is alerting that there is something wrong. So finally, why does the traffic not seem to go to the WAN IP address?
    – Jerome
    Commented Sep 24, 2022 at 16:33
  • Why does it sound like you're trying to use the same subnet numbering for two separate interfaces? Having the same 192.168.1.0/24 on both networks is wrong.
    Commented Sep 24, 2022 at 19:54
