My home-based virtualized network was set up using VirtualBox to simulate a boxed-in DMZ inside a normal LAN. There are many discussions about best practices and about whether or not you should host services at home, but for me this was something I built when I wasn't satisfied with the cloud services offered online. Today I consider those services adequate, which is why I use Weebly and WordPress, so my virtual LAN server is actually used as a lab to hack on or experiment with software. Still, I felt I should write up the details before I took it offline. The pictures below are all running Opera Unite, WordPress, and MySQL in what I call Azcrumpty's Wonderblog.
pfSense NAT Rules
The firewall NAT rules show the mappings for external-to-internal NAT of the HTTP and SSH services. These rules enable full access via my actual ISP-assigned address. Remember that I originally designed this to enable access to WWW services at home, so access to SSH, HTTP, and HTTPS all goes into tier 1. Tier 1 is multihomed, so to speak: you can get in from my ISP address and run Apache for HTTP or Webmin for HTTPS, or you can get into tier 1 from Opera Unite. This is a nice feature because I can use my IP address for personal use and use Opera Unite's address for public consumption. Opera Unite enables me to hide my personal IP address and not publicly expose my network the way a dynamic DNS address does.
pfSense WAN Interface Rules
The WAN interface rules, from top to bottom, allow access from all hosts to the WAN services HTTP, HTTPS, and SSH. The next line allows OpenVPN from the internal network. The final line allows full access from the VPN to all hosts in the network.
pfSense LAN as Tier 1
The first two rules deny access to the local home network and the cable modem. The next line denies access to all hosts on the OpenVPN network. The following rules allow the tier 1 LAN access to the LAN proxy port 3128, to the LAN DNS, and to the LAN NTP server. The next two lines enable tier 1 to tier 2 HTTP/HTTPS access so the Opera Unite reverse proxy can talk to the Apache server coupled with WordPress. The final rule allows ALL outbound traffic except to the 192.168 Class B (192.168.0.0/16), which lets the Opera Unite browser connect wherever it wants, because I didn't feel like trying to white-list everything the browser needed access to. This rule would not be there if I used a typical reverse proxy such as Squid or Apache's mod_proxy together with the ISP-assigned address.
pfSense OPT1 LAN as WordPress Tier 2
The tier 2 LAN uses a similar design, denying access to the local LAN and the cable modem and enabling the supporting services for the servers within tier 2. The second-to-last line enables MySQL access to tier 3 so WordPress can reach its database. The last line enables rsync access via SSH to tier 1, because Opera Unite insists on serving static content locally from the computer that runs Opera Unite. I could have also opened NFS from tier 1 to tier 2 and mounted the document root of the server read-only in tier 1, allowing Opera Unite to see the static content.
pfSense OPT2 LAN as MySQL Tier 3
Tier 3 LAN uses the same settings as the other tiers.
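The tier rule sets above are ordered lists where the first match wins, which is why the "deny home LAN, cable modem and VPN" rules sit at the top and the "allow all outbound except 192.168/16" rule sits at the bottom. The following is an added example, not part of the original post or of pfSense, that models those rule sets as a first-match policy and checks a handful of flows against them so the isolation between tiers can be verified before trusting it. The only addresses taken from the post are the home LAN 192.168.1.0/24 and the 192.168.0.0/16 exclusion; the tier subnets, the cable-modem address, the OpenVPN subnet and the pfSense interface addresses are assumed placeholders.

```python
# Added example, not part of the original post: a first-match simulator for the
# tiered pfSense rule sets described above. All subnets except the home LAN
# (192.168.1.0/24) and the 192.168.0.0/16 exclusion are assumed placeholders.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOME_LAN = "192.168.1.0/24"      # from the post
MODEM = "192.168.100.1/32"       # assumed cable-modem address
VPN_NET = "10.8.0.0/24"          # assumed OpenVPN subnet
TIER1 = "192.168.10.0/24"        # assumed LAN: Opera Unite reverse proxy
TIER2 = "192.168.20.0/24"        # assumed OPT1: Apache + WordPress
TIER3 = "192.168.30.0/24"        # assumed OPT2: MySQL
RFC1918_16 = "192.168.0.0/16"    # the "192.168 Class B" excluded from the catch-all


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    dst_negate: bool = False     # True = "destination NOT in dst" (pfSense invert match)

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        src_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        dst_in = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
        dst_ok = (not dst_in) if self.dst_negate else dst_in
        proto_ok = self.proto in ("any", proto)
        port_ok = self.dport is None or self.dport == dport
        return src_ok and dst_ok and proto_ok and port_ok


def deny_rules(tier: str) -> List[Rule]:
    """The block every tier starts with: home LAN, cable modem, OpenVPN network."""
    return [Rule("block", tier, HOME_LAN),
            Rule("block", tier, MODEM),
            Rule("block", tier, VPN_NET)]


def support_rules(tier: str, gateway: str) -> List[Rule]:
    """Squid (3128), DNS (53) and NTP (123) on the tier's pfSense interface address."""
    return [Rule("pass", tier, gateway, "tcp", 3128),
            Rule("pass", tier, gateway, "udp", 53),
            Rule("pass", tier, gateway, "tcp", 53),
            Rule("pass", tier, gateway, "udp", 123)]


TIER1_RULES = deny_rules(TIER1) + support_rules(TIER1, "192.168.10.1/32") + [
    Rule("pass", TIER1, TIER2, "tcp", 80),      # reverse proxy -> Apache
    Rule("pass", TIER1, TIER2, "tcp", 443),
    Rule("pass", TIER1, RFC1918_16, dst_negate=True),  # all outbound except 192.168/16
]
TIER2_RULES = deny_rules(TIER2) + support_rules(TIER2, "192.168.20.1/32") + [
    Rule("pass", TIER2, TIER3, "tcp", 3306),    # WordPress -> MySQL
    Rule("pass", TIER2, TIER1, "tcp", 22),      # rsync over SSH to the Opera Unite host
]
TIER3_RULES = deny_rules(TIER3) + support_rules(TIER3, "192.168.30.1/32")

Flow = Tuple[str, str, str, int]   # (src_ip, dst_ip, proto, dport)


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins, as in the pfSense GUI; no match is the implicit default block."""
    for rule in rules:
        if rule.matches(*flow):
            return rule.action
    return "block"


def audit(rules: List[Rule], expected: Dict[Flow, str]) -> List[Flow]:
    """Return the flows whose verdict differs from what the policy is supposed to give."""
    return [flow for flow, want in expected.items() if evaluate(rules, flow) != want]


if __name__ == "__main__":
    tier1_expected = {
        ("192.168.10.5", "192.168.1.50", "tcp", 80): "block",     # no path to the home LAN
        ("192.168.10.5", "10.8.0.5", "tcp", 22): "block",         # VPN blocked before the catch-all
        ("192.168.10.5", "192.168.20.10", "tcp", 443): "pass",    # proxy to Apache
        ("192.168.10.5", "192.168.30.10", "tcp", 3306): "block",  # never straight to MySQL
        ("192.168.10.5", "93.184.216.34", "tcp", 443): "pass",    # browser to the internet
    }
    print("tier 1 mismatches:", audit(TIER1_RULES, tier1_expected))
```

The VPN check is the one worth keeping an eye on: 10.8.0.0/24 is not inside 192.168.0.0/16, so without the explicit block at the top the catch-all at the bottom would let tier 1 reach VPN clients. The same `audit` call run after every rule change is a cheap way to catch that kind of ordering regression.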
pfSense DNS forwarder with static assignments
I like to provide DNS for hostnames on the LAN. DNS makes troubleshooting easier as network dumps and log files can be made to show host names which makes determining where the data flows much easier to understand.
I could have also selected "Register DHCP leases in DNS forwarder" in the picture, and then I would not have to define the list of static names below. And of course, servers are supposed to use static assignments in the real world, so you can turn DHCP off in your DMZ.
pfSense static DNS assignments example
I use static DNS assignments but DHCP name registration would also work.
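The point of the static assignments is that dumps and logs become readable by host name, as the last picture on this page also shows. The following is an added example, not part of the original post, that takes a static host list of the kind the DNS forwarder keeps and uses it to annotate and summarize firewall log lines by name. The host names and addresses are constructed, and the `filterlog:` record format used here is a simplified stand-in for the real pfSense one, which has more fields.

```python
# Added example, not part of the original post: turn addresses in log lines
# into the host names the static DNS assignments provide. Names, addresses and
# the log record format are constructed for the example.
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed static assignments, the same kind of host -> address list kept in
# the DNS forwarder's host overrides.
STATIC_HOSTS: Dict[str, str] = {
    "192.168.10.1": "pfsense.dmz.lan",    # pfSense LAN address (assumed)
    "192.168.10.5": "unite.dmz.lan",      # tier 1: Opera Unite reverse proxy
    "192.168.20.10": "www.dmz.lan",       # tier 2: Apache + WordPress
    "192.168.30.10": "db.dmz.lan",        # tier 3: MySQL
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def name_for(ip: str, hosts: Dict[str, str] = STATIC_HOSTS) -> str:
    """Static name for a DMZ address; unknown addresses stay as they are."""
    return hosts.get(ip, ip)


def annotate(line: str, hosts: Dict[str, str] = STATIC_HOSTS) -> str:
    """Rewrite every known IPv4 literal in a log line as name(ip)."""
    def repl(m: "re.Match") -> str:
        ip = m.group(0)
        return f"{hosts[ip]}({ip})" if ip in hosts else ip
    return IPV4.sub(repl, line)


def hosts_file_lines(hosts: Dict[str, str]) -> List[str]:
    """/etc/hosts-style lines for the same assignments; dnsmasq reads /etc/hosts by default."""
    return [f"{ip}\t{name}" for ip, name in sorted(hosts.items(), key=lambda kv: kv[1])]


def parse(line: str) -> dict:
    """Parse the constructed 'action,iface,proto,src,dst,sport,dport' filterlog-style record."""
    _, _, record = line.partition("filterlog: ")
    action, iface, proto, src, dst, sport, dport = record.split(",")
    return {"action": action, "iface": iface, "proto": proto,
            "src": name_for(src), "dst": name_for(dst), "dport": int(dport)}


def summarize(lines: Iterable[str]) -> Counter:
    """Count (action, src, dst, dport) by host name, so a review reads as 'www -> db:3306'."""
    counts: Counter = Counter()
    for line in lines:
        r = parse(line)
        counts[(r["action"], r["src"], r["dst"], r["dport"])] += 1
    return counts


# Constructed sample log, simplified from the filterlog shape.
SAMPLE_LOG = [
    "Feb 10 12:00:01 pfsense filterlog: pass,opt1,tcp,192.168.20.10,192.168.30.10,44120,3306",
    "Feb 10 12:00:02 pfsense filterlog: pass,opt1,tcp,192.168.20.10,192.168.30.10,44121,3306",
    "Feb 10 12:00:03 pfsense filterlog: block,lan,tcp,192.168.10.5,192.168.1.50,51000,80",
    "Feb 10 12:00:04 pfsense filterlog: pass,lan,tcp,192.168.10.5,192.168.20.10,51001,443",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(annotate(line))
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Addresses outside the DMZ, such as the blocked attempt toward 192.168.1.50 in the sample, stay numeric, which is itself useful: anything that shows up without a name in a DMZ log is something the static list does not know about.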
pfSense serves NTP to the DMZ
pfSense serves NTP to all servers in the DMZ to keep their clocks in sync. Some might want to enable NTP access among the tiers so all servers can participate in time synchronization; I only use the pfSense server in this example.
pfSense Transparent Proxy for OPT1 and OPT2
The pfSense proxy serves tier 2 and tier 3 using the transparent proxy option, so I didn't have to set proxy settings on tier 2 and tier 3 at the application level. Tier 1 does not force the proxy, to accommodate Opera Unite's needs. My pre-Opera Unite design forced the proxy on tier 1 as well, but this was opened up to support Opera Unite, which didn't work correctly when using the proxy.
pfSense proxy blacklist setting for local LAN
Squid blacklists the local LAN 192.168.1.0/24; otherwise the proxy would give the DMZ access to the home network.
OpenVPN Subnet in pfSense
The settings are shown in the picture. Download the keys and the pfSense config file for this article.
pfSense running proxy, squid, DNSmasq, and NTP services
The services supporting the DMZ are enabled and shown in the picture. The proxy via Squid, the DNS forwarder, the NTP server, and DHCP are all used to support the DMZ hosts.
pfSense Traffic Graphs for DMZ
DNS Entries Make Logs Easy to Read