Merge branch 'mike/lab_part_4' into 'master'

Lab part 4: Configuring pfSense See merge request !2

Merge branch 'mike/lab_part_4' into 'master'
Lab part 4: Configuring pfSense See merge request !2
69a7f240 · Mike Jones · 62c417cf · c8d2cd5c · 69a7f240 · 69a7f240
Commit 69a7f240 authored Jan 19, 2020 by Mike Jones 🌶
5 changed files
--- a/content/posts/2019/02/13/configuring_proxmox.md
+++ b/content/posts/2019/02/13/configuring_proxmox.md
@@ -13,6 +13,7 @@ description: |
 * [Part 1 (Introduction, OVH configuration.)](/posts/2019/02/13/remote_proxmox_lab_intro/)
 * [Part 2 (Configuring Proxmox. You're here!)](#)
 * [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
+* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)

 Now, we'll need to install Proxmox on the server. I won't cover the basic
 installation in this post, but I am using Proxmox VE 5, which is available as a

--- a/content/posts/2019/02/13/remote_proxmox_lab_intro.md
+++ b/content/posts/2019/02/13/remote_proxmox_lab_intro.md
@@ -12,6 +12,7 @@ description: |
 * [Part 1 (Introduction, OVH configuration. You're here!)](#)
 * [Part 2 (Configuring Proxmox.)](/posts/2019/02/13/configuring_proxmox/)
 * [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
+* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)

 ## Overview


--- a/content/posts/2019/02/17/installing_pfsense.md
+++ b/content/posts/2019/02/17/installing_pfsense.md
@@ -12,6 +12,7 @@ description: |
 * [Part 1 (Introduction, OVH configuration.)](/posts/2019/02/13/remote_proxmox_lab_intro/)
 * [Part 2 (Configuring Proxmox.)](/posts/2019/02/13/configuring_proxmox/)
 * [Part 3 (Installing pfSense. You're here!)](#)
+* [Part 4 (Configuring pfSense.)](/posts/2020/01/11/configuring_pfsense)

 ## First boot


--- a/content/posts/2020/01/11/configuring_pfsense.md
+++ b/content/posts/2020/01/11/configuring_pfsense.md
+---
+title: "Remote Lab, Part 4: Configuring pfSense"
+date: 2020-01-11T12:29:20
+draft: false
+type: post
+authors: [ 'Mike Jones' ]
+tags: [ 'Remote Lab', 'OVH', 'Networking', 'pfSense']
+description: |
+    Part 4: Configuring NAT and firewall rules in pfSense.
+---
+
+* [Part 1 (Introduction, OVH configuration.)](/posts/2019/02/13/remote_proxmox_lab_intro/)
+* [Part 2 (Configuring Proxmox.)](/posts/2019/02/13/configuring_proxmox/)
+* [Part 3 (Installing pfSense.)](/posts/2019/02/17/installing_pfsense/)
+* [Part 4 (Configuring pfSense. You're here!)](#)
+
+Finally, we need to forward traffic from the WAN to internal VMs.
+
+## Connecting a virtual machine to the router
+
+Firstly, a new Proxmox virtual machine must be created. Ensure its network device
+is set to `vmbr2` (which is configured as the OPT1 device in pfSense).
+
+## Setting up virtual IP addresses
+
+Virtual IPs are required for NAT. [Here is pfSense's official documentation](https://docs.netgate.com/pfsense/en/latest/book/firewall/virtual-ip-addresses.html).
+
+1. From the "Firewall" menu, select "Virtual IPs".
+2. Add two new virtual IPs with the following settings:
+    1. The internal IP address:
+        - Type: "Proxy ARP"
+        - Interface: "OPT1"
+        - Address type: "Network"
+        - Address(es): "10.5.4.2" / "32" (single IPv4 address)
+        - Description: Not parsed
+    2. The external IP address:
+        - Type: "Proxy ARP"
+        - Interface: "WAN"
+        - Address type: "Network"
+        - Address(es): "5.39.60.71" / "32" (single IPv4 address)
+        - Description: Not parsed
+
+## Configuring 1:1 NAT
+
+Next, we will bind all traffic for the external IP to an internal IP address.
+
+1. From the "Firewall" menu, select "NAT", and then "1:1".
+2. Add a new rule:
+    - Interface: "WAN"
+    - External subnet IP: "5.39.60.71"
+    - Internal IP: "Single host" "10.5.4.2"
+    - Destination: "Any"
+    - Description: Not parsed
+
+This forwards all traffic sent to the external IP address (5.39.60.71) to the
+internal VM (10.5.4.2).
+
+## Firewall rules to permit traffic to the servers
+
+For this example, the VM installed requires HTTP and HTTPS traffic to be allowed
+to the VM, so we need two firewall rules on the WAN device.
+
+1. From the "Firewall" menu, select "Rules".
+2. Add two rules:
+    * HTTPS:
+        - Action: "Pass"
+        - Interface: "WAN"
+        - Address family: "IPv4"
+        - Protocol: "TCP"
+        - Source: "Any"
+        - Destination: "Single host or alias" "10.5.4.2"
+        - From: "443"
+        - To: "443"
+        - Description: Not parsed
+    * HTTP:
+        - Action: "Pass"
+        - Interface: "WAN"
+        - Address family: "IPv4"
+        - Protocol: "TCP"
+        - Source: "Any"
+        - Destination: "Single host or alias" "10.5.4.2"
+        - From: "80"
+        - To: "80"
+        - Description: Not parsed
+
+Further similar rules can be added for any other ports that need to be accessible
+from the WAN.
+
--- a/themes/netsplit/layouts/partials/head.html
+++ b/themes/netsplit/layouts/partials/head.html
@@ -2,7 +2,7 @@
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="{{ if .IsNode }}{{ with .Site.Params.description }}{{ . }}{{ end }}{{ else }}{{ with .Description }}{{ . }}{{ end }}{{ end }}">
-    {{.Hugo.Generator}}
+    {{ .Hugo.Generator }}

    <link href="https://fonts.googleapis.com/css?family=Merriweather%7CFira+Mono" rel="stylesheet">