The final step for the internal network is enabling access to the DMZ network from external devices by changing the Firewall and DNS configuration. This involves configuring port forwarding to route external traffic to the appropriate internal devices. I also need to change the DNS configuration to route the traffic for the domain correctly. First step, port forwarding in pfsense.
Prerequisite: Installing a Network Firewall
Firewall Configuration in pfsense
To route external traffic to internal devices, we will configure port forwarding. This routes external traffic destined to certain ports, like port 443 for HTTPS, to the appropriate internal server in the DMZ. Within pfsense, we go to NAT settings, and port forward. The image below shows an example configuration to route inbound HTTP traffic on the WAN interface to my DMZ host 10.10.1.12.
For my lab, I also added rules for DNS, SMTP, and HTTPS.
Due to my lab’s configuration using all private IP addresses and having a private IP on the WAN interface for the lab, I also had to remove the reserved network block.
To test the configuration, I used my external Kali machine to run an Nmap scan of port 80 and 443 of my firewall.
Configure DNS for External Access
The next step is to configure the simulated external DNS to route traffic to my lab network from the external network. I added an A record to the external Pihole.
I also need an A record for the email server.
Next, I need to create an MX record. For dnsmasq, this requires a custom configuration file.
# touch /etc/dnsmasq.d/99-mail.conf
# pihole restartdns
To check that the MX record is working, I use nslookup on the external Kali machine.
Now that the configuration is complete, I run a few Nmap scans to check that the ports are forwarded to the correct internal devices, and that I can scan by domain name.
With that, my Firewall and DNS configuration is complete and my lab is accessible from the simulated external network devices.