Using a Direct Internet Access Range (DIA) on Claranet VDC

Introduction

This document assumes the following:

  • You are using the pfSense firewall.
  • You are familiar with the Claranet VDC Platform.

Let’s imagine that you have been using the VDC platform for a while and have multiple virtual machines running in your account.

To gain access to your virtual machine you will either have:

  • Setup a jump box to proxy access
    • To access the virtual machines, you will first need to logon to the jump virtual machine (AKA a bastion host), and then logon to the destination virtual machine, this can be achieved for Windows by a terminal server session or for Linux using SSH. Configuration for this on the firewall is a single firewall rule for either SSH (Port 22) or MS RDP (port 3389) from outside to the jump virtual machine.
  • Setup multiple port forwarding rules on the firewall
    • To access virtual machines you will need to setup specific rules for each server to forward ports to backend servers. For example if we had 5 Linux machines that needed SSH access from the public internet and you only had 1 public IP address, you could setup port forwarding rules as follows to allow this:
      • WAN Address Port 8022 forwards to port 22 on virtual machine 1
      • WAN Address Port 8023 forwards to port 22 on virtual machine 2
      • WAN Address Port 8024 forwards to port 22 on virtual machine 3
      • WAN Address Port 8025 forwards to port 22 on virtual machine 4
      • WAN Address Port 8026 forwards to port 22 on virtual machine 5
    • The disadvantages of this, is that you will need to remember which port maps to which server.
  • Utilize multiple public IP addresses from the Shared Internet Access (SIA) range, and implement 1:1 NAT on each interface.
    • To access the virtual machines, you can configure multiple public SIA addresses on the pfSense firewall (instructions can be found at http://cloudhelp.claranet.com/content/getting-started-pfsense-firewall-image).
    • Each pfSense firewall can only have 8 interfaces, so if you have two VLANs in the private range where you deploy your virtual machines, then you are limited to 6 public IP addresses, 6 1:1 NAT rules, and 6 virtual machines that are directly accessible.
  • Use a routed DIA range
    • Using this method you can have a range of IP addresses allocated to you that can be mapped as a Virtual IP (VIP) address on your firewall and then 1:1 NAT can be achieved for as many public IP addresses you have purchased.
    • Unless there is no other way of achieving your business goal, this should not be used, this is due to the exhaustion of the IPV4 network range, see http://www.ripe.net/internet-coordination/ipv4-exhaustion/business-and-enterprise for information.
  • Use a MPLS connection with Claranet’s industry leading 3G network
    • Claranet have an industry leading wireless service that connects a 3G Dongle or 3G Router device directly into a secure private MPLS network (no traffic traverses the internet), see http://www.claranet.co.uk/networks/wireless-services.html for details.
    • This means that you can access virtual machines directly and securely from your PC or laptop.
  • Use an SSL VPN.
    • It’s a simple process to configure the pfSense firewall image to create a secure private tunnel directly into your VDC infrastructure. This can scale to many users and the users can directly access the virtual machines in your VDC account. This can be used in conjunction with many of the above methods to add flexibility, for example you could use a MPLS connection for users in static locations and use a SSL VPN connection for roaming users.
    • A post on how to set this up is located at http://www.fearn.me.uk/using-a-ssl-vpn-to-secure-administrative-access-to-your-enterprise-in-the-claranet-vdc/ 

This post focuses on using a routed Direct Internet Access (DIA) range.

Install the pfSense Firewall

There is a special edition that includes the SSL VPN Client Export functionality that needs to be installed. This can be obtained from the following location http://www.fearn.me.uk/vdc/pfsense-vpn.vmdk , this will need to be imported into your VDC account.

Obtain the image at the above location, and using an FTP client upload to importer-uk-gsl2.cloud.claranet.com using your VDC account details as logon credentials.

After a few seconds the import process will complete and the image will appear in your application library, you may need to click on the refresh button highlighted in red below:

image

You will need to deploy the pfSense SSL VPN edition using the standard methods, making sure that you allocate an IP address from your DIA range for the WAN interface and make sure the WAN interface is is the first interface configured in the network section of the configuration.

The image has the following defaults:

  • 1 vCPU, 1024MB Memory, 8GB Disk Space.
  • Administrator Accounts:
    • Admin username – admin
    • Admin password – v1rtu4LDC
    • Superuser user name – superuser
    • Superuser password – v1rtu4LDC
  • Management interface accessible on WAN interface via HTTPS on port 9443
    • https://<WAN IP>:9443
    • Replace <WAN IP> with your WAN IP Address.

To configure the WAN interface first deploy the pfSense SSL VPN edition and when configuring the instance, select the network tab:

image

Click the image button to add an IP address.

Select the External Tab, and then select one of the DIA range IP addresses.

image

 

Make sure that the external DIA IP address is the first IP address in the list and also that the default route is listed in the same range as the DIA IP address.

image

When complete click on the Save button. Then deploy the machine as normal.

 

Configuring the pfSense Firewall

Logon to the firewall on the management interface (listed above) using an administrator’s account.

image

When logged on select System –> Advanced

image

Then the Firewall/NAT tab:

image

Then click ‘Disable reply-to on WAN rules’ check box.

image

Click ‘Save’. Next, go to the ‘System’ menu, ‘Advanced’ and click on the ‘Networking’ tab. Click ‘Suppress ARP messages’:

image

Click ‘Save’ to finish.

Next add the Virtual IP addresses by selecting Firewall -> Virtual IPs

image

On the ‘Virtual IPs’ tab, click the clip_image002[5] button to add a virtual IP address.

image

Make sure that you enter the details as shown above, with the exception of the IP Address and the description.

Click ‘Save’ to finish.

Click the ‘Apply changes’ button.

image

Next select Firewall->NAT

image

Select the 1:1 tab

image

Click the clip_image002[7] button to add a 1:1 NAT rule.

image

Enter the details as shown above, with the exception of the External subnet IP, Internal IP and the Description.

Click ‘Save’ to finish.

Click the ‘Apply changes’ button to apply the changes just made.

image

Finally we need to add a rule to allow traffic through.

Select Firewall – > Rules

image

Click the bottom most clip_image002button to add a new rule.

image

Enter the details shown above, with the exception of the Destination, Destination port range, and Description, changing these to be the rule you want to apply.

Note the destination IP address is the Internal IP Address you added when creating the 1:1 NAT rule above. And not the external IP address, this is because the NAT rule is applied first before the firewall rules are evaluated.

Click ‘Save’ to finish.

Click the ‘Apply changes’ button.

image

The 1:1 NAT should now be in place.

Assuming in our example you have an server running on 192.168.0.2 with a web server running, when you use your browser to visit 213.253.26.181 (in our example) a web page should now be displayed, as shown below.

image