
Using the Internet with pfSense


📡 Getting to know pfSense

pfSense is open-source firewall software. It runs as a firewall on whatever computer you install it on, whether that is a desktop, a server or a VM. I don't use everything pfSense offers, but it provides a DHCP server, NAT and more, well beyond what a home router does.

In my case I bought a mini PC (from AliExpress), installed pfSense on it and have been using that ever since.

pfSense has [official documentation], and if English is not a problem for you it is the best manual there is. Korean-language material was scarce, though, so here I want to write up the trial and error I have gone through since May 2021. This is not written by someone with professional security or networking knowledge, so if you know a better way or spot a mistake, please let me know in the comments! 🤣

Before I start: at the time of writing I am on pfSense 2.5.1. Older or newer versions may differ from what is described here.

1. Using pfSense with an existing router (AP)

If the box has a built-in (or external) antenna, pfSense's Wi-Fi support can replace a Wi-Fi router (access point, AP). Many people advise against it because pfSense's Wi-Fi performance is poor, and since I already had a router, I reused it as the AP.

No special configuration is needed: connect a cable from pfSense to the router's WAN port and switch the router to bridge mode in its settings.


pfSense Interfaces

In my setup there are three interfaces: WAN, LAN, and APWIFI, the interface connected to the router. (APWIFI is an interface I created myself.) LAN and APWIFI are bridged together.


pfSense Bridge

The relevant settings are under Interfaces > Interface Assignments > Bridges.

Once this is done, devices that connect through the router get their IP addresses from pfSense's DHCP server, and the old router acts only as an AP.

2. No Internet even after configuring NAT

Even after setting up NAT, NAT Reflection, port forwarding and so on (explained in section 3), network access still did not work properly:

  • even with NAT Reflection configured, hosts on the internal network could not reach services via the external IP (domain name),
  • OpenVPN would not connect when I set it up, and
  • other VPNs could not reach the internal network either.


Upstream Gateway

The cause was that an Upstream Gateway had been set on the LAN interface; setting it to None fixes it. (It took me five months to find this...)
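The Upstream Gateway mistake above is easy to miss in the web UI, so here is a small check added for this post (my own code, not pfSense's tooling) that scans a config.xml backup for internal interfaces that have a gateway set. The element names it looks for, <interfaces> with one child per interface and per-interface <descr> and <gateway>, are my assumption about pfSense's config.xml layout; compare against a backup from your own box. The sample configuration is constructed.

```python
"""Audit a pfSense config.xml backup for a gateway assigned on an internal
(LAN-side) interface, the misconfiguration described in the post.

Example added for this post; not pfSense's own code.  The element names
(<interfaces>, <wan>/<lan>/<optN>, <descr>, <gateway>) are an assumption
about pfSense's config.xml layout.
"""
import xml.etree.ElementTree as ET

# Constructed sample: trimmed config.xml with the LAN interface wrongly
# pointing at the WAN gateway, plus a bridged OPT1 (APWIFI) interface.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan>
      <descr>WAN</descr>
      <if>em0</if>
      <ipaddr>dhcp</ipaddr>
      <gateway>WANGW</gateway>
    </wan>
    <lan>
      <descr>LAN</descr>
      <if>em1</if>
      <ipaddr>192.168.1.1</ipaddr>
      <subnet>24</subnet>
      <gateway>WANGW</gateway>
    </lan>
    <opt1>
      <descr>APWIFI</descr>
      <if>em2</if>
    </opt1>
  </interfaces>
</pfsense>
"""


def interfaces_with_gateway(config_xml: str) -> dict:
    """Return {interface tag: gateway name} for every interface with a gateway set."""
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    found = {}
    if interfaces is None:
        return found
    for iface in interfaces:
        gw = iface.findtext("gateway")
        if gw:
            found[iface.tag] = gw
    return found


def misconfigured_gateways(config_xml: str, upstream_ifaces=("wan",)) -> dict:
    """Interfaces other than the upstream (WAN-side) ones that carry a gateway.

    Selecting a gateway makes pfSense treat the interface as a WAN-type link,
    which is what broke NAT reflection and VPN access in the post.  The fix
    is Upstream Gateway = None on every internal interface."""
    return {name: gw for name, gw in interfaces_with_gateway(config_xml).items()
            if name not in upstream_ifaces}


def describe(config_xml: str) -> list:
    """Human-readable findings, one line per misconfigured interface."""
    root = ET.fromstring(config_xml)
    lines = []
    for name, gw in misconfigured_gateways(config_xml).items():
        descr = root.find(f"interfaces/{name}").findtext("descr") or name
        lines.append(f"{descr} ({name}): gateway '{gw}' set; set Upstream Gateway to None")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_CONFIG) or ["no internal interface has a gateway set"]:
        print(line)
```

Run it against a backup downloaded from Diagnostics > Backup & Restore; an empty result means every internal interface has Upstream Gateway set to None.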

3. Using NAT and port forwarding

To serve several devices at once, a router provides NAT (Network Address Translation). Internal ports then have to be linked (mapped) to external ports, which most routers expose under the name port forwarding.

NAT itself has to be configured first. In Firewall > NAT > Outbound, select the Automatic outbound NAT rule generation mode and Internet access works without any further settings.


Port forwarding is configured in the Port Forward menu of the same tab.

  • Address Family: the IP version
  • Protocol: the protocol
  • Destination: WAN
  • Destination port range and Redirect target port: the target port
  • Redirect target IP: the internal IP address

The Destination port range option accepts a range; in that case enter only the first port in Redirect target port and the end of the target range is calculated for you. Adding a port forward also automatically adds a matching firewall rule.


After port forwarding is set up, a new problem appears: from the internal network you cannot reach the service via the external IP (domain name). This is solved by enabling NAT Reflection (NAT loopback). Configure it as shown below under System > Advanced > Firewall & NAT > Network Address Translation.

NAT Reflection settings
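To make the Port Forward fields and the NAT Reflection behaviour concrete, here is an added example (my own code, not pfSense's or FreeBSD's) that turns the values from the Port Forward form into the pf rdr/pass rules that implement them, derives the end of the Redirect target port range the way the text describes, and produces the extra rules a LAN client needs for reflection. The rule strings follow pf.conf syntax but are an illustration of the mechanism, not pfSense's exact generated output; interface names (em0/em1), addresses and ports are constructed sample values.

```python
"""Model a pfSense port forward as the pf(4) rules behind it, including the
derived Redirect target port range and the rules NAT Reflection adds.

Example added for this post, not pfSense's or FreeBSD's own code.  Rule text
follows pf.conf(5) syntax (rdr / nat / pass) but is an illustration, not
pfSense's exact output.  Interfaces, addresses and ports are constructed.
"""
from dataclasses import dataclass
import ipaddress

MAX_PORT = 65535


@dataclass(frozen=True)
class PortForward:
    family: str        # Address Family: "inet" (IPv4) or "inet6"
    proto: str         # Protocol: "tcp", "udp", ...
    wan_if: str        # Destination: the WAN interface
    dest_start: int    # Destination port range, start
    dest_end: int      # Destination port range, end (== start for one port)
    target_ip: str     # Redirect target IP (internal host)
    target_start: int  # Redirect target port: only the start is entered


def target_port_range(fwd: PortForward) -> tuple:
    """pfSense asks only for the first target port; the end follows from the
    width of the destination range.  Reject ranges that run off the top."""
    if not (1 <= fwd.dest_start <= fwd.dest_end <= MAX_PORT):
        raise ValueError("destination port range must be ascending and within 1..65535")
    end = fwd.target_start + (fwd.dest_end - fwd.dest_start)
    if fwd.target_start < 1 or end > MAX_PORT:
        raise ValueError(f"redirect target range {fwd.target_start}-{end} leaves 1..65535")
    return fwd.target_start, end


def check_target_in_lan(fwd: PortForward, lan_net: str) -> bool:
    """Forwarding to an address outside the LAN is almost always a typo; catch it."""
    return ipaddress.ip_address(fwd.target_ip) in ipaddress.ip_network(lan_net)


def _ports(start: int, end: int) -> str:
    return str(start) if start == end else f"{start}:{end}"


def _target(start: int, end: int) -> str:
    # "port N:*" in pf maps a destination range one-to-one onto N.. (pf.conf(5))
    return str(start) if start == end else f"{start}:*"


def forward_rules(fwd: PortForward) -> list:
    """The rdr rule plus the pass rule pfSense adds with each port forward."""
    t_start, t_end = target_port_range(fwd)
    dest = _ports(fwd.dest_start, fwd.dest_end)
    return [
        f"rdr on {fwd.wan_if} {fwd.family} proto {fwd.proto} from any to ({fwd.wan_if}) "
        f"port {dest} -> {fwd.target_ip} port {_target(t_start, t_end)}",
        f"pass in quick on {fwd.wan_if} {fwd.family} proto {fwd.proto} from any "
        f"to {fwd.target_ip} port {_ports(t_start, t_end)} keep state",
    ]


def reflection_rules(fwd: PortForward, lan_if: str, lan_net: str) -> list:
    """NAT Reflection (Pure NAT style): a LAN client that connects to the WAN
    address must also be redirected, and its source must be NATed to the LAN
    interface address so the server replies through the firewall instead of
    directly to the client, which would otherwise break the connection state."""
    t_start, t_end = target_port_range(fwd)
    dest = _ports(fwd.dest_start, fwd.dest_end)
    return [
        f"rdr on {lan_if} {fwd.family} proto {fwd.proto} from {lan_net} to ({fwd.wan_if}) "
        f"port {dest} -> {fwd.target_ip} port {_target(t_start, t_end)}",
        f"nat on {lan_if} {fwd.family} proto {fwd.proto} from {lan_net} to {fwd.target_ip} "
        f"port {_ports(t_start, t_end)} -> ({lan_if})",
    ]


# Constructed example: forward WAN ports 8080-8089 to a LAN host's 80-89.
EXAMPLE = PortForward("inet", "tcp", "em0", 8080, 8089, "192.168.1.10", 80)

if __name__ == "__main__":
    if not check_target_in_lan(EXAMPLE, "192.168.1.0/24"):
        raise SystemExit("redirect target is not inside the LAN")
    for rule in forward_rules(EXAMPLE) + reflection_rules(EXAMPLE, "em1", "192.168.1.0/24"):
        print(rule)
```

Without the second pair of rules, a LAN client connecting to the WAN address gets redirected but the server answers it directly on the LAN, so the reply never passes back through the rdr state and the connection hangs; that is the symptom the NAT Reflection option fixes.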

Wrapping up

I got into this through an interest in home networking and homelabs, and there is still a lot I don't know. If I have more to share, I'll write it up next time! 😀