Cannot reach bridged DMZ from natted LAN
Hi all, I'm new to this forum and to pfSense.
I configured a pfSense firewall to connect virtual machines hosted by OVH with a transparent bridge, following this post step by step:
http://magiksys.blogspot.it/2012/12/pfsense-bridge-gateway-vmware-ovh-ip.html

All is working well:
- lan can go through internet
- lan can be reached from internet using firewall ip (natted)
- dmz can go through internet
- dmz can be reached from internet using public ripe block ips
The problem is that the DMZ can't reach the LAN network (and vice versa).
Network map in attachment.
Here is my pfSense config:
RIPE block = 99.x.x.112/28

Interfaces:
  LAN: static IPv4: 192.168.1.1/24
       upstream gateway: None
  WAN: static IPv4: 99.x.x.121/28
       upstream gateway: 99.x.x.126/28
  DMZ: IPv4 Configuration Type: None

Gateway:
  WAN 99.x.x.126/28

Outbound NAT:
  WAN src: 192.168.1.0/24
      dst: *
      NAT Address: WAN address

Port forward:
  WAN src: *
      dst: WAN Address
      NAT IP: 192.168.1.100

Floating rule:
  quick IPv4 ICMP any any no gw

I used "Packet Capture" to see what's going on:
ping DMZ->LAN (not working)
ping DMZ 99.x.x.113 -> WAN 99.x.x.121 (natted 192.168.1.100)
  iface DMZ: ping req 99.x.x.113 -> 99.x.x.121
  iface WAN: ping req 99.x.x.113 -> 192.168.1.100 ??

ping LAN->DMZ (not working)
ping LAN 192.168.1.100 -> DMZ 99.x.x.113
  iface LAN: ping req 192.168.1.100 -> 99.x.x.113
  iface WAN: ping req 99.x.x.121 -> 99.x.x.113
  iface DMZ: ping reply 99.x.x.113 -> 99.x.x.121
  iface WAN: ping reply 99.x.x.113 -> 192.168.1.100 ??

ping WAN->LAN (working)
ping WAN 79.x.x.166 -> LAN 99.x.x.121 (natted 192.168.1.100)
  iface WAN: ping req 79.x.x.166 -> 99.x.x.121
  iface LAN: ping req 79.x.x.166 -> 192.168.1.100
  iface LAN: ping reply 192.168.1.100 -> 79.x.x.166
  iface WAN: ping reply 99.x.x.121 -> 79.x.x.166

It seems NAT is working, but the firewall is routing traffic out of the wrong iface.
Can someone give me some advice? What do you think is happening? Tell me if you need more info.
Thanks in advance,
Salvatore.
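A small check, added here as an illustration and not part of the original post, that runs over capture summary lines like the ones above and flags exactly the "??" packets: a post-NAT packet whose destination belongs to an internal interface's subnet but which was captured on WAN or DMZ. Interface names and subnets follow the post (DMZ is bridged onto the public /28 with WAN); the masked 99.x.x.112/28 block and 79.x.x.166 are replaced by the documentation addresses 203.0.113.112/28 and 198.51.100.166 so the script runs offline.

```python
import ipaddress
import re

# Address plan from the post. The masked RIPE block 99.x.x.112/28 is replaced by
# the documentation range 203.0.113.112/28 (assumption, so the check can run).
# DMZ is bridged to WAN, so both interfaces sit on the same public /28.
IFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WAN": ipaddress.ip_network("203.0.113.112/28"),
    "DMZ": ipaddress.ip_network("203.0.113.112/28"),
}
EXTERNAL = {"WAN", "DMZ"}  # segments where an internal destination must never appear

LINE = re.compile(r"iface (\w+): ping (req|reply) (\S+) -> (\S+)")


def owner_of(addr):
    """Return the first interface whose subnet contains addr, or None if not local."""
    for name, net in IFACES.items():
        if addr in net:
            return name
    return None


def check_capture(lines):
    """Return (iface, kind, src, dst, expected_iface) for every packet whose
    destination is owned by an internal interface but was seen on an external one:
    that is a translated packet the firewall routed out of the wrong interface."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ignore lines that are not capture summaries
        iface, kind, src, dst = m.groups()
        owner = owner_of(ipaddress.ip_address(dst))
        if iface in EXTERNAL and owner is not None and owner not in EXTERNAL:
            findings.append((iface, kind, src, dst, owner))
    return findings


# Constructed sample: the post's capture with the masked addresses substituted.
CAPTURE = """\
iface DMZ: ping req 203.0.113.113 -> 203.0.113.121
iface WAN: ping req 203.0.113.113 -> 192.168.1.100
iface LAN: ping req 192.168.1.100 -> 203.0.113.113
iface WAN: ping req 203.0.113.121 -> 203.0.113.113
iface DMZ: ping reply 203.0.113.113 -> 203.0.113.121
iface WAN: ping reply 203.0.113.113 -> 192.168.1.100
iface WAN: ping req 198.51.100.166 -> 203.0.113.121
iface LAN: ping req 198.51.100.166 -> 192.168.1.100
iface LAN: ping reply 192.168.1.100 -> 198.51.100.166
iface WAN: ping reply 203.0.113.121 -> 198.51.100.166
""".splitlines()

if __name__ == "__main__":
    for iface, kind, src, dst, expected in check_capture(CAPTURE):
        print(f"{iface}: {kind} {src} -> {dst} should have left via {expected}")
```

The two lines it reports are the DMZ->LAN request and the LAN->DMZ reply, both carrying the translated 192.168.1.100 destination on WAN instead of LAN.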