Subnet 2 and DMZ have no Internet access.

sganarelle

Ok I got the 192.168.2.1 subnet connected to the internet. Thank you  How secure is the default rule?  I dont want anybody to be able to ping my firewall.  I would like to be able to use Bittorrent.

This Firewall is replacing a linksys firewall/router appliance so I am new to a lot.

Now I would like to start configuring the rule for the DMZ.  I am new to rule configuration.
For my DMZ I will have a webserver, email server and a VoIP server, Asterisk, which will be running SIP.  I dont want ICMP capability.  I would like to be able to SSH into each from the outside.

Thanks for the help.

hoba

The way you now have set it up is that the internal interfaces can talk to each other  and every interface can go out to the internet. Still nothing is let in from WAN as there is no pass rule at WAN present. For your DMZ you typically want something like this:

block proto any source DMZ-subnet destination LAN-subnet
block proto any source DMZ-subnet destination OPT1-subnet
pass proto any source DMZ subnet destination any

This way DMZ can go out to the internet but can't access LAN and OPT1. OPT1 and LAN still can access each other and also can access the DMZ. Note that rules order is important.

For your incoming connections you need portforwards at firewall>nat, portforward tab. Make sure you have "autocreate firewall rule" at the bottom of the add NAT entry checked.

To allow SSH to all your machines you have to use different ports at WAN for the forwards like
forward port 22 to asterisk-IP port 22
forward port 23 to webserver-IP port 22
…
and so on.

sganarelle

Hoba– Thank you for your help.
Last night I hooked up my Asterisk box (Asterisk@Home distro).  It has an ip address of 192.168.3.2.    I cannot access it from my workstation that is on the .1.x subnet.  I thought that the firewall rules you gave me would allow me from any subnet to access any computer on the .2.x or the .3.x subnets.  How do I go about rectifying this problem?  Asterisk@Home is configured through AMP, Asterisk Management Portal, a webgui.  I was trying to access the box through that and ssh.

Thanks

sullrich

Make sure you are running an image from: http://www.pfsense.com/~sullrich/1.0-BETA1-TESTING-SNAPSHOT-1-24-06/

sganarelle

can i use the auto update feature to intstall that?

i installed from the livecd that i downloaded from the download area.  i installed pfsense over this past weekend.

where is the version number?

sullrich

manual update.

as it has been mentioned atleast 100 times in this forum alone, auto update is being worked on.

sganarelle

do i want the 27 meg file or the 2 meg file?
I'm new to pfsense and i havent fully read through the forums.

Thanks for the help.

hoba

2 mb is for embedded versions, 29 mb is for harddisk installs.

sganarelle

where is the channel log located?  i looked under the blogs and tutorials and the faq but never seem to have found it.

I am still having my problem of being unable to access AMP from my .1.x subnet.  the asterisk box is on the .3.x subnet

Any ideas?

hoba

check firewall logs if something is blocked. if you see blocks your rules are not set up correctly. if you don't see blocks check if all your machines have the pfsense as gateway ip at their local interface. You might as well test that with traceroute from both ends to the other end to see where it stops. you should see only one hop.

sganarelle

ok
if i am on a copmuter in the 192.168.1.x subnet i can successfully ping the interfaces for the .2.x(lan 2) and the .3.x(DMZ) subnets.  i cannot ping any IP addresses after .2.1 or .3.1.
i am at a computer of IP address of .2.2 or higher or .3.2 or higher i can only successfully ping the .2.1 or .3.1 address but NOT the .1.1 address.
i also CANNOT ping a .3.x from .2.x and the inverse of that is true as well.
The .2.1 subnet has internet access.
When I try to ping any address other than what is within(outside) the subnet i am recieve this message: Destination Host Unreachable

I ran traceroute but I dont exactly know what response i am looking for.  What response do i want?  The route should not be too many hops as its just a couple of NICs.

Thanks

jeroen234

do you have setup the firewall rulles for ping ?
if you put on the lan tab the opt1 tab and the opt2 tab this rule
icpm * * * * *

then they can ping lan network opt1 netwerk opt2 network and the internet