DMZ Basic Setup ???
-
Can someone help me? I thought my setup was basic but it is having problems.
pfsense
WAN public ip
LAN 192.168.100.1/24
DMZ 10.10.10.1/241:1 NAT
server1 10.10.10.10 <–-public ip
server2 10.10.10.11 <---public ipFirewall rules
WAN to LAN Block private
DMZ to LAN Block allI can access the the webinterface on my server in the DMZ via http://10.10.10.10:8080 from the LAN.
I can access the internet via the LANMy problem is everything in the DMZ cannot access the WAN (internet)
They can ping other servers in the DMZ but not the gateway 10.10.10.1 -
Visit Firewall -> NAT -> Advanced outbouind nat. Turn it on. Now duplicate the lan entry for the DMZ subnet.
-
I copyed the one for the WAN, it was the only one there and changed the network address to my DMZ.
Still not working.Do I need oubound firewall rules for the DMZ?
-
How many public IPs do you have? You can't use 1:1 NAT twice with the same public IP. Also you need VIPs for additional public IPs at WAN to be used with 1:1 NAT. Please provide some more details about how your WAN looks like (multiple IPs, static, pppoe, dhcp, …) and what you want to achieve with your setup. A combination of portforward and advanced outbound with VIPs might make more sense depending what you want to do as this then even supports NAT reflection (if turned on).
-
I am trying to
run a web and email server on the DMZ.
protect the LAN from inbound DMZ traffic.
allow LAn to DMZ traffic.My WAN is static with about 15 addresses.
I will try the VIP.
You guys are a great help.
Thanks. -
web and mail is only a bunch of single ports. I would use VIPs with portforwarding for port smtp, pop3, http (https, imap, …if neeeded) and advanced outbound NAT on top. Then enable nat reflection at system>advanced and your lan clients will even be able to access your webserver and mailserver by the public IP.