Netgate Discussion Forum
    Two WAN's one LAN and one DMZ and the problem is NAT –> DMZ

    NAT
    msatter

      Hi,

      I am sorry to ask for help again; however, I tried for two days, read a lot, and still can't get it working.

      Situation:

      two WANs, each with a static IP and no load balancing (physical ports)
      one LAN on 192.168.1.0/24 and one DMZ on 192.168.2.0/24 (physical ports)

      I got two HTTP servers; one is on the LAN and the other is on the DMZ. The one on the LAN is working perfectly through NAT port forwarding through wan1 or wan2, however the DMZ is not working and I get CLOSED:SYN_SENT and SYN_SENT:CLOSED, so I think the traffic is going through different gateways and gets blocked.

      I tried default gateways and the correct gateway for that traffic back through the WAN the packet came in on, and it did not work. I tried 'Disable NAT Reflection' with no result, and even 'Enable advanced outbound NAT' to generate the rules, and it did not help.

      What am I missing here?

      I hope someone can help me to solve this problem that has been keeping me busy for two days.

      Regards, Marcel

      hoba

        I have exactly this setup at the office: a server with port forwards in the DMZ, some other port forwards to my LAN. Btw, my DMZ hosts are not allowed to go anywhere (no rule at the DMZ interface). This setup runs policy-based routing and load balancing and utilizes NAT reflection for the LAN clients to access the DMZ hosts by the public IP. I guess you simply have something wrong with your port forwards and/or firewall rules.

        msatter

          Thank you, Hoba. Do you have a gateway filled in on the DMZ, and if so, which one?

          update: NAT reflection is working, so I don't have to make rules from the LAN -> DMZ anymore.

          Marcel

          @hoba:

          I have exactly this setup at the office: a server with port forwards in the DMZ, some other port forwards to my LAN. Btw, my DMZ hosts are not allowed to go anywhere (no rule at the DMZ interface). This setup runs policy-based routing and load balancing and utilizes NAT reflection for the LAN clients to access the DMZ hosts by the public IP. I guess you simply have something wrong with your port forwards and/or firewall rules.

          hoba

            The DMZ should have no gateway, as it is not a WAN. If you enter a gateway there and don't use advanced outbound NAT, it will automatically enable NAT on the interface, which you don't want.

            msatter

              Hi Hoba,

              Thanks for your help; I know now why it didn't work.

              The situation is that I have a WatchGuard firewall and I am testing and preparing the pfSense to replace the WatchGuard. I switch between the two firewalls by changing my gateway.

              The problem was not that NAT was not working, nor the gateways on pfSense, nor the clients or DSL modems. It was much simpler and I just did not think of it.
              I forgot that the gateway of the webserver was pointing to the WatchGuard instead of the pfSense, so I got a syncblock. When I changed the configuration and put a second network card in the webserver, I could route the traffic to the correct firewall.

              Life is a learning process, so next time I will be better at solving these kinds of things... I hope ;D

              Marcel

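An added diagnostic, not from the thread and not pfSense's own code, that turns the CLOSED:SYN_SENT symptom from the first post and the cause found in the last one (the DMZ host replying through a different firewall) into a check over pf state entries. The sample lines are constructed, and the `pfctl -ss` line shape for inbound port-forward states ("dst (translated dst) <- src STATE") is assumed:

```python
import re
from collections import Counter

# Constructed sample in the shape of `pfctl -ss` output; not captured from the
# poster's firewall. 192.168.1.20 is the LAN web server, 192.168.2.10 the DMZ one.
SAMPLE_STATES = """\
all tcp 203.0.113.10:80 (192.168.1.20:80) <- 198.51.100.5:51234     ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:80 (192.168.1.20:80) <- 198.51.100.7:40011     ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:8080 (192.168.2.10:80) <- 198.51.100.5:51300   CLOSED:SYN_SENT
all tcp 203.0.113.10:8080 (192.168.2.10:80) <- 198.51.100.9:33002   CLOSED:SYN_SENT
all tcp 203.0.113.10:8080 (192.168.2.10:80) <- 198.51.100.9:33003   SYN_SENT:CLOSED
all udp 192.168.1.1:53 <- 192.168.1.50:5353     MULTIPLE:SINGLE
"""

# Only lines with a parenthesised translated address are port-forward (rdr) states.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>\w+)\s+(?P<dst>\S+)\s+\((?P<xlat>\S+)\)\s+<-\s+(?P<src>\S+)\s+(?P<state>\S+)$"
)
# SYN seen in one direction, nothing back: pf never saw the SYN-ACK.
HALF_OPEN = {"CLOSED:SYN_SENT", "SYN_SENT:CLOSED"}


def parse_forward_states(text):
    """Return (translated host:port, tcp state) for every inbound TCP port-forward state."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            out.append((m.group("xlat"), m.group("state")))
    return out


def find_stuck_forwards(text):
    """Map each forwarded host:port with half-open states to (half_open, total).

    A state that is SYN_SENT on one side and CLOSED on the other means this firewall
    passed the SYN to the target but never saw its SYN-ACK, so the target is answering
    via another path (here: a default gateway pointing at the other firewall).
    """
    stuck, total = Counter(), Counter()
    for host, state in parse_forward_states(text):
        total[host] += 1
        if state in HALF_OPEN:
            stuck[host] += 1
    return {h: (stuck[h], total[h]) for h in total if stuck[h]}


if __name__ == "__main__":
    for host, (bad, n) in find_stuck_forwards(SAMPLE_STATES).items():
        print(f"{host}: {bad}/{n} forwarded states half-open; check that host's default gateway")
```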
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.