Netgate Discussion Forum

    One DMZ host can be reached through WAN, the other can't

Firewalling
9 Posts 4 Posters 3.5k Views
mike_c

We have what I think is a fairly typical 3-homed FW/DMZ setup.

      
Internet
    |
GroupTel
    |
Our SW1
    |
Our FW (pfsense)
    |
Our SW2
    |
----------------
|              |
LAN            DMZ (OPT1)
|              |
desktops       public servers
      
      

      if it matters:  pfSense 1.0.1-SNAPSHOT-03-27-2007-pfSense

Let's say for a moment that I have two servers in the DMZ (host1, host2) that are essentially the same hardware, OS, services running on them, etc.

From the internet (like, from home), I can telnet to host1:80 no problem, but I cannot telnet to host2:80. The FW rule that passes *:80 to host1 is precisely the same as the one for host2. I've tried deleting the rule and making it completely from scratch. I've tried copying the rule that works for host1 and modifying it to point to host2. I've even tried a hard restart of the FW.

I've broken out tcpdump: host1 sees tonnes of traffic, host2 practically none (ICMP and NTP stuff, but that's about it).

I've also looked at tcpdump on the FW itself, and I can't see any traffic that is destined for host2 (I do see it for host1). My tcpdump command looks like:

      tcpdump -n port 80 | grep 'host2.ip.address'
      

      As an experiment, I disconnected host2 from SW2, and put it right up on SW1 (beside the firewall, not behind it)… the internet can now see host2.

Does this smell like a problem with the 'upstream provider', or might it still be something I need to do to either the FW or SW1? (And what might that be?) I can't get past the fact that tcpdump on the FW saw no traffic destined for host2; it makes me think it's an upstream problem.

I'm very inexperienced, but might it be that the upstream provider's ARP tables are not updated? (Or does that have nothing to do with this?)

GruensFroeschli

Are the IPs in your DMZ public IPs?
Are you using VIPs on your WAN?
Are the servers in the DMZ on the same physical network as your clients? (-> bad practice)

From what you wrote above, you do not have any NAT forwards, which you might need.

        Search the forum for possible "Server-in-DMZ-setups".

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

jahonix

          @mike_c:

          As an experiment, I disconnected host2 from SW2, and put it right up on SW1 (beside the firewall, not behind it)… the internet can now see host2.
          Does this smell like a problem with the 'upstream provider',

No, quite the opposite. Upstream seems fine; your pfSense ruleset and NAT should be questioned.
Refer to GruensFroeschli's post and provide some more info.

mike_c

Are the IPs in your DMZ public IPs?
Yes.

Are you using VIPs on your WAN?
Virtual IPs? We have a number of them, but none for host1 or host2. Do we need them if they have public IPs?

Are the servers in the DMZ on the same physical network as your clients? (-> bad practice)
No, sorry, I was lazy/stupid in my diagram. There are two switches behind the FW, one for LAN, one for DMZ. (Is that what you meant?)

NAT forwarding
We do have a number of NAT forwards set, but none for host1 or host2. host1 works fine without one, and both host1 and host2 have public IPs. All our NATs are there to connect some public IP to a 10.0.0.x address on the LAN.

GruensFroeschli

There are two possible setups:
1: Bridge your DMZ to your WAN and use pfSense as a filtering bridge. Your servers will have the public IPs and have the next router before your pfSense as their gateway.

2: Have VIPs for each public IP you have on your WAN, and give your servers private IPs. Then 1:1 NAT or just forward the needed ports to your server from the corresponding VIP.


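What setup #2 looks like in pf terms, as an added example that is not part of the thread or of the poster's configuration: this is the FreeBSD pf syntax that pfSense generates for a 1:1 NAT entry and for a port forward. The interface names (em0, em2), the private DMZ subnet 10.0.1.0/24 and the TEST-NET public address 203.0.113.46 are assumptions standing in for the poster's real values.

```pf
# Added example, not from the thread. pf.conf as pfSense renders it for
# GruensFroeschli's option 2: public VIP on WAN, server on a private address.
# Assumed values: em0 = WAN, em2 = OPT1/DMZ, 10.0.1.46 = host2's new private
# address, 203.0.113.46 = stand-in for the public .46 address.
wan = "em0"
dmz = "em2"

# The public address has to exist as a Virtual IP on WAN (pfSense:
# Firewall > Virtual IPs, type IP Alias or Proxy ARP) so the firewall answers
# ARP for it. pf itself only translates; it does not claim the address.

# 1:1 NAT (pfSense "1:1" tab): every port of the VIP maps to host2 and back.
binat on $wan from 10.0.1.46 to any -> 203.0.113.46

# ...or forward only the needed port instead (pfSense "Port Forward" tab).
# Use one or the other for a given VIP, not both:
# rdr on $wan proto tcp from any to 203.0.113.46 port 80 -> 10.0.1.46 port 80

# Translation happens before filtering, so the WAN filter rule must match the
# translated (private) destination, which is what pfSense's associated filter
# rule for a port forward does.
pass in quick on $wan proto tcp from any to 10.0.1.46 port 80 keep state
```

With this shape the DMZ stops being bridged to WAN, so the upstream router only ever needs to resolve ARP for the firewall's own WAN address and VIPs, which is the point of the recommendation above.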
mike_c

                I appreciate the info on how it ought to be done.  And as it happens, I've had it in the back of my mind to do approach #2.  But for right now, I'm still stumped as to why host1 is reachable and host2 is not.

                I'd like to understand why that is, before I start making any other network changes.

Perry

As I read your setup it all sounds a bit strange :) I think you'll need to post your rules to clear up what you've done so far.
                  What GruensFroeschli suggested is shown here
                  http://doc.m0n0.ch/handbook-single/#id2604946

                  /Perry
                  doc.pfsense.org

mike_c

                    Interfaces

                    
WAN:      139.142.x.4
Gateway:  139.142.x.254

LAN:      10.0.0.1

OPT1:     Static, bridged to WAN
                    
                    

                    Aliases:  None
                    NAT:  None (that involve either host1 or host2)
                    VIPS: None (that involve either host1 or host2)

First 3 rules (WAN tab):

Rule    Proto   Source:port                  Destination:port
-----   -----   ---------------------------  -----------------
block           RFC 1918 private networks
allow   TCP     *:*                          139.142.x.19:80
allow   TCP     *:*                          139.142.x.46:80
                    
                    

The first 'allow' rule works: I can access .19 from the internet. The second 'allow' rule doesn't work, or rather, I can't access .46 from the internet.

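To check the claim that the two allow rules are treated identically, here is an added example (not code from the thread or from pfSense) that models how pfSense evaluates WAN rules: the GUI generates pf rules with `quick`, so the first matching rule wins and anything unmatched falls to the default deny. The addresses are constructed stand-ins from TEST-NET (203.0.113.19 and .46 for the posted .19 and .46, 198.51.100.7 as an outside client), not the poster's real 139.142.x.y addresses.

```python
"""
Added example (not from the thread): a minimal model of pfSense's WAN rule
evaluation, applied to a ruleset shaped like the one posted above.
pfSense GUI rules are generated as pf 'quick' rules: the first matching rule
wins, and a packet that matches nothing hits the implicit default deny.
Addresses are constructed stand-ins from TEST-NET, not the poster's 139.142.x.y.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# What the "Block private networks" checkbox on WAN expands to
RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str] = None          # None = any protocol
    src: Optional[tuple] = None          # tuple of networks; None = any source
    dst: Optional[IPv4Network] = None    # None = any destination
    dport: Optional[int] = None          # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field the rule constrains agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src is not None and not any(ip_address(pkt.src) in net for net in rule.src):
        return False
    if rule.dst is not None and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet):
    """First-match ('quick') evaluation: returns (action, index of the matching rule).
    No match is the implicit default deny, reported as ("block", None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "block", None


# The three WAN rules from the post, with stand-in addresses:
# .19 -> 203.0.113.19, .46 -> 203.0.113.46
WAN_RULES = [
    Rule("block", src=RFC1918),
    Rule("pass", proto="tcp", dst=ip_network("203.0.113.19/32"), dport=80),
    Rule("pass", proto="tcp", dst=ip_network("203.0.113.46/32"), dport=80),
]


def compare_hosts(rules, hosts, src="198.51.100.7", proto="tcp", dport=80):
    """Send the same probe at each host; returns {host: (action, rule_index)}."""
    return {h: evaluate(rules, Packet(proto, src, h, dport)) for h in hosts}


if __name__ == "__main__":
    for host, (action, idx) in compare_hosts(WAN_RULES, ["203.0.113.19", "203.0.113.46"]).items():
        print(f"tcp 198.51.100.7 -> {host}:80  {action} (rule {idx})")
    # A spoofed private source is dropped by rule 0 before the pass rules are reached
    print(evaluate(WAN_RULES, Packet("tcp", "10.0.0.5", "203.0.113.46", 80)))
    # Anything not explicitly passed falls through to the default deny
    print(evaluate(WAN_RULES, Packet("tcp", "198.51.100.7", "203.0.113.46", 443)))
```

Both destinations hit their own pass rule for an outside TCP source on port 80, so the filter side of this ruleset treats .19 and .46 the same and cannot by itself account for one host being unreachable. One caveat worth knowing when reading the poster's capture: BPF hands inbound frames to tcpdump before pf filters them, so a capture on the WAN interface that shows nothing for .46 means those frames are not reaching that interface at all, whatever the rules say; the posted tcpdump command has no `-i`, so confirm the capture is actually on the WAN interface before drawing that conclusion.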
mike_c

                      Is my config so hideous, you've all turned away?  ;)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.