Outbound traffic from DMZ not routing to Internet
-
I've been banging my head against the wall on this issue for a couple of days and need some help. I am running 1.2 RC4 (just upgraded from RC3) on a Jetway C7 mobo with a 3x Gbps LAN daughterboard. I am using WAN, LAN, and OPT1 (DMZ) interfaces.
Almost everything works, except that I have an intermittent problem with outbound traffic from the DMZ. I have a server in the DMZ right now. I can connect to OpenVPN on the firewall and get into my server via SSH and VNC no problem, but the server can't get out to the Internet. I have firewall rules set up the way I think they should be to allow outbound traffic, but nothing works. I can get to the firewall from the DMZ, but not past it.
The weirdest part of the problem is that sometimes it works. Last night I was trying to debug the problem, and all of a sudden it started routing out. I was in the middle of using apt-get on my server to install some new packages, and midway through it just cut out and stopped routing packets. I haven't been able to get outbound traffic going since then. I took a laptop and plugged it into the DMZ subnet to check if the issue was with the server, but the laptop couldn't route traffic either.
Here are my DMZ firewall rules:
I am logging packets for the DMZ -> any but LAN rule (which I have duplicated on the WAN if) and it shows the packets being passed. What am I doing wrong?
FYI, I am new to pfSense. I've used m0n0wall for a few years and wanted to upgrade to pfSense for the extra features.
EDIT: Routing from LAN outbound works fine. I have the basic LAN -> any rule set up on the LAN if.
-
@http://forum.pfsense.org/index.php/topic:
If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces) enable Advanced outbound NAT.
You need to create a rule for every subnet you want NAT'ed.
Alternatively you can change the source of single existing rule from LAN to "any" thus NAT'ing everything.
This might create a problem for FTP with multiWAN.
more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810
also:
@http://forum.pfsense.org/index.php/topic:
Rules are processed from top down.
If a rule catches, the rest of the rules are no longer considered.
By default a "block all" rule is always in place (invisible, below your own rules). -> All rules below your second rule are useless.
-
@http://forum.pfsense.org/index.php/topic:
If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces) enable Advanced outbound NAT.
You need to create a rule for every subnet you want NAT'ed.
Alternatively you can change the source of single existing rule from LAN to "any" thus NAT'ing everything.
This might create a problem for FTP with multiWAN.
more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810
I set this up, still no love. I'm still showing the SINGLE:NO_TRAFFIC messages in states.
also:
@http://forum.pfsense.org/index.php/topic:
Rules are processed from top down.
If a rule catches, the rest of the rules are no longer considered.
By default a "block all" rule is always in place (invisible, below your own rules). -> All rules below your second rule are useless.
I knew the last rule was useless, but I thought rules from any -> DMZ would be used. I take it those rules are irrelevant on the DMZ if.
If I can't get this sorted out today, I will be more than happy to pay someone to fix it for me. Please hit me off list cfmunster at gmail if interested in helping me retain my sanity.
Rob
-
UPDATE: I moved the server to the LAN and was able to get out from the server to the Net. Then I changed my 1:1 NAT settings from DMZ addresses to LAN addresses for my server, and I could no longer get out. So it seems the issue is the 1:1 NAT settings. In m0n0wall I used proxy ARP to solve this issue, but I don't see that panel in pfSense. What should I do?
UPDATE: Ah, I got it. Proxy ARP is under Virtual IPs in pfSense. All working now.
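As an added illustration (not from the thread and not pfSense's own generated rule set), here is what the pieces discussed above look like expressed directly in pf.conf: one outbound NAT rule per internal subnet, first-match ordering on the DMZ interface, and a 1:1 mapping for the server whose public address something on the WAN side must answer ARP for (the Proxy ARP Virtual IP that fixed it). Interface names, subnets and addresses are assumed.

```pf
# Assumed names and addresses (constructed for this example, not from the thread)
ext_if  = "vr0"               # WAN
lan_if  = "vr1"               # LAN
dmz_if  = "vr2"               # OPT1 / DMZ
lan_net = "192.168.1.0/24"
dmz_net = "192.168.10.0/24"
dmz_srv = "192.168.10.5"      # the server sitting in the DMZ
pub_ip  = "203.0.113.5"       # its public address (documentation range)

# --- Translation rules (pf processes these before the filter rules) ---

# Automatic outbound NAT only covers the LAN subnet. With Advanced
# outbound NAT enabled, every subnet that should reach the Internet
# needs its own rule; "from any" would cover all of them in one rule.
nat on $ext_if from $lan_net to any -> ($ext_if)
nat on $ext_if from $dmz_net to any -> ($ext_if)

# 1:1 NAT for the DMZ server. binat only rewrites addresses: the
# upstream router still has to get an ARP reply for $pub_ip on the
# WAN segment, otherwise return traffic never reaches the firewall
# and the states sit at NO_TRAFFIC. pfSense answers that ARP with a
# Proxy ARP Virtual IP (Firewall > Virtual IPs); plain pf would need
# $pub_ip configured on $ext_if or a separate proxy-ARP daemon.
binat on $ext_if from $dmz_srv to any -> $pub_ip

# --- Filter rules: with "quick", the first matching rule wins, top down ---

# Default deny, which pfSense keeps (hidden) below the user's rules
block log all

# Rules on the DMZ tab apply to traffic entering the firewall on the
# DMZ interface, so "any -> DMZ net" rules placed there never match.
# This is the "DMZ net -> any except LAN net" outbound rule.
pass in quick on $dmz_if inet from $dmz_net to ! $lan_net keep state

# A rule placed after a catch-all on the same interface is dead code:
# the rule above already matched every packet arriving from $dmz_net.
# pass in quick on $dmz_if inet from $dmz_net to any keep state   # never reached

# The usual LAN -> any rule
pass in quick on $lan_if inet from $lan_net to any keep state
```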