Netgate Discussion Forum
    Need Help Setting Up DMZ - Close to giving up on pfSense

    Firewalling
    19 Posts 6 Posters 17.8k Views
      XclntONE

      Okay, I started from a clean slate.  Set up my WAN, LAN, and DMZ (OPT1) interfaces.  I have the WAN on my external IP and /26 subnet.  I set up the rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN.  I have DHCP enabled on my LAN and temporarily enabled on my DMZ (for testing purposes).  In the end, once I can get in and out of my DMZ, I would like to use static IPs and 1:1 NAT.

      Based upon this basic setup I would assume that I could add similar rules as I did for my LAN, HTTP & HTTPS and be able to browse the web.  At this point I can't. How is the DMZ handled differently and what do I need to do?

      I turned on the logging on the rules I set for the DMZ and I am getting nothing showing up in the logs.

        GruensFroeschli

        Are there public IPs in your DMZ?
        Could you maybe show screenshots of what your rules look like?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          XclntONE

          Right now I am not using public IPs in my DMZ.  The machine inside the DMZ has a 192.168.2.* address assigned by DHCP.  I am just trying to get out.  Then I am going to get to the 1:1 and the public IP setup.

            GruensFroeschli

            I somehow think you messed up the rules if you can get to the internet from the LAN but not from the DMZ.
            Could you show screenshots?

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

              Kris.J

              @XclntONE:

              Okay, I started from a clean slate.  Set up my WAN, LAN, and DMZ (OPT1) interfaces.  I have the WAN on my external IP and /26 subnet.  I set up the rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN.  I have DHCP enabled on my LAN and temporarily enabled on my DMZ (for testing purposes).  In the end, once I can get in and out of my DMZ, I would like to use static IPs and 1:1 NAT.

              Based upon this basic setup I would assume that I could add similar rules as I did for my LAN, HTTP & HTTPS and be able to browse the web.  At this point I can't. How is the DMZ handled differently and what do I need to do?

              I turned on the logging on the rules I set for the DMZ and I am getting nothing showing up in the logs.

              Hmmmm… "rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN"...

              Have you defined rules with the WAN as the source and the DMZ as the destination for the same services?

              I assume you've made the rules you describe above with the LAN as the source and the DMZ as the destination?

              Personally, I would permit all IP from LAN to DMZ for starters.

              Kind of in this order is how I think I would proceed:

              1.  Create Aliases for my DMZ hosts.

              2.  Create Virtual IPs for the public IPs out of my /26 that I'm going to use for 1:1 NAT to DMZ hosts.
              You do not really need to NAT LAN:DMZ IPs.

              3.  Setup specific firewall rules for WAN access to my DMZ hosts.
              Very few and very small holes, just enough for what services we need to expose to the public.

              4.  Set up a firewall rule that allows all IP from LAN to DMZ.  The LAN is fully trusted, the DMZ is semi-trusted, and the WAN is not trusted.
              So, packets that are sourced in the fully trusted network should be allowed to go wherever they want pretty much, right?

              5.  Set up specific firewall rules that allow DMZ hosts access to LAN stuff.
              Very few and very small holes, just enough for the DMZ hosts to function and communicate with what they need on the LAN.

              Basically, I like to lay things out and think of them as how much I trust each of the three networks.

              WAN: not trusted
              DMZ: semi-trusted
              LAN: fully trusted

              Then, think about the direction of traffic flow:  from a more trusted network to a less trusted network we don't need to worry about so much; but from a less trusted network to a more trusted network, we need to firewall the crap out of that.

              Hope this helps!

              I did it for the lulz.

                Kris.J

                Oh, and numbering!

                WAN:  use your public IPs out of your /26  (I'm jealous, that's a nice sized chunk your ISP gave you!)  ;)

                DMZ:  use your private static IPs for your DMZ hosts, no DHCP.

                LAN: use a private subnet, different than your DMZ subnet.

                Here is how I would number it:

                LAN:  10.10.x.x/16 - DHCP pool for workstations 10.10.1.x/16, everything else statically assigned with the 3rd octet a number specific to the type of device: 240 for servers, 254 for routers/gateways, 252 for switches, 253 for WAPs, etc.

                DMZ:  10.9.x.x/16 - no DHCP, same scheme as above, all statically assigned

                WAN: whatever out of my /26 of publics

                I did it for the lulz.

                  XclntONE

                  Okay, I created an alias for my test host that is in my dmz.  I assigned the Virtual IP and I did a 1:1 mapping for that host.  On the firewall rules I have rules on the WAN interface that are set to TCP Any Source Any Source Port -> Destination www1 (alias for host) TCP 80 and I am still getting nothing.  I can't access it from the outside and from inside my DMZ I cannot browse the web even though I have the rules on the DMZ interface set to Source=DMZ Subnet * * Destination Port TCP 80.  Where am I going wrong?

                    XclntONE

                    [screenshot: LAN Rules]

                    [screenshot: WAN Rules]

                    [screenshot: DMZ Rules]

                    Here are my current rules.  What needs to be changed and what is correct?

                      kpa

                      Change the LAN rules to have just one rule that allows anything to anywhere.  Do the same for DMZ.  You are not listing your NAT mappings; do you have a port forward for port 80 from the WAN address to the www server on your DMZ?  Once you get it working using the simplest method you can start adding things like 1:1 NAT and more restrictive firewall rules between DMZ and LAN.

                        XclntONE

                        My LAN is working fine.  The rules work on my LAN just as they are put in.  My DMZ however is where all of the trouble is.  No matter what rules I put in I get no results.

                          XclntONE

                          Okay, I just tried on my DMZ interface allowing the DMZ subnet to Any Dest and Any Port and I am getting nothing.  I can't browse the web from inside the DMZ.  I can access pfSense from inside the DMZ, so I am sure it's a config setting and not hardware.

                            vito

                            From your one screenshot, I see 80 and 443.
                            How about DNS? (53)

                            Can you ping something like 4.2.2.2 from your DMZ box?

                            Sorry, you probably cannot ping either…
                            Try getting an IP of a web server, then telnet to the IP on 80 to see if you get a response (like Yahoo's IP).
                            Go to the command line
                            ex: telnet 1.1.1.1 80
                            (make sure you put a working IP in there) :) Test this from inside your LAN to see the results first.
                            If 80 is getting out, you should get a blank screen in Windows.

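Kris.J's trust-ordered layout (specific holes from less-trusted to more-trusted zones, broad permits the other way) and vito's point that web rules alone do nothing without DNS can be seen together in a small rule evaluator. This is an added example, not pfSense code and not anything posted in the thread: it models the behaviour pfSense users rely on, namely that rules are evaluated on the interface the traffic enters, the first match wins, and anything unmatched hits the implicit default deny. NAT is left out. The LAN range, the www1 host address, the resolver address and the assumption that the DMZ host resolves names through pfSense's own DMZ address are all constructed for the example; only the 192.168.2.x DMZ range comes from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the example. The DMZ range matches the thread's
# 192.168.2.*; LAN, the www1 host and the resolver address are assumptions.
LAN = ip_network("192.168.1.0/24")
DMZ = ip_network("192.168.2.0/24")
ANY = ip_network("0.0.0.0/0")
WWW1 = ip_network("192.168.2.10/32")      # the alias "www1" from the thread, address assumed
RESOLVER = ip_network("192.168.2.1/32")   # pfSense's DMZ address acting as DNS forwarder (assumed)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    iface: str                   # interface the packet ENTERS the firewall on
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int] = None


def evaluate(rulesets, flow):
    """First matching rule on the ingress interface wins; no match is the implicit deny."""
    for rule in rulesets.get(flow.iface, ()):
        if rule.proto != "any" and rule.proto != flow.proto:
            continue
        if flow.src not in rule.src or flow.dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != flow.dport:
            continue
        return rule.action
    return "block"


# The DMZ ruleset as described in the thread: web ports only, no DNS.
ORIGINAL = {
    "DMZ": [Rule("pass", "tcp", DMZ, ANY, 80), Rule("pass", "tcp", DMZ, ANY, 443)],
    "WAN": [Rule("pass", "tcp", ANY, WWW1, 80)],
    "LAN": [Rule("pass", "any", LAN, ANY)],
}

# The "allow DMZ subnet to anything" troubleshooting step: browsing works,
# but the semi-trusted zone can now also initiate connections into the LAN.
PERMISSIVE = {
    "DMZ": [Rule("pass", "any", DMZ, ANY)],
    "WAN": [Rule("pass", "tcp", ANY, WWW1, 80)],
    "LAN": [Rule("pass", "any", LAN, ANY)],
}

# Trust-ordered ruleset: DNS to the forwarder first (name resolution precedes any
# HTTP connection), then an explicit block of DMZ -> LAN, then the outbound permits.
# Holes from DMZ into LAN would be added as specific pass rules above the block.
HARDENED = {
    "DMZ": [
        Rule("pass", "udp", DMZ, RESOLVER, 53),
        Rule("pass", "tcp", DMZ, RESOLVER, 53),
        Rule("block", "any", DMZ, LAN),
        Rule("pass", "tcp", DMZ, ANY, 80),
        Rule("pass", "tcp", DMZ, ANY, 443),
    ],
    "WAN": [Rule("pass", "tcp", ANY, WWW1, 80)],
    "LAN": [Rule("pass", "any", LAN, ANY)],
}


def dmz_can_browse(rulesets):
    """Browsing needs BOTH the DNS lookup and the HTTP connection to pass."""
    host = ip_address("192.168.2.10")
    dns = Flow("DMZ", "udp", host, ip_address("192.168.2.1"), 53)
    http = Flow("DMZ", "tcp", host, ip_address("203.0.113.5"), 80)  # TEST-NET-3 stand-in for a web server
    return evaluate(rulesets, dns) == "pass" and evaluate(rulesets, http) == "pass"


def dmz_to_lan_blocked(rulesets):
    """A DMZ host trying to reach a file share on the trusted LAN."""
    smb = Flow("DMZ", "tcp", ip_address("192.168.2.10"), ip_address("192.168.1.20"), 445)
    return evaluate(rulesets, smb) == "block"


def wan_to_www1(rulesets, port):
    """Internet-side connection to the published web host (post-NAT destination)."""
    return evaluate(rulesets, Flow("WAN", "tcp", ip_address("198.51.100.7"), ip_address("192.168.2.10"), port))


if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL), ("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(f"{name:10s} browse={dmz_can_browse(rs)} dmz->lan blocked={dmz_to_lan_blocked(rs)}")
```

Running it shows the three states the thread passes through: the original rules block the DNS lookup so nothing loads even though port 80 is open; the permissive rule makes browsing work but leaves DMZ to LAN wide open; the trust-ordered set allows browsing while keeping the DMZ from initiating anything into the LAN. On the WAN side only port 80 to www1 passes, which is the "very few and very small holes" point from the procedure above.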
                              XclntONE

                              I have it figured out now.

                              I set my DMZ to bridge with the WAN and then made sure that bridge filtering was enabled.

                              Then I set the rules for WAN -> DMZ and DMZ -> WAN accordingly and now everything is working 100%.

                              Next tough thing is going to be migrating the web data to the new servers on the new IPs.  But I guess that would be right for another forum?  Anyone here have any experience with migrating shopping carts from one server to another during a DNS migration?
