Need help getting basic rules working
-
I just installed pfSense. Mostly default settings so far. Nothing fancy. I have the following interfaces:
WAN (internet/modem) - 10.1.10.2
LAN (our network) - 10.20.0.100
DMZ (our DMZ network) - 192.168.10.100I'm on a computer on the LAN, trying to SSH to a computer in the DMZ. In the pfSense Firewall Log I can see this:
X May 17 19:30:11 LAN 10.20.0.140:60321 192.168.10.20:22 TCP:S
So thats my computer (10.20.0.140) trying to SSH (port 22) to 192.168.10.20. When I click the "X" it says
The rule that triggered this action is: @65 block drop in log quick all label "Default deny rule"
That's about what I expected.
So next I went to Firewall > Rules > LAN and made the following rule
Proto: *
Source: LAN net
Source Port: *
Destination: DMZ net
Destination Port: *
Gateway: *
Desc: Lan -> DMZSo this should allow anything on the LAN to access anything on the DMZ correct? For some reason it's still not letting my computer through via SSH. It's the only rule I have on there.
What am I missing here?
-
Did you make sure you applied the changes? Did you try a different gateway like default?
-
That is the default value for gateway. Yes I hit Apply Changes.
-
what about the including reverse rule allowing the source DMZ to talk to the destination LAN.
-
what about the including reverse rule allowing the source DMZ to talk to the destination LAN.
Ya, still not working. Okay I changed it up a bit. This is exactly what I have now:
LAN:
Proto Source Port Destination Port Gateway Schedule Description TCP LAN address 22 (SSH) Interface IP address 22 (SSH) * LAN -> DMZ SSH
DMZ:
Proto Source Port Destination Port Gateway Schedule Description TCP Interface IP address 22 (SSH) LAN address 22 (SSH) * DMZ -> LAN SSH
Seems pretty straightforward…. Why isn't it working? These are my only rules....
-
Rules only have an effect on the interface on which a connection is started.
So all rules on the DMZ interface do absolutely nothing for connections comming
from the LAN.
Your error is: you've set in the rule as source "LAN-address"
this means exactly that: the address of the pfsense on the LAN.
I dont think you create the ssh connection from
the pfsense itself, so you should change that to LAN-subnet.
The source-port is always a random number > 1024 and < 65536.
You've fixed it to 22 which will never happen.
The destination is interface address again. This has to be the address of the server
itself. -
You should start with allowing everything to everything on LAN and the same on DMZ, tighten the rules later when you get hang of the system.
Interface address and LAN address mean just what they say, the single ip address assigned to the interface, not the whole subnet connected to the interface. What you want instead is LAN subnet and DMZ subnet if you want to limit by destination in a firewall rule.
-
Ah okay that makes sense. I'll change it up now and get back to you guys. Thanks for the help. I assumed "LAN Address" mean't "Coming from a LAN Address" :-P
-
Bah, still not working. This is what I have:
LAN:
Proto Source Port Destination Port Gateway Schedule Description * LAN net * * * * LAN > Anywhere
DMZ:
Proto Source Port Destination Port Gateway Schedule Description * DMZ net * * * * DMZ > Anywhere
lol I'm not sure how it could be more wide open. Still not able to SSH to that server in the DMZ. Does that server need to have its default gatway set to the pfSense firewall?
Another note, I can't even connect to the internet through my machine. Also, I can't ping anything in the DMZ.
-
Post screenshots of status->interfaces and diagnostic->routes (just the ipv4 part of routes is enough). Blank out any public ip addresses in your screenshots if you don't want to reveal them.
-
Okay I got the internet working. My subnet mask bit for WAN and DMZ was not set to /24 by default. After changing that, I could access the internet. Still no dice on SSHing to the DMZ servers.
-
I'm able to SSH to 192.168.10.100 (the address of the pfSense DMZ interface), but not other servers in 192.168.10.X
-
I'm able to get DNS resolves from our DMZ server which is located in the DMZ
-
Can't ssh to DMZ servers from my computer in the LAN
-
Can't ping DMZ servers from my computer in the LAN
-
I CAN successfully ping DMZ servers from my pfSense machine (via web interface or command-line)
Screenshots otw…
-
-
Now these routes…. I didn't actually set these up anywhere. Are they automatically generated or something?
10.20.0.140 is the computer I'm testing from. It's gateway is set to 10.20.0.100, the pfSense LAN interface
10.20.0.141 is the computer I'm currently typing on. It's gateway is our old/existing firewall
10.1.10.1 is the Comcast Business Cable Modem192.168.10.11 I think is our mail server.
192.168.10.18 and 192.168.10.20 are our DNS servers. These are the machines I've been trying to SSH to from 10.20.0.140.Clear as mud? Thanks for the help by the way. Once I get the hang of pfSense I don't think it will be a problem. Just trying to get past these initial hurdles...
-
Change the computer you're using to ping the DMZ hosts to use pfSense as it's default gateway and it should start working.
-
The pfSense LAN interface is 10.20.0.100. My computer in the LAN already has 10.20.0.100 as its one and only gateway. I'm sorry am I misunderstanding something?
-
Ah sorry, getting tired…
Are the hosts on DMZ using the DMZ interface address as their default gateway?
Try a traceroute or mtr from a LAN host to one of the DMZ hosts.
-
Ah, no the DMZ servers do NOT have their gateway set to the pfSense box. I guess I figured since I could SSH from pfSense directly to a DMZ server, that it didn't matter if I was trying to do the same thing from a computer on the LAN.
So, hopefully that is the problem, but I don't really have a good way to test it at the moment. This is a network for a small business and currently the DMZ servers have their gateway set to the existing firewall. I can't just switch it without causing some mayhem with the business traffic. Is there anyway I can add a secondary gateway or something like that on the servers so I can continue my testing?
Trying to replace a firewall for a business is like trying to change the tires on a moving car :-)
-
Yeah that explains it, the existing firewall does not know what to do with the return traffic destined to pfSense LAN and discards it. A static route on this firewall that directs traffic to network 10.20.0/24 to ip address 192.168.10.100 would solve the problem.
Edit: Setting the same static route on DMZ hosts individually accomplishes the same in case this existing firewall does not allow setting of static routes.
-
Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration. If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.
Note: If you want to route inbound connections on that router to the DMZ servers, there is actually a workaround using outbound NAT rules, but it does have a side effect of the servers not being able to know where the traffic came from.
-
@Efonne:
Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration. If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.
Yup, the existing config is very simple but its only temporary. I'm just learning the ins and outs of pfSense here. Eventually I'll lock it down much more once I'm more confident and move toward actually using pfSense as the company firewall.
-
If you only want to allow connections to DMZ and don't need connections from DMZ, but if you also don't want to change anything on your production firewall yet, you could actually even add an outbound NAT rule to NAT all traffic that goes to the DMZ network. To do so, just create an outbound NAT rule on the DMZ interface from all to all (or from all to DMZ network if you have the subnet set to match already). Then you should be able to access all of the systems on the DMZ network, for access from LAN, port forwards, or 1:1 mappings.