Need help getting basic rules working

Jakobud

@bjh4:

what about the including reverse rule allowing the source DMZ to talk to the destination LAN.

Ya, still not working.  Okay I changed it up a bit.  This is exactly what I have now:

LAN:

Proto  	Source  	  				Port  	  		Destination  	  	  		Port  	  		Gateway  	Schedule  	Description  	
TCP  		LAN address 				22 (SSH)  	  	Interface IP address 	22 (SSH) 	  	* 	  	  	  	  	  	LAN -> DMZ SSH

DMZ:

Proto  	Source  	  				Port  	  		Destination  	  	  		Port  	  		Gateway  	Schedule  	Description  	
TCP  		Interface IP address 	22 (SSH)  	  	LAN address 				22 (SSH) 	  	* 	  	  	  	  	  	DMZ -> LAN SSH

Seems pretty straightforward…. Why isn't it working?  These are my only rules....

GruensFroeschli

Rules only have an effect on the interface on which a connection is started.
So all rules on the DMZ interface do absolutely nothing for connections comming
from the LAN.
Your error is: you've set in the rule as source "LAN-address"
this means exactly that: the address of the pfsense on the LAN.
I dont think you create the ssh connection from
the pfsense itself, so you should change that to LAN-subnet.
The source-port is always a random number > 1024 and < 65536.
You've fixed it to 22 which will never happen.
The destination is interface address again. This has to be the address of the server
itself.

kpa

You should start with allowing everything to everything on LAN and the same on DMZ, tighten the rules later when you get hang of the system.

Interface address and LAN address mean just what they say, the single ip address assigned to the interface, not the whole subnet connected to the interface. What you want instead is LAN subnet and DMZ subnet if you want to limit by destination in a firewall rule.

Jakobud

Ah okay that makes sense.  I'll change it up now and get back to you guys.  Thanks for the help.  I assumed "LAN Address" mean't "Coming from a LAN Address" :-P

Jakobud

Bah, still not working.  This is what I have:

LAN:

Proto  	Source		Port		Destination	Port		Gateway		Schedule		Description  	
*  			LAN net 	* 	  		* 				* 	  		* 	  	  	  	 		 	  	LAN > Anywhere

DMZ:

Proto  	Source		Port		Destination	Port		Gateway		Schedule		Description  	
*  			DMZ net 	*  	  		* 				* 	  		* 	  	  	  	  	  			DMZ > Anywhere

lol I'm not sure how it could be more wide open.  Still not able to SSH to that server in the DMZ.  Does that server need to have its default gatway set to the pfSense firewall?

Another note, I can't even connect to the internet through my machine.  Also, I can't ping anything in the DMZ.

kpa

Post screenshots of status->interfaces and diagnostic->routes (just the ipv4 part of routes is enough). Blank out any public ip addresses in your screenshots if you don't want to reveal them.

Jakobud

Okay I got the internet working.  My subnet mask bit for WAN and DMZ was not set to /24 by default.  After changing that, I could access the internet.  Still no dice on SSHing to the DMZ servers.

• I'm able to SSH to 192.168.10.100 (the address of the pfSense DMZ interface), but not other servers in 192.168.10.X

• I'm able to get DNS resolves from our DMZ server which is located in the DMZ

• Can't ssh to DMZ servers from my computer in the LAN

• Can't ping DMZ servers from my computer in the LAN

• I CAN successfully ping DMZ servers from my pfSense machine (via web interface or command-line)

Screenshots otw…

Jakobud

Now these routes…. I didn't actually set these up anywhere.  Are they automatically generated or something?

10.20.0.140 is the computer I'm testing from.  It's gateway is set to 10.20.0.100, the pfSense LAN interface
10.20.0.141 is the computer I'm currently typing on.  It's gateway is our old/existing firewall
10.1.10.1 is the Comcast Business Cable Modem

192.168.10.11 I think is our mail server.
192.168.10.18 and 192.168.10.20 are our DNS servers.  These are the machines I've been trying to SSH to from 10.20.0.140.

Clear as mud?  Thanks for the help by the way.  Once I get the hang of pfSense I don't think it will be a problem.  Just trying to get past these initial hurdles...

kpa

Change the computer you're using to ping the DMZ hosts to use pfSense as it's default gateway and it should start working.

Jakobud

The pfSense LAN interface is 10.20.0.100.  My computer in the LAN already has 10.20.0.100 as its one and only gateway.  I'm sorry am I misunderstanding something?

kpa

Ah sorry, getting tired…

Are the hosts on DMZ using the DMZ interface address as their default gateway?

Try a traceroute or mtr from a LAN host to one of the DMZ hosts.

Jakobud

Ah, no the DMZ servers do NOT have their gateway set to the pfSense box.  I guess I figured since I could SSH from pfSense directly to a DMZ server, that it didn't matter if I was trying to do the same thing from a computer on the LAN.

So, hopefully that is the problem, but I don't really have a good way to test it at the moment.  This is a network for a small business and currently the DMZ servers have their gateway set to the existing firewall.  I can't just switch it without causing some mayhem with the business traffic.  Is there anyway I can add a secondary gateway or something like that on the servers so I can continue my testing?

Trying to replace a firewall for a business is like trying to change the tires on a moving car :-)

kpa

Yeah that explains it, the existing firewall does not know what to do with the return traffic destined to pfSense LAN and discards it. A static route on this firewall that directs traffic to network 10.20.0/24 to ip address 192.168.10.100 would solve the problem.

Edit: Setting the same static route on DMZ hosts individually accomplishes the same in case this existing firewall does not allow setting of static routes.

Efonnes

Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration.  If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.

Note: If you want to route inbound connections on that router to the DMZ servers, there is actually a workaround using outbound NAT rules, but it does have a side effect of the servers not being able to know where the traffic came from.

Jakobud

@Efonne:

Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration.  If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.

Yup, the existing config is very simple but its only temporary.  I'm just learning the ins and outs of pfSense here.  Eventually I'll lock it down much more once I'm more confident and move toward actually using pfSense as the company firewall.

Efonnes

If you only want to allow connections to DMZ and don't need connections from DMZ, but if you also don't want to change anything on your production firewall yet, you could actually even add an outbound NAT rule to NAT all traffic that goes to the DMZ network.  To do so, just create an outbound NAT rule on the DMZ interface from all to all (or from all to DMZ network if you have the subnet set to match already).  Then you should be able to access all of the systems on the DMZ network, for access from LAN, port forwards, or 1:1 mappings.