Need help getting basic rules working
-
Post screenshots of status->interfaces and diagnostic->routes (just the ipv4 part of routes is enough). Blank out any public ip addresses in your screenshots if you don't want to reveal them.
-
Okay I got the internet working. My subnet mask bit for WAN and DMZ was not set to /24 by default. After changing that, I could access the internet. Still no dice on SSHing to the DMZ servers.
-
I'm able to SSH to 192.168.10.100 (the address of the pfSense DMZ interface), but not other servers in 192.168.10.X
-
I'm able to get DNS resolves from our DMZ server which is located in the DMZ
-
Can't ssh to DMZ servers from my computer in the LAN
-
Can't ping DMZ servers from my computer in the LAN
-
I CAN successfully ping DMZ servers from my pfSense machine (via web interface or command-line)
Screenshots otw…
-
-
Now these routes… I didn't actually set these up anywhere. Are they automatically generated or something?
10.20.0.140 is the computer I'm testing from. Its gateway is set to 10.20.0.100, the pfSense LAN interface.
10.20.0.141 is the computer I'm currently typing on. Its gateway is our old/existing firewall.
10.1.10.1 is the Comcast Business Cable Modem.
192.168.10.11 I think is our mail server.
192.168.10.18 and 192.168.10.20 are our DNS servers. These are the machines I've been trying to SSH to from 10.20.0.140.
Clear as mud? Thanks for the help by the way. Once I get the hang of pfSense I don't think it will be a problem. Just trying to get past these initial hurdles...
-
Change the computer you're using to ping the DMZ hosts to use pfSense as its default gateway and it should start working.
-
The pfSense LAN interface is 10.20.0.100. My computer in the LAN already has 10.20.0.100 as its one and only gateway. I'm sorry am I misunderstanding something?
-
Ah sorry, getting tired…
Are the hosts on DMZ using the DMZ interface address as their default gateway?
Try a traceroute or mtr from a LAN host to one of the DMZ hosts.
-
Ah, no the DMZ servers do NOT have their gateway set to the pfSense box. I guess I figured since I could SSH from pfSense directly to a DMZ server, that it didn't matter if I was trying to do the same thing from a computer on the LAN.
So, hopefully that is the problem, but I don't really have a good way to test it at the moment. This is a network for a small business and currently the DMZ servers have their gateway set to the existing firewall. I can't just switch it without causing some mayhem with the business traffic. Is there any way I can add a secondary gateway or something like that on the servers so I can continue my testing?
Trying to replace a firewall for a business is like trying to change the tires on a moving car :-)
-
Yeah, that explains it: the existing firewall does not know what to do with the return traffic destined for the pfSense LAN and discards it. A static route on this firewall that directs traffic for network 10.20.0.0/24 to IP address 192.168.10.100 would solve the problem.
Edit: Setting the same static route on DMZ hosts individually accomplishes the same in case this existing firewall does not allow setting of static routes.
-
Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration. If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.
Note: If you want to route inbound connections on that router to the DMZ servers, there is actually a workaround using outbound NAT rules, but it does have a side effect of the servers not being able to know where the traffic came from.
-
@Efonne:
Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration. If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.
Yup, the existing config is very simple but its only temporary. I'm just learning the ins and outs of pfSense here. Eventually I'll lock it down much more once I'm more confident and move toward actually using pfSense as the company firewall.
-
If you only want to allow connections to DMZ and don't need connections from DMZ, but if you also don't want to change anything on your production firewall yet, you could actually even add an outbound NAT rule to NAT all traffic that goes to the DMZ network. To do so, just create an outbound NAT rule on the DMZ interface from all to all (or from all to DMZ network if you have the subnet set to match already). Then you should be able to access all of the systems on the DMZ network, for access from LAN, port forwards, or 1:1 mappings.
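The two fixes proposed in this thread (a return route for 10.20.0.0/24 pointing at 192.168.10.100, either on the DMZ hosts or on the existing firewall, and an outbound NAT rule on the pfSense DMZ interface) can be checked without touching the production network by modelling the routing tables. The script below is an added example, not something posted in the thread or shipped with pfSense. It uses the addresses given above (LAN host 10.20.0.140 with gateway 10.20.0.100, pfSense DMZ address 192.168.10.100, DNS server 192.168.10.18, modem 10.1.10.1); the existing firewall's DMZ address (192.168.10.1), its upstream gateway (203.0.113.1) and pfSense's WAN address (10.1.10.2) are assumptions made only so the model is complete. Each host does a longest-prefix-match lookup, and the script traces the SSH packet from the LAN host to the DNS server and then the server's reply, for the broken configuration and for each of the fixes.

```python
"""Added example (not from the thread): a routing-table model of the LAN -> DMZ problem.

Addresses from the thread: lan-pc 10.20.0.140 (gateway 10.20.0.100), pfSense LAN
10.20.0.100 and DMZ 192.168.10.100, DNS server 192.168.10.18, cable modem 10.1.10.1.
Assumed for this example only: the existing firewall's DMZ address 192.168.10.1,
its upstream gateway 203.0.113.1, and pfSense's WAN address 10.1.10.2.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

ON_LINK = None  # next hop None: destination is on a directly connected network


class Host:
    def __init__(self, name: str, ifaces: List[str], static: Iterable[Tuple[str, str]] = ()):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(i) for i in ifaces]
        # connected routes come from the interfaces, then any static/default routes
        self.routes = [(i.network, ON_LINK) for i in self.ifaces]
        self.routes += [(ipaddress.ip_network(n), ipaddress.ip_address(g)) for n, g in static]

    def owns(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip == i.ip for i in self.ifaces)

    def lookup(self, dst: ipaddress.IPv4Address):
        """Longest-prefix match; returns (network, next_hop) or None if no route matches."""
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def forward(hosts: Dict[str, Host], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Hop-by-hop path of a packet to dst, ending in DELIVERED, LOST@<host> or LOOP."""
    dst_ip = ipaddress.ip_address(dst)
    cur, path = hosts[start], []
    for _ in range(max_hops):
        path.append(cur.name)
        if cur.owns(dst_ip):
            return path + ["DELIVERED"]
        route = cur.lookup(dst_ip)
        if route is None:
            return path + [f"LOST@{cur.name}"]
        hop_ip = dst_ip if route[1] is ON_LINK else route[1]
        nxt = next((h for h in hosts.values() if h.owns(hop_ip)), None)
        if nxt is None:  # next hop is outside the model, e.g. the old firewall's upstream
            return path + [f"LOST@{cur.name}"]
        cur = nxt
    return path + ["LOOP"]


def round_trip(hosts: Dict[str, Host], client: str, server: str, snat_ip: Optional[str] = None) -> dict:
    """Trace client -> server, then the server's reply.

    With snat_ip (pfSense outbound NAT on the DMZ interface) the packet reaches the
    server with that source address, so the reply is addressed to pfSense, which
    reverses the translation and forwards it to the real client.
    """
    client_ip = str(hosts[client].ifaces[0].ip)
    server_ip = str(hosts[server].ifaces[0].ip)
    fwd = forward(hosts, client, server_ip)
    result = {"forward": fwd, "reply": None, "server_sees": snat_ip or client_ip}
    if fwd[-1] != "DELIVERED":
        return result
    reply = forward(hosts, server, snat_ip or client_ip)
    if snat_ip and reply[-1] == "DELIVERED":
        nat_box = reply[-2]  # the host owning snat_ip undoes the NAT and forwards on
        reply = reply[:-1] + forward(hosts, nat_box, client_ip)[1:]
    result["reply"] = reply
    return result


def topology(static_route_on: Optional[str] = None) -> Dict[str, Host]:
    """static_route_on: None, 'dns1' (route on the DMZ host) or 'old-fw' (route on the existing firewall)."""
    back_route = [("10.20.0.0/24", "192.168.10.100")]
    return {h.name: h for h in [
        Host("lan-pc", ["10.20.0.140/24"], [("0.0.0.0/0", "10.20.0.100")]),
        Host("pfsense", ["10.20.0.100/24", "192.168.10.100/24", "10.1.10.2/24"], [("0.0.0.0/0", "10.1.10.1")]),
        Host("dns1", ["192.168.10.18/24"],
             [("0.0.0.0/0", "192.168.10.1")] + (back_route if static_route_on == "dns1" else [])),
        Host("old-fw", ["192.168.10.1/24"],  # assumed address of the existing firewall
             [("0.0.0.0/0", "203.0.113.1")] + (back_route if static_route_on == "old-fw" else [])),
    ]}


if __name__ == "__main__":
    cases = [("no fix", topology(), None),
             ("static route on DMZ host", topology("dns1"), None),
             ("static route on existing firewall", topology("old-fw"), None),
             ("outbound NAT on DMZ interface", topology(), "192.168.10.100")]
    for label, hosts, snat in cases:
        r = round_trip(hosts, "lan-pc", "dns1", snat)
        print(f"{label:34} reply: {' -> '.join(r['reply'])}   server sees source {r['server_sees']}")
```

Without a fix the request is delivered but the reply dies at the existing firewall, which is exactly the symptom in the thread; it also shows why pinging from pfSense itself works, since a packet sourced from 192.168.10.100 is on-link for the DMZ hosts. With the static route on the existing firewall the reply takes a different path from the request (server, old firewall, pfSense), so whether it actually gets through depends on that firewall forwarding a packet for a connection it never saw start; the route on the DMZ hosts avoids that. The outbound NAT variant needs no change outside pfSense, but the server logs 192.168.10.100 as the client rather than 10.20.0.140, the side effect Efonne mentions.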