LAN <-> WLAN communication fail
-
Apologies for the lack of specification. No name resolution. No internet access on the servers on the "ServerDMZ" or the .64/26 subnet.
-
Those are possibly 2 unrelated things.
First of all, are you NATing from the LAN to the DMZ and vice-versa?
Secondly, from the pfSense host can you ping (by IP) the DNS server? If so, can you ping it (by IP) from the LAN?
-
No, there is no NAT between LAN and DMZ or vice-versa. The only NAT is that of WAN to LAN.
I am unsure what you mean when you ask if I can ping the DNS server. Are you talking about my ISP's DNS servers? There is no DNS server on this network.
I also failed to specify that the gateway IP addresses of my interfaces are 192.168.0.1/26 LAN & 192.168.0.65/26. Unsure if that is relevant.
Anything else I can provide that might assist in the troubleshooting?
-
So, what have you configured as the DNS server for each network? It looks like you think it should be 192.168.0.1 - is that your pfSense box? Have you configured it to function as a DNS server/relay?
-
On the hosts for each network, the DNS server is the same as their gateway.
On the LAN this is 192.168.0.1 or the LAN interface's IP address.
On the "DMZ" this is 192.168.0.65 or the OPT1 interface's IP address.
"Have you configured it to function as a DNS server/relay?"
How do I do this? If you mean DNS forwarder, then yes. If you mean packages, then no. Is that where I should be looking?
I have tried multiple firewall rules, and variations of the following. This is the way I have things currently:
LAN:
UDP LAN net * 192.168.0.1 53 (DNS) *
DMZ:
UDP ServerDMZ net * 192.168.0.65 53 (DNS) *
-
Let's start with the simple. On the LAN and DMZ remove all the rules except one that allows all traffic from that network.
Then check that all clients have /26 as their netmask and try simple things like:
nslookup www.google.com 192.168.0.1
Let us know whether that works from only the LAN or from both networks.
-
This is what I have now:
WORKING
Correct me if I am wrong, but what these rules basically state is allow all traffic to pass from ServerDMZ and LAN and vice versa.
It should be noted that I re-installed the OS on the server sitting on the DMZ last night.
Thank you for your time and patience Havok, it is truly appreciated.
-
What those say is effectively:
- Allow all traffic out of the LAN
- Allow all traffic out of the DMZ
The first rule in each screenshot will never work since rules apply inbound on an interface.
On a host on the LAN, what does ipconfig (Windows, use ifconfig for Linux) show for the IPv4 Address and Subnet Mask? What about on the DMZ?
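The netmask check asked for here (and the "/26 on every client" check earlier in the thread), worked through as an added example that is not part of the original thread. It models the thread's two adjacent /26 subnets with the ipaddress module and reports whether a host with a given address, mask and gateway would send traffic for the other subnet to pfSense or wrongly treat it as on-link; the host entries are constructed for illustration.

```python
import ipaddress

# Constructed layout taken from the thread: LAN is 192.168.0.0/26 with
# gateway 192.168.0.1, "ServerDMZ" is 192.168.0.64/26 with gateway 192.168.0.65.
LAN_GATEWAY = "192.168.0.1"
DMZ_GATEWAY = "192.168.0.65"


def next_hop(host_ip, prefix_len, gateway, destination):
    """Return how a host with the given address/mask reaches destination.

    'on-link'  : the host ARPs for destination directly, so pfSense never sees it
    'gateway'  : the host forwards the packet to its default gateway (pfSense)
    'no-route' : the configured gateway is not even inside the host's own subnet
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    gw = ipaddress.ip_address(gateway)
    dst = ipaddress.ip_address(destination)
    if gw not in iface.network:
        return "no-route"
    if dst in iface.network:
        return "on-link"
    return "gateway"


def audit(hosts):
    """hosts: list of (name, ip, prefix_len, gateway, peer_ip) tuples.

    Returns (name, reason) for every host whose configuration stops traffic
    for the peer on the other subnet from going through pfSense.
    """
    problems = []
    for name, ip, plen, gw, peer in hosts:
        hop = next_hop(ip, plen, gw, peer)
        if hop != "gateway":
            problems.append((name, hop))
    return problems


# Constructed sample hosts: two correct, one with a /24 mask (thinks the DMZ
# server is on-link), one DMZ server pointed at the LAN gateway by mistake.
CONSTRUCTED_HOSTS = [
    ("lan-pc-ok", "192.168.0.10", 26, LAN_GATEWAY, "192.168.0.70"),
    ("lan-pc-24", "192.168.0.20", 24, LAN_GATEWAY, "192.168.0.70"),
    ("dmz-srv-ok", "192.168.0.70", 26, DMZ_GATEWAY, "192.168.0.10"),
    ("dmz-srv-gw", "192.168.0.80", 26, LAN_GATEWAY, "192.168.0.10"),
]

if __name__ == "__main__":
    for name, hop in audit(CONSTRUCTED_HOSTS):
        print(f"{name}: traffic for the other subnet would go {hop}")
```

A host flagged "on-link" will ARP for the peer and see no reply, so no firewall rule on pfSense can fix it; the mask on the host has to change.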
-
Well it is strange because it is working now. ???
What would you suggest I put in for rules?
LAN
DMZ
-
I'd suggest you create a rule on the LAN interface allowing the DMZ subnet as a destination. Then you have to decide what on the LAN the DMZ is allowed to access (if it is any host then I'd question why you have a DMZ) - that's entirely your call.
You also need to work out what the underlying problem is/has been. Problems mysteriously coming and going make life difficult.
-
This was originally a kind of "crawl before you walk" sort of thing. Trying to get used to the way pfsense does firewall rules. I was simply trying to allow local connectivity between the LAN and "DMZ" (as you pointed out, it really isn't a DMZ). This is the only thing that has kept me from using pfsense in anything but my home network.
Messing around in the DMZ interface trying to get certain things to pass I thought maybe I am going about this all wrong. All this time I have been relying on the LAN for connecting the DMZ to the Internet. Should I simply be NATing the DMZ interface and then allowing selective traffic back and forth from the DMZ and LAN? I know from a security standpoint this is how a real DMZ works, but I have little to no experience setting this up.
-
pfSense rules apply to traffic arriving on an interface.
For the simplest start, create rules on the LAN and DMZ allowing access everywhere (see the Default rule for the LAN interface in your second post). If at that point you still have problems communicating between the LAN and the DMZ, it is probably because of the computers you're using. Start by giving each their own /24 (say, put the DMZ on 172.30.11.0/24 and give the LAN 192.168.0.0/24).