Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to reach some LAN hosts (SuSE) from DMZ

    Scheduled Pinned Locked Moved Firewalling
    2 Posts 2 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T Offline
      thekidzkid
      last edited by

      All-

      pfSense 2.0-RC1

      My issue is two-fold.

      Issue 1:
      I am intermittently unable to FTP to 2 out of 3 openSuSE 11.4 hosts on the LAN from a Win2k3 server on the DMZ. The FTP connection generally does not work, but on occasion, a connection can be established. At times, when I am unable to connect from the DMZ, I am still able to FTP from the pfSense SSh interface, yet that is not even guaranteed. All the while, I am able to FTP from any host on the LAN to the openSuSE servers. Does pfSense just not like openSuse? Each of the  openSuSE servers is equipped with 2 Broadcom gigabit NICs (External IF and Internal IF) running on a gigabit network. It does not seem to make a difference if I assign one or the other as the NAT address.

      Firewall Rules:
      Protocol | Source Network | Source Port(s) | Destination Network | Destination Port(s)

      Deny
      DMZ:
      None

      LAN:
      None

      Allow
      DMZ:
      TCP/UDP FROM DMZ Net * TO LAN Net 20,21,30000:30100
      TCP/UDP FROM DMZ Net * TO LAN Net 3389

      LAN:

      • FROM LAN Net * TO * *

      NAT
      Protocol | Source IP | Source Port(s) | Destination Virtual IP | Destination Port(s) | NAT IP | NAT Port(s)

      TCP/UDP FROM * * TO SuSE0_VIP 20,21,80,5800:5810,5900:5910,30000:30100 USING SuSE0 20,21,80,5800:5810,5900:5910,30000:30100
      TCP/UDP FROM * * TO SuSE1_VIP 20,21,80,5800:5810,5900:5910,30000:30100 USING SuSE1 20,21,80,5800:5810,5900:5910,30000:30100
      TCP/UDP FROM * * TO SuSE2_VIP 20,21,80,5800:5810,5900:5910,30000:30100 USING SuSE2 20,21,80,5800:5810,5900:5910,30000:30100

      It seems as though, when I make changes to the network settings on the openSuSE servers, I am, sometimes, then briefly able to connect to the servers from the DMZ (ARP Broadcast refreshed?). But, in time, the situation reverts back to a failure to connect from the DMZ.

      Issue 2:

      I am randomly unable to connect to the openSuSE servers from the WAN. A Slackware server, along with several Windows servers, are always available. The openSuSE servers are rarely available externally, with the exception of SuSE1, which usually seems to be available. Also, when you are able to connect to the servers from an external host, the connection gets dropped after a random amount of time, regardless of whether or not the connection was active. Again, the Windows servers are always available, and do not randomly disconnect. The gigabit switch that connects the servers to the rest of the network has been replaced, to no avail. pfSense has also been reinstalled from a clean copy downloaded after the release of 2.0-RC1.

      Please let me know if there is any other information that I could provide, which would assist in troubleshooting these conditions.

      –Thanks
      Joe

      –Thanks
      Joe

      1 Reply Last reply Reply Quote 0
      • C Offline
        cmb
        last edited by

        Sounds like you have them dual homed, probably with the default route pointing somewhere other than the firewall, which is going to cause routing complications for that host (it'll reply out the wrong way). Static route to the internal network or policy routing on that host will work around that.

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.