Netgate Discussion Forum
    Can't get simple DMZ to work - Help!!

    Category: Firewalling
    6 Posts, 3 Posters, 2.8k Views
    • sdiversp

      Hello,
      I need some help in getting a simple DMZ to work; I'm not sure where I am going wrong. First of all, let me say I have read the documentation at 1. http://doc.m0n0.ch/handbook-single/#id11642778 and 2. http://www.digitalphotomac.com/PFsense/DMZ/ and followed the instructions.

      Here is my Setup:

      Alix board with 3 interfaces:
      1. WAN: Single IP provided by ISP (71.197.xxx.xxx)
      2. LAN: DHCP enabled (192.168.2.1/27)
      3. OPT1>DMZ: Enabled [Type-Static, Bridge-none, IP addr- 192.168.5.1/24]

      Rules (in order):
      LAN:
      /LAN net////*   (default LAN to any)
      UDP/ATA///VoIP/*  (VoIP use in LAN)

      WAN:
      /RFC1918///// (block private ntwks)
      /Resrvd/////     (block bogon ntwks)
      TCP///192.168.5.1/80 (http)//  (http to web server)
      TCP///129.168.5.1/443 (https)//  (https to web server)

      DMZ:
      UDP/DMZ net//192.168.2.1/53(DNS)//   (Permit DMZ to primary DNS server)
      TCP///LAN net///     (Reject DMZ to LAN)
      /DMZ net// ! LAN net///    (Permit DMZ 2 any 'but' LAN)

      I understand to make this work I have to do in-bound NAT since it is a 1 public IP to 1 internal web server.

      Firewall>NAT>Port Forward:
      WAN/TCP/80(HTTP)/192.168.5.1 (ext: 71.197.xxx.xxx)/80 (HTTP)      (HTTP to web server)
      WAN/TCP/443(HTTPS)/192.168.5.1 (ext:71.197.xxx.xxx)/443(HTTPS)  (HTTPS to web server)

      So I have configured my interface, added rules for both WAN and DMZ, and done port forwarding from WAN to DMZ. From the documentation it seems this should work.

      Problem: when I connect the server to the DMZ port (OPT1) it does not get an IP address. Do I have to enable DHCP on the DMZ interface? That doesn't seem to be correct, since the documentation shows it should be a static mapping. I am not sure what I am doing wrong here. Both the m0n0wall handbook and the examples suggest this should work.

      Any guidance is appreciated and thanks in advance.

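The DMZ rule set and port forwards from the post above, modelled as an added example (not code from the original post or from pfSense): a pfSense-style first-match evaluator over the three DMZ rules, plus a check that every forward target actually lies inside the DMZ subnet. "LAN net" (192.168.2.0/27) and "DMZ net" (192.168.5.0/24) are taken from the interface list in the post; the sample flows are constructed.

```python
import ipaddress

# Networks as given in the post's interface list.
LAN_NET = ipaddress.ip_network("192.168.2.0/27")
DMZ_NET = ipaddress.ip_network("192.168.5.0/24")
DNS_HOST = ipaddress.ip_network("192.168.2.1/32")

# DMZ rules in the post's order. Each rule is
# (action, proto or None, src net or None, dst net, dst port or None, negate_dst).
# negate_dst=True models the "! LAN net" destination of the third rule.
DMZ_RULES = [
    ("pass",   "udp", DMZ_NET, DNS_HOST, 53,   False),  # permit DMZ to primary DNS
    ("reject", "tcp", None,    LAN_NET,  None, False),  # reject DMZ to LAN (TCP only)
    ("pass",   None,  DMZ_NET, LAN_NET,  None, True),   # permit DMZ to any but LAN
]

def evaluate(rules, proto, src, dst, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port, negate in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if r_src is not None and src_ip not in r_src:
            continue
        # Skip when the destination test fails (or succeeds, for a negated rule).
        if (dst_ip in r_dst) == negate:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "block"  # pfSense default deny at the end of the ruleset

def targets_outside_dmz(targets, dmz_net=DMZ_NET):
    """Return port-forward / WAN-rule targets that are not inside the DMZ subnet."""
    return [t for t in targets if ipaddress.ip_address(t) not in dmz_net]

if __name__ == "__main__":
    # Constructed sample flows from a DMZ host.
    print(evaluate(DMZ_RULES, "udp", "192.168.5.1", "192.168.2.1", 53))   # pass
    print(evaluate(DMZ_RULES, "tcp", "192.168.5.1", "192.168.2.10", 445)) # reject
    print(evaluate(DMZ_RULES, "udp", "192.168.5.1", "192.168.2.1", 123))  # block
    print(evaluate(DMZ_RULES, "tcp", "192.168.5.1", "203.0.113.10", 80))  # pass
    # Targets as written in the post's WAN rules (80 and 443).
    print(targets_outside_dmz(["192.168.5.1", "129.168.5.1"]))
```

Note that the TCP-only reject rule leaves non-TCP traffic from the DMZ to the LAN (other than DNS) to the implicit deny, and that the 443 rule's target as written does not fall inside the DMZ subnet.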
      • Metu69salemi

        If you have defined a source port, then remove it and try again.

        • sdiversp

          @Metu69salemi:
          > If you have defined a source port, then remove it and try again.

          I am sorry, did you mean remove the source port from the Port Forward (NAT) or from the DMZ rule set? Thanks in advance for your help.

          • Metu69salemi

            From the port forwarding rules.

            • sdiversp

              Hi, can anyone provide any guidance? :-[ I am not sure why my DMZ won't give out addresses. Any pointers would help. Thank you!!

              • cmb

                You have to enable the DHCP server on that interface for it to assign IPs.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.