    Routing between LAN and bridged DMZ

thevoice wrote:

      Hi,

Another question; I still searched for hours without finding any solution. I have a dual WAN pfSense 2.0.1 with LAN and DMZ.

      
                    +--- ISP1 Modem --- ISP1 Router ---- WAN  (WAN_ISP1) --+
                    |                   (69.XX.XXX.97)                     |
      Internet -----|                                                      |-- pfSense >
                    |                                                      |
                    +--- ISP2 Modem --- ISP2 Router ---- OPT1 (WAN_ISP2) --+
                                        (66.XXX.XXX.56)
      
                    +--- LAN  (LAN)  ---- Switch --- Multiple computers behind NAT, DHCP
                    |    (192.168.0.1)
                    |
      > pfSense +
                    | 
                    |
                    +--- OPT2 (DMZ)  ---- Switch -+- Server 1 (69.XX.XXX.98, 66.XXX.XXX.57, 66.XXX.XXX.58,...)
                                                  |
                                                  +- Server 2 (69.XX.XXX.99,...)
      
      

      Note : WAN_ISP2 and DMZ are bridged, for the moment I don't need IPs from ISP1 so I'll bridge the other WAN later!

Now everything works except that I can't figure out how to access, for example, http://66.XXX.XXX.58 from LAN. For sure I can't use NAT reflection as before; it looks like I have to add some kind of routing rule.

Can anyone give me part of a solution?

      Thank you!
      Alexandre.

GruensFroeschli wrote:

What IPs are configured on the interfaces WAN_ISP2 and DMZ? What IP is configured on the bridge itself?

        I would assign the bridge as interface, set WAN_ISP2 and DMZ to 'none' and configure the public IP 66.XXX.XXX.57 on the bridge itself.
        Now it should be a simple routed setup.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

thevoice wrote:

          Hi,

Here is a screenshot:

Note ISP1 is VIDEOTRON and ISP2 is B2B2C; they are both STATIC. The BRIDGE0 has no interface assigned. If I understand you, I need to:

          • Remove WAN_B2B2C
          • Link BRIDGE0 to em1
          • Assign static IP to em1 (BRIDGE0)

          And that's all?!

[attachment: configs.png]

GruensFroeschli wrote:

Not remove, but configure the IP to 'none'.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

thevoice wrote:

I've made these changes:

              • WAN_B2B2C Type : none
              • DMZ Type was already none
              • Added interface OPT3 with Network port BRIDGE0
              • Moved the gateway from WAN_B2B2C to OPT3
              • Configured static 66.XX.XX.58/29 to OPT3 with the previous gateway (66.XX.XX.57)
              • Created a temporary rule in OPT3 allow all

Now the HTTP server can't be reached from the Internet as it was just before (of course I took a backup beforehand, just in case!)

Is something wrong, or am I missing something?

              Thank you.

[attachment: router.spectotechnologies.net - Interfaces- Assign network ports new.png]

GruensFroeschli wrote:

                Are there rules on WAN_B2B2C to allow access to the DMZ? (maybe start with an allow any-any rule to debug)
                Do the servers behind the bridge actually have the upstream router (66.XXX.XXX.56) as default gateway?

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

thevoice wrote:

                  Hi,

I'll set up a virtual pfSense with virtual computers, since it is difficult to test on a production router! I'll be back in a couple of days with a setup for tests!

                  Thank you,

                  Alexandre.

thevoice wrote:

                    Hi,

Based on this http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F I've used a different approach; I manually added these configs:

                    route add -host 66.XX.XX.60 netmask 255.255.255.255 fxp0
                    route add -host 66.XX.XX.61 netmask 255.255.255.255 fxp0
                    route add -host 66.XX.XX.62 netmask 255.255.255.255 fxp0

In my case fxp0 is the DMZ interface, of course. It's just too bad I haven't found a "clean" solution. I've used this method because I want to keep the firewall filtering between the Internet and the DMZ while using public IPs locally!

                    Thank you!

m4rv1n wrote:

Hello,
I tried to set the route but had no success.

                      route add -host x.x.x.x netmask 255.255.255.255 em2 (my DMZ interface).
                      The DMZ (noip) iface is bridged with external iface (noip).

The pfSense answer is:
                      route: writing to routing socket: Network is unreachable
                      add net x.x.x.x : gateway netmask: Network is unreachable

                      Can you help me?
                      Thank you

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.