Netgate Discussion Forum

    Failure to connect to the internet from the DMZ

    Virtualization
    42 Posts 2 Posters 9.8k Views
    • johnpoz LAYER 8 Global Moderator

      And again - what does your forward look like, and your WAN rules in pfSense? When you created the forward it should have auto-created the WAN rule.

      And since your WAN is private - did you turn off block private networks, which is on by default?

      Also, a problem users quite often have with forwarding traffic is the local firewall on the host they are forwarding to, etc.

      Please post your NAT, your WAN rules and ipconfig or ifconfig/network settings from the box you're forwarding to.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • henze

        OK, see my attachments

        NAT.PNG
        wan.PNG
        administrateur.PNG
        dmzvulture.PNG
        dmzbd.PNG
        dmzgreensql.PNG

        • johnpoz LAYER 8 Global Moderator

          OK, your NAT and WAN look OK - what IP are you trying to access? You do understand you have to access the pfSense WAN IP, not the IP of your vulture or web server.

          Also, what is in your aliases? There is no reason to have an 8.8.4.4 rule if you allow it to go to the internet because of your "NOT your local networks" rule.. Please post what is in your aliases.

          And what are your rules in dmzweb? Just to have a full listing.


          • henze

            I use 8.8.4.4 just to access the net.
            Yes, I try 192.168.1.3 (WAN IP) because I know that with NAT it will take me to the DMZ vulture.

            alias.PNG
            dmzweb.PNG

            • johnpoz LAYER 8 Global Moderator

              Well, in your aliases those are not networks.. A network would be 192.168.1.0/24; when you use the one, it would be how you describe a host address. If you wanted to clearly say it's an IP then /32 would be the mask. Networks are always the wire address of the network; with a /24 the last octet would always be 0.

              My point in asking about 8.8.8.4 is why you have that rule - it's pointless..

              Does 8.8.8.4 fall into any of your NOT rule there? No, so it would be allowed, and that rule below your ! rule is pointless and would never be seen.

              Also, your proxy is listening on 80? Seems odd. So you're hitting from a box on your 192.168.1.0/24 network, let's say .100, and he opens his browser and goes to http://192.168.1.3, and that gets forwarded to your proxy (vulture) that says hey, I want to go to http://192.168.1.3 -- why would he send that over to your web server on 192.168.206.2??

              I would have to read up on this vulture software - but for something like this to work, you would have to have your client on your 192.168.1.0/24 network resolve http://www.domain.tld to 192.168.1.3, then your proxy should resolve www.domain.tld to 192.168.206.2.. (your web server)


              • henze

                So in the alias ! I should make them x.x.x.0 to be networks??
                If I didn't put 8.8.4.4 in all DMZ interfaces I couldn't access the net :( That's why I added it, to be able to surf the net.
                About the reverse proxy: it can have many interfaces, each one connecting to an application.
                interface 192.168.205.2 ---> application 192.168.206.2

                Yes, my client has 192.168.1.50.
                Now I would like the 192.168.1.0/24 network to resolve http://www.domain.tld to 192.168.1.3, then your proxy should resolve www.domain.tld to 192.168.206.2!
                How can I make it? And what rule should I add??
                Thanks

                • johnpoz LAYER 8 Global Moderator

                  There is no rule to add for resolving - what do your clients on 192.168.1.0 use for DNS? This needs to resolve www.domain.tld to your 192.168.1.3 - and if your devices on your vulture network use pfSense then you need to create a host override in the DNS forwarder. Or you could use hosts files.

                  Your rule that says !youralias networks allows them to go anywhere else BUT there, so that rule allows them to go to 8.8.4.4.

                  Yes, you should make them x.x.x.0/24 to be a network.

                  Yes, the reverse proxy needs to be able to resolve the web server's IP for any domains you will be hosting.


                  • henze
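As an added illustration of the two points johnpoz makes above (alias entries must be the wire address of each network with a /24 mask, and a "pass to ! alias" rule makes any later rule for an outside address such as 8.8.4.4 unreachable), here is a small first-match rule evaluator. It is not part of the thread or of pfSense; the alias contents, rule names and probe addresses are constructed assumptions that mirror the addresses mentioned in the discussion.

```python
from ipaddress import ip_address, ip_network

# Constructed alias contents (assumption): the alias as posted used host
# addresses, while johnpoz asks for the wire address of each network with /24.
LOCAL_NETS_AS_POSTED = ["192.168.1.3", "192.168.205.2", "192.168.206.2"]
LOCAL_NETS_CORRECTED = ["192.168.1.0/24", "192.168.205.0/24", "192.168.206.0/24"]


def normalise_alias(entries):
    """Turn alias entries into networks. A bare address becomes a /32 host,
    which is why '192.168.1.3' never covers the rest of 192.168.1.0/24."""
    return [ip_network(entry, strict=False) for entry in entries]


def build_dmz_rules(alias_networks):
    """Model of the DMZ ruleset discussed in the thread: a pass rule whose
    destination is the negated alias, followed by an explicit 8.8.4.4 rule."""
    return [
        {"name": "pass-to-not-local", "dst": alias_networks, "negate": True, "action": "pass"},
        {"name": "pass-to-8.8.4.4", "dst": [ip_network("8.8.4.4/32")], "negate": False, "action": "pass"},
    ]


def first_match(rules, destination):
    """pfSense-style evaluation: top-down, the first matching rule decides;
    a destination matching nothing falls through to the implicit default deny."""
    addr = ip_address(destination)
    for rule in rules:
        in_dst = any(addr in net for net in rule["dst"])
        if in_dst != rule["negate"]:      # negated rules match when NOT in dst
            return rule["name"], rule["action"]
    return None, "block"


def shadowed_rules(rules, probes):
    """Names of rules that no probe destination ever reaches."""
    reached = {first_match(rules, p)[0] for p in probes}
    return [r["name"] for r in rules if r["name"] not in reached]


if __name__ == "__main__":
    probes = ["8.8.4.4", "192.168.1.50", "1.1.1.1"]
    for label, alias in (("as posted", LOCAL_NETS_AS_POSTED), ("corrected", LOCAL_NETS_CORRECTED)):
        rules = build_dmz_rules(normalise_alias(alias))
        for dst in probes:
            print(label, dst, first_match(rules, dst))
        print(label, "shadowed:", shadowed_rules(rules, probes))
```

With the host-style alias, the LAN client 192.168.1.50 is outside every /32 entry, so the negated rule passes DMZ traffic straight to the LAN; with the /24 entries it falls through to the default deny, and the 8.8.4.4 rule is reported as shadowed in both cases.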

                    Thank you for all your help :)
                    I use 192.168.1.1 (DNS for my client).
                    If I configure the hosts file (in Debian, nano /etc/hosts), will I add the host of the WAN 192.168.1.3, or of my application 192.168.206.2, or that of vulture?

                    • johnpoz LAYER 8 Global Moderator

                      Dude, what part is hard to understand about what needs to resolve what for www.domain.tld?? If you're outside pfSense, where do you need to go?? pfSense WAN!!! to get forwarded to vulture (your proxy).. Where does vulture need to go to get your website (your web server)..

                      Dude, to be honest I am growing very tired of this thread. This is basic stuff; you are trying to set up a system that is way over complicated for your skill set.. WAY over!!!

                      You don't seem to understand basic networking, nor name resolution or basic firewalling principles, yet you're trying to set up a system with hairpinning and multiple zones, etc. etc.. To be honest your setup should look like this: web server, DB server on the same box with 1 port forward. You're not setting up a system for the DOD for gosh sake.

                      yoursetup.png


                      • henze

                        Hello,
                        I would like to modify my architecture because the database firewall GreenSQL is not free now :(
                        So in the dmzgreensql I will change it to dmzFW. In fact I will have in my architecture 2 different firewalls (a security issue, so there must be two different firewalls in series), and this second firewall has 2 interfaces (interface WAN, which is connected to dmzFW, and interface LAN for the dmz bd).
                        The second firewall is EndianFirewall.
                        Now I can't get on the net with the LAN interface of the second firewall. I think that maybe it is an error in the configuration of the dmzFW interface, but I made a rule any -> any!!
                        Thanks for answering me again

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.