Can't reach dmz/opt from lan

JackC · Mar 30, 2013, 4:17 AM

Hi,

I recently set up pfsense on an alix box as a second firewall behind my dsl router in order to
put my potentially insecure test pc into it's own network. Eventually I want to set port forwarding,
so I can access some shares/services on that test pc, but right now I'm stuck, being unable
to even ping that pc from any machine behind the lan interface.

interfaces: wan static (192.168.0.2) -> gw 192.168.0.1 (the dsl router)
lan static (192.168.1.1), no gw
dmz static (192.168.2.1), no gw

Automatic NAT outbound.

For testing purposes I set the firewall rules wide open, using a lan-to-any rules both for the
lan and dmz/opt interface:
action: pass, interface: lan, source: any, destination: any (for lan)
action: pass, interface: dmz, source any, destination: any (for dmz)

Now with that setting, I CAN ping from a machine on the dmz interface (e.g. 192.168.2.2) to
any on the lan, but not the other way round for some reason I don't understand.

Any hints would be apprecited. Thanks a lot in advance.

Jack

tim.mcmanus · Apr 3, 2013, 4:48 PM

What do the firewall logs show? Did you turn on logging for both rules to generate additional logs?

Your settings seem to be okay. Are all three of these interfaces physical interfaces (WAN, LAN, DMZ) or are you using a vLAN to share one port?

JackC · Apr 5, 2013, 1:50 PM

Yes,it's 3 physical interfaces. As for the logs, I'm afraid they got lost when I misconfigured the whole thing when
trying a different approach in bridging together LAN and DMZ to have a more transparent firewall setting between the two.
At some point I managed to completely lock myself out in doing so. Going back to defaults via serial console dind't
help either, so I guess I'll flash that CF card again, and try once more, adding extra logging as you suggested.