LAN to DMZ
-
Hi
I need your help, I have my PFSense working but I need access from the LAN to the DMZ, my configuration is this
WAN
LAN
DMZ
I tried creating a rule in DMZ to allow traffic from LAN to DMZ but it's not working, any ideas?
-
Wrong interface. Rules to allow traffic coming from LAN go to LAN tab. Not DMZ.
-
Hi
Thank you for your answer, I also tried with a rule in the LAN to allow traffic to DMZ but it's not working.
Any idea?
-
No, not without posting a screenshot of the rules and a description of what's "not working".
-
Hi
Thank you for your help. I am adding the screen shot from LAN
![Screen Shot 2015-06-03 at 12.33.28 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-03 at 12.33.28 PM.png)
-
You know, there is this default allow rule on your LAN when you install pfSense. With that, everything just works. Incl. access to any other internal interface. Because it allows any LAN traffic to go anywhere. So, you need to post the screenshot of the whole ruleset your created. Not this single rule. Like - Firewall - Rules - LAN tab.
You also did not describe what's exactly "not working".
-
Sorry about that.
![Screen Shot 2015-06-03 at 12.42.17 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-03 at 12.42.17 PM.png)
-
That second added rule is completely pointless, since the traffic is already matched by the first rule. You shouldn't need to force any GW unless you are on multi-WAN doing some fancy stuff (which is not what's described in the OP). Also no idea what's the advanced stuff set in the "default" rule.
And you still did not describe what's not working, even though I've already asked 2 times!!!
-
The problem is that I can't ssh to any computer in the DMZ from the LAN
Should I remove the last 2 rules?
-
Last two? Hell no! I said the second rule is useless, why would you remove the first one?!?
Now
- why are you setting the GW in the "default" rule?
- what are those advanced settings there?
- and WTH do I need to ask everything 3 times to get an answer? >:(
-
Go and change your LAN rule back to what it was in the beginning before you changed it. Your SSH session to DMZ should just work without magic.
-
Thank you KOM, that worked
I appreciate your help.
-
> That second added rule is completely pointless, since the traffic is already matched by the first rule. You shouldn't need to force any GW unless you are on multi-WAN doing some fancy stuff (which is not what's described in the OP). Also no idea what's the advanced stuff set in the "default" rule.
> And you still did not describe what's not working, even though I've already asked 2 times!!!

Just FYI, I don't think that rule was pointless. I think it was breaking it. It matched everything, and if GW_WAN is what I think it is, it was routing the gateway to the WAN's GW so it couldn't make it over to the DMZ segment. (Provided that's what GW_WAN was.)
-
I can see that counting up to two is rather difficult…
-
1. Anti-Lockout
2. Gateway routing
3. Probably never gets hit, as #2 matches all traffic
What am I missing?
-
OP screwed up adding the gateway to the default rule when none was necessary creating the need to bypass policy routing for traffic from LAN to DMZ.
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
-
That's what I was saying, the third rule never got hit. He matched all traffic on the second and put it to gateway.
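-
Editor's added example, not a post from the thread and not the OP's actual configuration: the pf rules pfSense generates for the two LAN rulesets discussed above, written out so the policy-routing trap is visible. Interface names, subnets and the gateway address are assumed (em1 = LAN 192.168.1.0/24, em2 = DMZ 192.168.2.0/24, em0 = WAN with GW_WAN at 203.0.113.1); the rule labels are illustrative. pfSense emits its rules with `quick`, so evaluation is first match wins.

```pf
# Added example (not from the thread). Assumed values:
#   em1 = LAN  192.168.1.0/24
#   em2 = DMZ  192.168.2.0/24
#   em0 = WAN, gateway GW_WAN = 203.0.113.1
# All rules carry "quick": the first matching pass rule decides the packet.

# --- Broken ruleset: Gateway = GW_WAN set on the "Default allow LAN to any" rule ---
# Anti-lockout rule pfSense adds for the LAN interface (keeps GUI/SSH reachable).
pass in quick on em1 proto tcp from any to (em1) port { 22 80 443 } keep state label "anti-lockout rule"
# The gateway setting turns into route-to: every packet matching this rule is
# handed to 203.0.113.1 on em0, including packets for 192.168.2.0/24. SSH to a
# DMZ host therefore goes out WAN instead of em2 and never arrives.
pass in quick on em1 route-to (em0 203.0.113.1) from 192.168.1.0/24 to any keep state label "Default allow LAN to any (policy routed)"
# A "LAN to DMZ" rule placed below this point is never evaluated: the rule
# above already matched all LAN traffic.

# --- Working ruleset: the stock default rule, no gateway selected ---
pass in quick on em1 proto tcp from any to (em1) port { 22 80 443 } keep state label "anti-lockout rule"
# Without route-to, the kernel routing table decides, and 192.168.2.0/24 is a
# directly connected network on em2, so LAN to DMZ just works.
pass in quick on em1 from 192.168.1.0/24 to any keep state label "Default allow LAN to any"

# --- If policy routing is genuinely needed (multi-WAN): bypass rule first ---
# Local destinations are matched by a gateway-less rule placed ABOVE the
# policy-routed catch-all, which is the approach described at
# https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
pass in quick on em1 from 192.168.1.0/24 to 192.168.2.0/24 keep state label "LAN to DMZ, no gateway"
pass in quick on em1 route-to (em0 203.0.113.1) from 192.168.1.0/24 to any keep state label "Default allow LAN to any (policy routed)"
```

To check which variant a box is actually running, compare the rules the GUI shows with the generated ruleset (`pfctl -sr` on the pfSense shell) and look for `route-to` on the LAN catch-all; if it is there and you are not doing multi-WAN, clear the Gateway field on that rule rather than adding more rules below it.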