Bog standard DMZ setup
-
Do you want to expose your DNS queries to an external source, namely 10.200.0.1? Plus, that DNS server may not know anything about your internal network setup.
Another way of looking at it: if something happened to your Ubuntu machine, logging its DNS queries could show up potential hacks of the machine.
When you say in your first post "I want Ubuntu to be the DMZ", what exactly do you mean?
If you want to expose some services to the net, since it will have a different IP address from the pfSense DMZ interface (namely 192.168.2.1), would a port forward to the Ubuntu machine (namely 192.168.2.2) be more appropriate?
-
@firewalluser asks what exactly I mean by "I want Ubuntu to be the DMZ". Perhaps this is a good question to answer, since perhaps I am going about things all wrong. I would like to establish an ownCloud file sharing system on the Ubuntu machine so all my family can share pictures with each other. Hence, with all my reading, I determined that the way to do this was to have the Ubuntu server on its own subnet, accessible from the internet.
-
It doesn't really have to be that way but it is more secure. You could have it on the existing subnet and just port-forward 80 and 443. I just went through this myself with my own domain and SSL cert. I now have an HTTPS owncloud running on a VPS. But I digress…
Have you tried nuking all your existing OPT1 rules and replacing them with an Allow All just to see what's going on? Then you could add a rule that prevents access from OPT1 to LAN. Get it working loosely and then tighten it up.
-
And make your DNS pass rule TCP/UDP. DNS can use both.
-
Might also be worth bearing in mind that pf behaviour in FreeBSD has changed from earlier versions, so it's worth nuking the states after making changes to the rules, i.e. you work with the allow-anything-first principle, and as you add new rules to tighten things up, make sure existing states from old rules don't still exist.
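The two pieces of advice above (start with an allow-all on the DMZ and tighten it afterwards, and make the DNS rule TCP/UDP) come down to rule ordering, because pfSense applies per-interface rules first-match ("quick"). The following is an added example, not code from the thread or from pfSense: a small first-match evaluator with the thread's networks (LAN 192.168.1.0/24, DMZ 192.168.2.0/24) and assumed hosts for illustration (DMZ host 192.168.2.2, LAN host 192.168.1.10, public resolver 1.1.1.1). It shows that the loose ruleset lets the DMZ into LAN, that the tightened ruleset blocks it while still passing DNS on both transports, and that putting the catch-all pass above the block silently shadows the block.

```python
# Added example (not from the thread): a first-match rule evaluator that
# mimics how pfSense applies per-interface rules ("quick": the first rule
# that matches wins; anything unmatched hits the implicit default block).
# Networks are the thread's (LAN 192.168.1.0/24, DMZ 192.168.2.0/24); the
# DMZ host 192.168.2.2, LAN host 192.168.1.10 and resolver 1.1.1.1 are
# assumed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = "192.168.1.0/24"
DMZ_NET = "192.168.2.0/24"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "any", "tcp", "udp" or "tcp/udp" (pfSense's TCP/UDP choice)
    src: str              # source network, CIDR
    dst: str              # destination network, CIDR
    dport: Optional[int]  # destination port, None = any port


def _proto_matches(rule_proto: str, proto: str) -> bool:
    if rule_proto == "any":
        return True
    if rule_proto == "tcp/udp":
        return proto in ("tcp", "udp")
    return rule_proto == proto


def matches(rule: Rule, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    return (
        _proto_matches(rule.proto, proto)
        and ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
        and (rule.dport is None or rule.dport == dport)
    )


def evaluate(rules, proto, src, dst, dport=None) -> str:
    """Action of the first matching rule, or the implicit default block."""
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule.action
    return "block"


# Step 1 of the advice: a single allow-all on the DMZ to prove traffic flows.
# It also lets the DMZ reach LAN, which is what the next step removes.
LOOSE_DMZ = [Rule("pass", "any", DMZ_NET, ANY, None)]

# Step 2: tighten. DNS is TCP/UDP (not TCP only) and sits above the block so
# a resolver on LAN would still work; the DMZ->LAN block must sit ABOVE the
# catch-all pass, or first-match never reaches it.
TIGHT_DMZ = [
    Rule("pass", "tcp/udp", DMZ_NET, ANY, 53),     # DNS, both transports
    Rule("block", "any", DMZ_NET, LAN_NET, None),  # keep the DMZ out of LAN
    Rule("pass", "any", DMZ_NET, ANY, None),       # everything else (internet)
]

# Common mistake: the same rules in the wrong order; the catch-all shadows the block.
SHADOWED_DMZ = [TIGHT_DMZ[2], TIGHT_DMZ[1]]


def dmz_to_lan_is_blocked(rules) -> bool:
    """Probe a few LAN-bound flows from the DMZ host; True only if all are blocked."""
    probes = [("tcp", 445), ("tcp", 22), ("udp", 5353), ("icmp", None)]
    return all(
        evaluate(rules, proto, "192.168.2.2", "192.168.1.10", port) == "block"
        for proto, port in probes
    )


if __name__ == "__main__":
    for name, rules in (("loose", LOOSE_DMZ), ("tight", TIGHT_DMZ), ("shadowed", SHADOWED_DMZ)):
        print(f"{name:9s} DMZ->LAN blocked: {dmz_to_lan_is_blocked(rules)}; "
              f"DNS/udp: {evaluate(rules, 'udp', '192.168.2.2', '1.1.1.1', 53)}; "
              f"DNS/tcp: {evaluate(rules, 'tcp', '192.168.2.2', '1.1.1.1', 53)}; "
              f"HTTPS: {evaluate(rules, 'tcp', '192.168.2.2', '1.1.1.1', 443)}")
```

Two practical notes: the evaluator only models new connections, so after moving from the loose to the tight ruleset on a real pfSense box, existing states created under the allow-all keep passing until you clear them (Diagnostics > States > Reset States, or `pfctl -F states` from a shell), which is what the point about nuking states is about; and the evaluator has no notion of a "block DMZ to This Firewall" rule, so whether the DMZ should be able to reach the firewall's own addresses is a separate decision.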
-
I can get the Ubuntu VM to work from LAN but it seems never from DMZ.
Please post a screencap of your current DMZ rules. This shouldn't be hard. An Allow LAN to Any rule just like the one you have on LAN should do it.
-
Thanks for all the suggestions. I agree that it shouldn't be that hard. For some reason it was turning into a real ordeal. I have finally, tonight, had some success. I can now access the internet from the Ubuntu VM. I am able to access 192.168.1.1 but cannot access the rest of the 192.168.1.x network, which I suppose is the intent. For some reason it wouldn't work unless I specified the gateway to be the WAN. I have 2 gateways, as one is the VPN. The LAN is set up to have a default gateway and I think I have a rule that forces everything out the VPN unless another rule is in place. I am not sure why this didn't also apply to the 192.168.2.x network. So, I tried to force it out on the VPN and then the internet does not work on the Ubuntu VM.
So pardon the new question that I know will give me away as a total NOOB, but… If I want to set up ownCloud on the Ubuntu server, would it completely defeat the purpose of everything I have gone through to map a FreeNAS drive to the Ubuntu VPN to be used as cloud storage? Or does simply mapping a folder to be used for the cloud still maintain a sound firewall setup? Thanks.
![firewall rule dmz.png](/public/imported_attachments/1/firewall rule dmz.png)
-
I did a little more tinkering and I thought the 2 screenshots below would help to shed some light on what is going on. The outbound rules for 192.168.2.0 are required or the internet on the VM will not work. I don't know if the 1:1 rule is required. I suppose that is why I can access 192.168.1.1 from 192.168.2.1.
![firewall nat outbound.png](/public/imported_attachments/1/firewall nat outbound.png)
![firewall nat.png](/public/imported_attachments/1/firewall nat.png)
-
I am able to access 192.168.1.1 but cannot access the rest of the 192.168.1.x network, which I suppose is the intent.
Usually, unless you have changed it, 192.168.1.1 is going to be the LAN GUI address. If this is the case, do you really want to access the fw from your DMZ? This also ties in with your 1:1 port mapping screenshot.
On your dashboard, what IPs are showing for your interfaces? Obscure the WAN IP address.
-
LAN: up, manual, 192.168.1.1
DMZ: up, manual, 192.168.2.1
PIAVPN: up

I have deleted the 1:1 interface for 192.168.1.1 to 192.168.2.1 but I can still access 192.168.1.1 from the 192.168.2.x subnet. Why would that be?