DMZ setup issues
-
I would greatly appreciate any help to get my DMZ back configured correctly. I had everything working until a lightning strike blew up my firewall and I had to rebuild.
I am running 2.2.4 on my Alix with 3 ports. 1 WAN, 1 LAN and 1 DMZ. All three interfaces are up and configured.
When I plug into the DMZ subnet, I get an IP from the DHCP server configured for the DMZ, however I don't get any internet.
I believe it is a rule I'm missing but I am totally stumped at this point. I get internet on my LAN interface.
Thanks
Randy
-
To get internet duplicate the automatic rule on LAN on the DMZ interface.
But it being a DMZ probably requires extra rules to implement your DMZ policies. The bare basic rules would probably be something like:
Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: DMZ net
Destination: This Firewall (self)
Destination port range: 53
Log: Unchecked
Description: Pass DNS to pfSense

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: LAN net
Log: Unchecked
Description: Block DMZ to LAN

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Block DMZ to pfSense

Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: any
Log: Unchecked
Description: Pass DMZ to Internet
-
Thanks Derelict,
I added those rules exactly as written except the DNS one, I changed to TCP/UDP. Still no internet on the DMZ interface.
Randy
-
I added those rules exactly as written except the DNS one, I changed to TCP/UDP. Still no internet on the DMZ interface.
I had TCP/UDP 53 so I'm not sure what you're saying.
How is your outbound NAT configured?
And what do you mean by "no internet?" What isn't working? DNS? What?
You might want to add one like this next to the DNS rule so you can ping the pfSense interfaces from DMZ:
Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: ICMP
ICMP type: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Pass ICMP to pfSense
-
My bad. I misspoke about the DNS rule. My outbound NAT is empty. I have DNS configured pointing to Google DNS 8.8.8.8. Internet still doesn't load.
Thanks
Randy
-
"Internet still doesn't load" doesn't tell me anything.
Are you on Automatic Outbound NAT?
Is the DMZ network listed?
Can you ping the pfSense interface (if you added the rule I suggested)?
Can you ping 8.8.8.8?
Can you resolve names?
-
"Internet still doesn't load" I was just saying no pages load, ex: Google.
Are you on Automatic Outbound NAT? Yes
Is the DMZ network listed? No, I don't recall seeing it.
I didn't try to ping 8.8.8.8 but I was unable to ping the DMZ gateway.
Can you resolve names? That I didn't try.
I am at work but I will be back to it Tonight.
Thanks
Randy
-
"Internet still doesn't load" I was just saying no pages load, ex: Google.
Are you on Automatic Outbound NAT? Yes
Is the DMZ network listed? No, I don't recall seeing it.
It needs to be there.
I didn't try to ping 8.8.8.8 but I was unable to ping the DMZ gateway.
Did you add that ICMP rule I suggested?
-
I added the Outbound NAT but the internet is still not loading on the DMZ side. I also added an attachment.
Thanks
-
You can't add an outbound NAT in Automatic mode so I have no idea what you're actually doing.
-
Me neither. How do I do it correctly?
Thanks
-
Screenshots:
Status > Interfaces for LAN and DMZ
Firewall > Rules for LAN and DMZ
Firewall > NAT Outbound Tab (Just humor me and do it again. Thanks.)
-
Sure. No problem. I changed to Manual and all these NAT rules appeared.
-
Sure. No problem. I changed to Manual and all these NAT rules appeared.
Ok. Just leave it alone and stop clicking things.
-
ok. Leaving it alone. Do you still want the screenprints?
-
Of course.
-
Screen prints
-
More prints
-
Last print
-
Your DMZ rules are all out-of-whack but nothing that should stop it from working out to the internet.
Pick a host on DMZ. Can it ping 192.168.2.1?
If so, can it ping 8.8.8.8?
What is the IP address, netmask, and default gateway of that host?
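The rules Derelict proposed are matched first-to-last on the DMZ interface, so their order decides whether DMZ hosts can still reach the firewall's DNS resolver, which is one way a rule set ends up "out-of-whack" without anything being obviously wrong. As an added example (not from either poster; the LAN and DMZ subnets and the host address are assumed), this small Python evaluator applies that ordering to sample traffic and shows what moving the "Block DMZ to pfSense" rule above the DNS pass rule does:

```python
from ipaddress import ip_address, ip_network
# Constructed addressing (assumed); only 192.168.2.1, the DMZ gateway, appears in the thread.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
SELF = {ip_address("192.168.1.1"), ip_address("192.168.2.1")}  # "This Firewall (self)"

# The DMZ rules from the thread, in the order given, with the ICMP rule next to the DNS one.
# proto=None / dport=None mean "any"; every rule has Source: DMZ net.
RULES = [
    dict(action="pass",   proto={"tcp", "udp"}, dst="self",    dport=53,   desc="Pass DNS to pfSense"),
    dict(action="pass",   proto={"icmp"},       dst="self",    dport=None, desc="Pass ICMP to pfSense"),
    dict(action="reject", proto=None,           dst="LAN net", dport=None, desc="Block DMZ to LAN"),
    dict(action="reject", proto=None,           dst="self",    dport=None, desc="Block DMZ to pfSense"),
    dict(action="pass",   proto=None,           dst="any",     dport=None, desc="Pass DMZ to Internet"),
]

def _dst_matches(kind, dst):
    if kind == "any":
        return True
    if kind == "self":
        return dst in SELF
    if kind == "LAN net":
        return dst in LAN_NET
    raise ValueError(f"unknown destination alias {kind!r}")

def evaluate(rules, src, dst, proto, dport=None):
    """First-match evaluation for traffic entering on DMZ, as pfSense applies
    interface rules. Returns (action, description); no match is the default deny."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in DMZ_NET:
        return ("block", "default deny")
    for r in rules:
        if r["proto"] is not None and proto not in r["proto"]:
            continue
        if not _dst_matches(r["dst"], dst):
            continue
        if r["dport"] is not None and dport != r["dport"]:
            continue
        return (r["action"], r["desc"])
    return ("block", "default deny")

def misordered():
    """Same rules with 'Block DMZ to pfSense' moved above the DNS pass rule."""
    rules = list(RULES)
    rules.insert(0, rules.pop(3))
    return rules

if __name__ == "__main__":
    # DNS from a DMZ host to the DMZ gateway is rejected once the order is wrong.
    print(evaluate(misordered(), "192.168.2.50", "192.168.2.1", "udp", 53))  # ('reject', 'Block DMZ to pfSense')
```

With the rules in the proposed order the same DNS query passes, while anything else from the DMZ to a firewall address is rejected and traffic to the internet falls through to the final pass rule.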