DMZ setup issues
-
I would greatly appreciate any help to get my DMZ back configured correctly. I had everything working until a lightning strike blew up my firewall and I had to rebuild.
I am running 2.2.4 on my Alix with 3 ports. 1 WAN, 1 LAN and 1 DMZ. All three interfaces are up and configured.
When I plug into the DMZ subnet, I get an IP from the DHCP server configured for the DMZ, however I don't get any internet.
I believe it is a rule I'm missing but I am totally stumped at this point. I get internet on my LAN interface.
Thanks
Randy
-
To get internet duplicate the automatic rule on LAN on the DMZ interface.
But it being a DMZ probably requires extra rules to implement your DMZ policies. The bare basic rules would probably be something like:
Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: DMZ net
Destination: This Firewall (self)
Destination port range: 53
Log: Unchecked
Description: Pass DNS to pfSense

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: LAN net
Log: Unchecked
Description: Block DMZ to LAN

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Block DMZ to pfSense

Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: any
Log: Unchecked
Description: Pass DMZ to Internet
-
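The DMZ policy Derelict lists above (and the ICMP rule he adds later in the thread), written out as a pf.conf fragment in the syntax pfSense itself generates, together with the outbound NAT entry that the later posts show was missing. This is an added example, not text from any post in the thread; the interface names and the LAN subnet are assumptions.

```pf
# Added example, not from the original posts. Assumed: WAN interface vr0,
# DMZ interface vr2, DMZ net 192.168.2.0/24 (gateway 192.168.2.1 as in the
# thread), LAN net 192.168.1.0/24.
wan_if  = "vr0"
dmz_if  = "vr2"
dmz_net = "192.168.2.0/24"
lan_net = "192.168.1.0/24"   # assumed LAN subnet

# Outbound NAT for the DMZ. Automatic Outbound NAT creates this for every
# local subnet; in Manual mode the DMZ line has to exist, otherwise a DMZ
# host can reach 192.168.2.1 but nothing on the internet can answer it.
nat on $wan_if inet from $dmz_net to any -> ($wan_if)

# pfSense rules are first-match ("quick"), so order matters: the narrow
# allows and the two blocks must sit above the final catch-all pass.

# 1. Pass DNS to pfSense ("This Firewall (self)", TCP/UDP 53).
pass in quick on $dmz_if inet proto { tcp, udp } from $dmz_net to (self) port 53

# Optional: Pass ICMP to pfSense, so DMZ hosts can ping 192.168.2.1.
pass in quick on $dmz_if inet proto icmp from $dmz_net to (self)

# 2. Block DMZ to LAN ("Reject" = block with a TCP RST / ICMP unreachable).
#    This rule is what makes the segment a DMZ at all.
block return in quick on $dmz_if inet from $dmz_net to $lan_net

# 3. Block everything else from the DMZ to the firewall itself.
block return in quick on $dmz_if inet from $dmz_net to (self)

# 4. Pass DMZ to Internet: whatever survived the rules above. Note that a
#    DMZ client pointed at 8.8.8.8 resolves names through this rule, not
#    through rule 1, which only covers the pfSense resolver.
pass in quick on $dmz_if inet from $dmz_net to any
```
-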
Thanks Derelict,
I added those rules exactly as written except the DNS one, I changed to TCP/UDP. Still no internet on the DMZ interface.
Randy
-
I added those rules exactly as written except the DNS one, I changed to TCP/UDP. Still no internet on the DMZ interface.
I had TCP/UDP 53 so I'm not sure what you're saying.
How is your outbound NAT configured?
And what do you mean by "no internet?" What isn't working? DNS? What?
You might want to add one like this next to the DNS rule so you can ping the pfSense interfaces from DMZ:
Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: ICMP
ICMP type: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Pass ICMP to pfSense
-
My bad. I misspoke about the DNS rule. My outbound NAT is empty. I have DNS configured pointing to Google DNS 8.8.8.8. Internet still doesn't load.
Thanks
Randy
-
"Internet still doesn't load" doesn't tell me anything.
Are you on Automatic Outbound NAT?
Is the DMZ network listed?
Can you ping the pfSense interface (if you added the rule I suggested)?
Can you ping 8.8.8.8?
Can you resolve names?
-
"Internet still doesn't load": I was just saying no pages load, e.g. Google.
Are you on Automatic Outbound NAT? Yes
Is the DMZ network listed? No, I don't recall seeing it.
I didn't try to ping 8.8.8.8 but I was unable to ping the DMZ gateway.
Can you resolve names? That I didn't try.
I am at work but I will be back to it Tonight.
Thanks
Randy
-
"Internet still doesn't load": I was just saying no pages load, e.g. Google.
Are you on Automatic Outbound NAT? Yes
Is the DMZ network listed? No, I don't recall seeing it.
It needs to be there.
I didn't try to ping 8.8.8.8 but I was unable to ping the DMZ gateway.
Did you add that ICMP rule I suggested?
-
I added the Outbound NAT but internet is still not loading on the DMZ side. I also added an attachment.
Thanks
-
You can't add an outbound NAT in Automatic mode so I have no idea what you're actually doing.
-
Me neither. How do I do it correctly.
Thanks
-
Screenshots:
Status > Interfaces for LAN and DMZ
Firewall > Rules for LAN and DMZ
Firewall > NAT Outbound Tab (Just humor me and do it again. Thanks.)
-
Sure. No problem. I changed to Manual and all these NAT rules appeared.
-
Sure. No problem. I changed to Manual and all these NAT rules appeared.
Ok. Just leave it alone and stop clicking things.
-
Ok. Leaving it alone. Do you still want the screen prints?
-
Of course.
-
Screen prints
-
More prints
-
Last print
-
Your DMZ rules are all out-of-whack but nothing that should stop it from working out to the internet.
Pick a host on DMZ. Can it ping 192.168.2.1?
If so, can it ping 8.8.8.8?
What is the IP address, netmask, and default gateway of that host?
-
Yes it can ping 192.168.2.1 and 8.8.8.8
IP 192.168.2.11
SM 255.255.255.0
GW 192.168.2.1
-
So what's not working?
-
Internet pages don't load. Almost like it is not reaching DNS. I get page not found.
-
What happens on the DMZ host when you ping www.google.com?
What name servers are you giving out to the hosts on DMZ?
Did you muck around with the DNS Resolver? is it enabled?
-
When I try a ping to www.google.com, I get unknown host. I am giving 8.8.8.8. Didn't touch the DNS Resolver.
-
Yes, the DNS resolver is enabled.
-
Your DNS isn't working. Fix that and you'll be good.
dig or drill are your friends.
-
I understand that but the only DNS configured is 8.8.8.8. It works from the LAN side.
-
Don't know what to tell you. Your rules on DMZ are wrong, but it just makes it not a DMZ. It won't break DNS resolution to google.
Not sure why you're not pointing your DMZ clients at pfSense's DNS resolver instead.
dig @192.168.2.1 www.google.com
dig @8.8.8.8 www.google.com
-
I got it working. Now I will go in and correct the rules.
Thanks for your help
Randy
-
Could you specify what you did to fix it so that it may help others down the road?
-
Basically I did everything Derelict suggested and it still didn't work. It was a DNS issue. I tried a different computer and it worked. Same settings. That was it.