Netgate Discussion Forum
DMZ host has no Internet connection

    Firewalling
meridio

Hello,
I have a pfSense with 3 interfaces (LAN, DMZ and WAN).
From DMZ hosts I can ping the WAN GW address (private IP of the ADSL router) but I can't go out.
I have modified a lot of firewall rules but without a solution.

Can anyone suggest to me what to modify?

      Thanks

KOM

My suggestion is to fix the thing that is wrong. I can't be more specific since you have provided no details at all about your NIC details and firewall rules. Maybe this will help:

        https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

viragomann

Is the default gateway at the DMZ host set to pfSense's DMZ interface address?

meridio

            Thank you KOM and viragomann.

The default GW at the DMZ host is the DMZ interface address.

I've temporarily solved it using a rule (on the DMZ interface) from the DMZ host to all without restrictions, and so it works.

But if I put WAN address or WAN net as the destination it doesn't work; this I can't understand why.

I'd like to open only the Active Directory and LDAP services from DMZ to LAN.

How can I do that?

            thanks

Derelict (LAYER 8 Netgate)

> But if I put WAN address or WAN net as the destination it doesn't work; this I can't understand why.

Because WAN net is the subnet of your WAN interface, not the internet.

              Because WAN address is the address of your WAN interface, not the internet.

              To forward traffic to the internet, the destination must be any.

              For a DMZ you want to create rules that:

              Specifically pass the LOCAL assets you want the DMZ to access (DNS, AD DC, Email, etc)
              Less-specifically reject the LOCAL traffic you don't want the DMZ to access (such as DMZ to LAN net and DMZ to This firewall (self))
              Pass everything else (the internet, aka any)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

meridio

                Thank you Derelict,

Is there a way to open such ports to certain services on demand?
For example, an internal domain controller that has to synchronize some data
with the host in the DMZ, daily.

Derelict (LAYER 8 Netgate)

                  You can use schedules on rules, but why not just open the ports? Sounds like you're over-thinking it.

I don't get the "on demand" part. If the firewall just opens the port when it receives a connection, it's an open port.

                  In general LAN has much greater permission to open connections to DMZ. The point is to restrict the connections DMZ can open into LAN to the minimum necessary.

meridio

Not that the firewall should open radically at every request, but
at every specific request that I have set up.
Obviously it wouldn't be a firewall in the radical case.

                    Thank you derelict.

Derelict (LAYER 8 Netgate)

                      Huh?

Example: If your DMZ host needs to access an LDAP server in LAN, you pass traffic from DMZ to the LDAP server on tcp/389 and/or tcp/636 + udp on the same if necessary. Nothing more (the following rule blocks all traffic from DMZ to LAN).

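The following is an added illustration, not code from this thread, from pfSense or from Netgate. It is a small Python model of how pfSense evaluates the rules on an interface tab (top to bottom, first match wins, implicit deny at the end) and encodes the DMZ ruleset Derelict describes above: specific passes to the LDAP server, a broader reject of DMZ to LAN net and DMZ to "This firewall (self)", then pass to any. It also evaluates the "destination = WAN net" rule from the earlier post to show why Internet traffic never matches it. All addresses, the alias names and the rule labels are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing (assumed, not from the thread).
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
WAN_NET = ip_network("192.168.0.0/24")        # private subnet behind the ADSL router
WAN_ADDRESS = ip_address("192.168.0.2")        # pfSense WAN interface address
WAN_GW = ip_address("192.168.0.1")             # the ADSL router ("WAN GW")
LDAP_SERVER = ip_address("192.168.1.10")       # domain controller in LAN
# "This firewall (self)": every address owned by pfSense.
THIS_FIREWALL = frozenset({ip_address("192.168.1.1"), ip_address("192.168.2.1"), WAN_ADDRESS})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "reject"
    proto: str                  # "any", "tcp" or "udp"
    src: object                 # IPv4Network, IPv4Address, frozenset of addresses, or "any"
    dst: object
    dports: frozenset = frozenset()   # empty set means any destination port
    label: str = ""


def _addr_matches(spec, addr) -> bool:
    """Match one address against a rule's source/destination specification."""
    if isinstance(spec, str) and spec == "any":
        return True
    if isinstance(spec, (frozenset, IPv4Network)):
        return addr in spec
    return addr == spec         # single host address


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """Top-to-bottom, first-match evaluation as on a pfSense interface tab.

    (Raw pf is last-match by default; pfSense adds 'quick' to every rule so
    the first matching rule decides.)  Returns (action, rule label); a packet
    that matches nothing hits the implicit default deny.
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if rule.proto != "any" and rule.proto != pkt.proto:
            continue
        if not _addr_matches(rule.src, src) or not _addr_matches(rule.dst, dst):
            continue
        if rule.dports and pkt.dport not in rule.dports:
            continue
        return rule.action, rule.label
    return "block", "implicit default deny"


# The DMZ ruleset described in the thread: specific passes first, broader
# rejects next, pass to any last.
DMZ_RULES = [
    Rule("pass", "tcp", DMZ_NET, LDAP_SERVER, frozenset({389, 636}), "allow LDAP/LDAPS to the DC"),
    Rule("pass", "udp", DMZ_NET, LDAP_SERVER, frozenset({389}), "allow LDAP udp to the DC"),
    Rule("reject", "any", DMZ_NET, LAN_NET, label="block everything else DMZ -> LAN net"),
    Rule("reject", "any", DMZ_NET, THIS_FIREWALL, label="block DMZ -> This firewall (self)"),
    Rule("pass", "any", DMZ_NET, "any", label="allow everything else (the internet)"),
]

# The earlier attempt: "WAN net" as destination.  It only covers the router's
# private subnet, so the ADSL router is reachable but the Internet is not.
MISTAKEN_RULES = [
    Rule("pass", "any", DMZ_NET, WAN_NET, label="pass DMZ -> WAN net"),
]


if __name__ == "__main__":
    samples = [
        Packet("192.168.2.50", "8.8.8.8", "tcp", 443),          # Internet
        Packet("192.168.2.50", str(LDAP_SERVER), "tcp", 636),   # LDAPS to the DC
        Packet("192.168.2.50", str(LDAP_SERVER), "tcp", 445),   # SMB to the DC: not allowed
        Packet("192.168.2.50", "192.168.2.1", "tcp", 443),      # the firewall itself
        Packet("192.168.2.50", str(WAN_GW), "icmp"),            # ping to the ADSL router
    ]
    for name, ruleset in (("DMZ_RULES", DMZ_RULES), ("MISTAKEN_RULES", MISTAKEN_RULES)):
        for pkt in samples:
            print(name, pkt.dst, pkt.proto, pkt.dport, "->", evaluate(ruleset, pkt))
```

Two points the model makes visible. First, the reject rules are ordered after the LDAP passes and before the final pass to any, so a DMZ host can reach the domain controller on tcp/389 and tcp/636 but nothing else in LAN, while Internet destinations fall through to the last rule. Second, the self rule covers the pfSense DMZ address: if pfSense itself is the DNS or NTP server for the DMZ, a specific pass for those services has to sit above that reject, or the DMZ hosts lose name resolution even though their Internet path is open.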
meridio

                        OK

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.