Netgate Discussion Forum

Can't get firewall rules to work

Firewalling
5 Posts 4 Posters 1.0k Views
  philled, Apr 12, 2014, 7:19 AM

    I'm pretty new to pfSense, having come from Smoothwall.

    My pfSense setup has 3 NICs:

    • WAN

    • LAN 192.168.0.0

    • DMZ 192.168.1.0

    I have quite a few firewall rules to set up but can't even get a basic rule working. For example, I want a machine in my DMZ (192.168.1.100) to connect to port 80 on a machine on my LAN (192.168.0.120). I thought that would be simple but the rule I created still doesn't allow the connection when I try it from 192.168.1.100. I've attached a screenshot of the firewall rules on LAN. Can anyone please advise why this wouldn't work?

    As I say, I thought this would be simple. On Smoothwall a lot of this stuff is pre-configured. I'm starting to get an uneasy feeling that pfSense doesn't do anything like that for you - it just provides a web interface as a slightly more convenient way of setting up firewall rules by hand.

    [attached screenshot: DMZ_firewall_rule_1.gif]

    chpalmer, Apr 12, 2014, 7:25 AM

      Can anyone please advise why this wouldn't work?

      Yep - You need to add a nat rule.

      /firewall_nat.php

      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      philled, Apr 12, 2014, 7:57 AM

        @chpalmer:

        Can anyone please advise why this wouldn't work?

        Yep - You need to add a nat rule.

        /firewall_nat.php
        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        OK, I'll look into that.
        Would the lack of a NAT rule explain why I have no access to the DMZ from my LAN? I'm worried I may not have set up my DMZ correctly in the 1st place. I followed the instructions at http://pfsensesetup.com/pfsense-setup-part-four-setting-up-a-dmz but I can't ping the machine in the DMZ or telnet to port 80. It's totally inaccessible. Would that also be because I haven't set up any NAT rules (that article didn't state that as necessary)?

        biggsy, Apr 13, 2014, 2:46 AM (last edited Apr 13, 2014, 2:48 AM)

          What rules do you have on the DMZ interface?

          Rules are applied to the interface on which the traffic will enter.

          LAN can access anywhere (see the descriptions at the end of lines two and three in your screenshot).

          WAN and OPT (your DMZ) interfaces need to have rules to allow traffic in.

          phil.davis, Apr 13, 2014, 4:26 PM

            What biggsy said - that last rule you have on LAN in your screenshot has to be on DMZ, where the traffic originates.
            You do not need NAT to get between local subnets (like a DMZ and LAN). Do not mess with the NAT settings, or you might break something else accidentally.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

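The point biggsy and phil.davis make (rules are evaluated on the interface where traffic enters, first match wins, and the reply comes back through the state table, so no NAT and no second rule are needed) is easier to see in a small model. The following is an added example written for this thread, not code from pfSense or from any poster; it is a toy evaluator that imitates pfSense's interface-bound, first-match ("quick") rule semantics with stateful replies. The interface names LAN and DMZ, the "Default allow LAN to any" rule and the source port 51515 are assumed; the addresses 192.168.1.100, 192.168.0.120 and port 80 are the ones from the original question.

```python
"""Toy model of pfSense-style per-interface, first-match, stateful filtering.

Added illustration for the thread above; it is not pfSense code. It shows why a
pass rule placed on the LAN tab never matches a connection that enters the
firewall on the DMZ interface, and why the reply needs no rule of its own.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface_in: str            # interface the packet ARRIVES on, from the firewall's view
    proto: str               # "tcp", "udp" or "icmp"
    src: str                 # source IP address
    dst: str                 # destination IP address
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    iface: str               # the interface tab the rule is placed on
    action: str              # "pass" or "block"
    proto: str = "any"
    src: str = "any"         # single host, CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None   # None matches any destination port
    descr: str = ""


def _in_net(addr: str, spec: str) -> bool:
    """True if addr falls inside spec ("any", a host address, or a CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # A rule only ever sees packets entering on the interface it is bound to.
    return (rule.iface == pkt.iface_in
            and rule.proto in ("any", pkt.proto)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the implicit default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "implicit default deny"


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # States are keyed on the packet that opened the flow:
        # (proto, client IP, server IP, server port).
        self.states = set()

    def handle(self, pkt: Packet) -> Tuple[str, str]:
        # Return traffic of an established flow is matched against the state
        # table and never consults the rule set of the interface it enters on.
        if (pkt.proto, pkt.dst, pkt.src, pkt.sport) in self.states:
            return "pass", "existing state"
        action, descr = evaluate(self.rules, pkt)
        if action == "pass":
            self.states.add((pkt.proto, pkt.src, pkt.dst, pkt.dport))
        return action, descr


# Assumed stock LAN rule (pfSense creates an allow-all on LAN by default).
LAN_DEFAULTS = [Rule("LAN", "pass", descr="Default allow LAN to any rule")]

# The rule from the question, as written on the LAN tab and on the DMZ tab.
MISPLACED = Rule("LAN", "pass", "tcp", "192.168.1.100", "192.168.0.120", 80, "DMZ host to LAN web")
CORRECT = Rule("DMZ", "pass", "tcp", "192.168.1.100", "192.168.0.120", 80, "DMZ host to LAN web")

# Constructed packets: the DMZ host's SYN to the LAN web server, and the server's SYN/ACK back.
SYN = Packet("DMZ", "tcp", "192.168.1.100", "192.168.0.120", sport=51515, dport=80)
SYN_ACK = Packet("LAN", "tcp", "192.168.0.120", "192.168.1.100", sport=80, dport=51515)
LAN_PING = Packet("LAN", "icmp", "192.168.0.50", "192.168.1.100")


def demo() -> dict:
    rule_on_lan = Firewall(LAN_DEFAULTS + [MISPLACED])
    rule_on_dmz = Firewall(LAN_DEFAULTS + [CORRECT])
    return {
        "rule_on_LAN": rule_on_lan.handle(SYN),        # entered on DMZ: no DMZ rule, so default deny
        "rule_on_DMZ": rule_on_dmz.handle(SYN),        # entered on DMZ: matches, state created
        "reply_via_state": rule_on_dmz.handle(SYN_ACK),  # SYN/ACK passes on state, no LAN rule consulted
        "LAN_ping_DMZ": rule_on_dmz.handle(LAN_PING),  # LAN allow-all already covers this direction
    }


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:16s} -> {action} ({reason})")
```

Running it shows the SYN from 192.168.1.100 hitting the implicit default deny while the rule sits on LAN, passing once the same rule is on DMZ, and the SYN/ACK being accepted on the state entry rather than on any rule. The last case also reflects biggsy's remark that LAN's default rule already permits LAN-to-DMZ traffic, so a ping that still fails is not blocked by the LAN rule set in this model.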
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.