Netgate Discussion Forum

    NAT Issues

    15 Posts 3 Posters 1.7k Views
    joshuamichaelsanders

      @doktornotor:

      https://tools.ietf.org/html/rfc5737

      IOW, you are censoring information in a way that makes the information get lost and any advice impossible.

      Ahhh, gotcha. OK, the DMZ is on a 192.168.200.x/24 subnet. I'm restricted by corporate policy in giving out the other subnet information. Let me know if this helps.

                               |
                               | x.x.x.200
                        +--------------+
                        |              |
                        |   PFSense    |
                        | Edge Firewall|
                        |              |
                        +--------------+
                               | 192.168.200.1
                               |
                               |
                               | 192.168.200.203
                        +--------------+
                        |              |
                        |  Web Server  |
                        |              |
                        +------+-------+
                               |
                               |
                               | 192.168.200.2
      +-------------------+  +--------------+
      |                   |  |              |
      |                   |  |   PFSense    |
      | Corporate Network +--+Trust Firewall|
      |                   |  |              |
      |                   |  |              |
      +-------------------+  +--------------+

      joshuamichaelsanders

        BTW, moderators... I understand that this is probably no longer a NAT issue. Please feel free to move it to an appropriate routing board.

        doktornotor

          What happened to the w.w.w.7 thing?

          joshuamichaelsanders

            That is the LAN interface IP address that I neglected to put back in the schematic. It's on my corporate network, on a totally different network than my DMZ network and the last octet is .7
            -J

            joshuamichaelsanders

              bump

              johnpoz (Global Moderator)

                So your web server is what amounts to your transit network?

                If you need a downstream router from your edge, then that needs to have a transit.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                joshuamichaelsanders

                  Correct, the entire 192.168.200 subnet is a transit network. I don't understand your point about the downstream router. There is indeed an upstream and downstream network on either side of the Edge Firewall and on my Corporate Network. My question is specifically about the web server in the 192 subnet. If I make the default gateway on that box point toward the PFsense at 192.168.200.2 I can poll the server internally but not externally through the 1:1 NAT I've set up on the Edge PFsense. If I point the webserver toward the PFSense at 192.168.200.1 I can access the server through the 1:1 NAT on the Edge PFsense but can't access anything on that box from the Trust Firewall. Every time, the logs are littered with TCP:S, which leads me to believe... I don't know what to believe at this point.

                  johnpoz (Global Moderator)

                    hosts do not sit on a transit!!!  If they do they need to have host routing that tells them where to go to get to what.. But in general there should really never be a host on a transit network..

                    Hang your webserver off a different segment than your transit network off your edge router/firewall.


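The two posts above describe the same symptom from both sides: a host sitting on the transit segment with a single default gateway can only send replies toward one of the two firewalls, so whichever firewall did not see the original SYN drops the reply as out-of-state and logs it. The following Python model is an added illustration written for this page (it is not code from the thread, from Netgate, or from pfSense). It performs the longest-prefix-match lookup a host's kernel does over a routing table built from the addresses in the thread (192.168.200.1, 192.168.200.2, 192.168.200.203) and checks whether the reply to a client leaves through the same firewall the request came in from. Because the corporate subnet is redacted in the thread, 10.0.0.0/8 stands in for it as a labelled placeholder, and 198.51.100.10 (an RFC 5737 documentation address) is a constructed external client.

```python
import ipaddress

# Constructed topology, taken from the thread's diagram. The web server sits on the
# 192.168.200.0/24 transit segment between the edge firewall (.1) and the trust
# firewall (.2). The corporate range is redacted in the thread, so 10.0.0.0/8 is
# an ASSUMED placeholder, not the poster's real subnet.
HOST_IP = "192.168.200.203"
LOCAL_NET = "192.168.200.0/24"
EDGE_GW = "192.168.200.1"       # pfSense edge firewall, does the 1:1 NAT
TRUST_GW = "192.168.200.2"      # pfSense trust firewall, toward the corporate network
CORP_NET_PLACEHOLDER = "10.0.0.0/8"  # assumption: stands in for the redacted corporate range


def build_routes(default_gw, static_routes=()):
    """Build a host routing table as a list of (prefix, gateway).

    The directly connected segment is always present with gateway None (on-link);
    everything else falls to the default route unless a more specific static
    route is given as (prefix, gateway) in static_routes.
    """
    table = [
        (ipaddress.ip_network(LOCAL_NET), None),
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(default_gw)),
    ]
    for prefix, gw in static_routes:
        table.append((ipaddress.ip_network(prefix), ipaddress.ip_address(gw)))
    return table


def next_hop(table, dst):
    """Longest-prefix match: return the gateway for dst, or None if dst is on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in table:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_is_symmetric(table, client_ip, ingress_gw):
    """True when the server's reply to client_ip leaves via the firewall the request
    arrived from. A False here is the asymmetric path that a stateful firewall
    drops and logs as an out-of-state packet."""
    return next_hop(table, client_ip) == ipaddress.ip_address(ingress_gw)


def demo():
    """Evaluate the three gateway choices discussed in the thread.

    Each entry is (external client symmetric?, corporate client symmetric?).
    """
    internet_client = "198.51.100.10"  # constructed, RFC 5737 documentation range
    corp_client = "10.20.30.40"        # constructed, inside the placeholder corporate range
    results = {}

    # Case 1: default gateway only, pointing at the edge firewall (.1).
    # External access through the 1:1 NAT works, corporate replies go the wrong way.
    t1 = build_routes(EDGE_GW)
    results["default_edge"] = (
        reply_is_symmetric(t1, internet_client, EDGE_GW),
        reply_is_symmetric(t1, corp_client, TRUST_GW),
    )

    # Case 2: default gateway only, pointing at the trust firewall (.2).
    # Corporate access works, replies to external clients bypass the edge firewall.
    t2 = build_routes(TRUST_GW)
    results["default_trust"] = (
        reply_is_symmetric(t2, internet_client, EDGE_GW),
        reply_is_symmetric(t2, corp_client, TRUST_GW),
    )

    # Case 3: default via the edge plus a host route for the corporate range via
    # the trust firewall, i.e. the "host routing that tells them where to go" that
    # a host on a transit segment needs if it is left there.
    t3 = build_routes(EDGE_GW, [(CORP_NET_PLACEHOLDER, TRUST_GW)])
    results["default_edge_plus_static"] = (
        reply_is_symmetric(t3, internet_client, EDGE_GW),
        reply_is_symmetric(t3, corp_client, TRUST_GW),
    )
    return results


if __name__ == "__main__":
    for case, (ext_ok, corp_ok) in demo().items():
        print(f"{case:26s} external symmetric={ext_ok}  corporate symmetric={corp_ok}")
```

The first two cases reproduce the two behaviours reported in the thread; only the third keeps both return paths symmetric, and even that is a workaround that has to be maintained on every host placed on the transit segment, which is why moving the web server to its own segment behind the edge firewall is the cleaner fix.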
                    joshuamichaelsanders

                      Maybe I misunderstood what you were saying about a transit network. Are you saying I can't setup a design like this on my network?

                      [attachment: DMZLevel3.jpg]

                      joshuamichaelsanders

                        bump

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.