Ping LAN to DMZ, but not DMZ to LAN
-
I'd like to configure this:
- A PC in the LAN can ping the web server in the DMZ.
- But I don't want the web server in the DMZ to be able to ping the PC in the LAN.
The firewall is new (so there are not a lot of rules).
I'm new to pfSense. Perhaps I've done something wrong when I created the DMZ interface.
On the DMZ interface: all rules are "disabled".
On the LAN interface: a "block" rule for "IPv4 ICMP echo request".
From my web server (on the DMZ interface), I launch a ping (ping -t) to a PC (on the LAN interface).
The ping doesn't work because there is no rule on the DMZ interface.
That's good.
From the same PC (on the LAN interface), I launch a ping (ping -t) to the web server (on the DMZ interface).
The ping doesn't work because there is a rule that blocks it.
That's good.
I modify the LAN rule: it goes from "block" to "pass".
The ping from the PC to the web server is now working: that's good.
But … the ping from the web server to the PC works too!!! That's not what I want.
If I add a rule on the DMZ interface that blocks "ping request" from DMZ to LAN, the ping from the server on the DMZ to the LAN continues.
I know iptables. I can't find how to do what I want in pfSense.
Thanks for all.
Best regards.
-
Packets are filtered on the interface where they come in by default, except for floating rules.
Only packets explicitly allowed by a filter rule can pass. So if you are able to ping from DMZ to LAN, there must be a rule on the DMZ interface allowing it, or even a floating rule.
-
^^^ Yeah, you either swapped the LAN and DMZ interfaces or you need to kill states as advised in your other post.
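As an added illustration of the two replies above (this is example code, not pfSense code and not code from anyone in this thread), here is a toy Python model of how pf decides: rules are evaluated only on the interface a packet arrives on, a "pass" rule with keep state creates a state entry, and the echo-reply then passes on the other interface through that state without any rule there. Interface names, the 10.0.0.10 / 172.16.0.10 host addresses, the rule fields and the `swapped` flag (modelling the guess that the Hyper-V NICs for LAN and DMZ are assigned the wrong way round) are assumptions chosen to mirror the thread.

```python
"""Toy model of pf's stateful, ingress-interface filtering (added example, not
pfSense code and not code from anyone in this thread).

Assumptions chosen for the illustration: interfaces named "LAN" and "DMZ",
a PC at 10.0.0.10 behind LAN and a web server at 172.16.0.10 behind DMZ,
one ICMP echo-request rule on LAN and no rules on DMZ, as in the thread.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_if: str       # interface the packet ARRIVES on; pf filters there
    src: str
    dst: str
    icmp_type: str   # "echo-request" or "echo-reply"
    icmp_id: int     # ICMP identifier, part of pf's ICMP state key


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    icmp_type: Optional[str] = None  # None matches any ICMP subtype
    src: str = "any"
    dst: str = "any"


class Firewall:
    """Per-interface rule lists, first match wins; pass rules keep state."""

    def __init__(self, rules: Dict[str, List[Rule]]) -> None:
        self.rules = rules
        self.states: Set[Tuple[str, str, int]] = set()  # (src, dst, icmp id)

    def filter(self, p: Packet) -> str:
        # 1. State table first: a reply to a tracked request passes on ANY
        #    interface, which is why no rule is needed on DMZ for the reply.
        if p.icmp_type == "echo-reply" and (p.dst, p.src, p.icmp_id) in self.states:
            return "pass (state)"
        if p.icmp_type == "echo-request" and (p.src, p.dst, p.icmp_id) in self.states:
            return "pass (state)"
        # 2. No state: evaluate only the rules bound to the ingress interface.
        for r in self.rules.get(p.in_if, []):
            if r.icmp_type not in (None, p.icmp_type):
                continue
            if r.src not in ("any", p.src) or r.dst not in ("any", p.dst):
                continue
            if r.action == "pass":
                self.states.add((p.src, p.dst, p.icmp_id))  # keep state
                return "pass (rule)"
            return "block (rule)"
        # 3. Default deny when nothing matched.
        return "block (default)"


def scenario(lan_action: str, swapped: bool = False) -> Dict[str, str]:
    """One ping each way with the thread's rule set.

    lan_action: "pass" or "block" for the LAN echo-request rule.
    swapped:    model the second reply's guess that the Hyper-V NICs for LAN
                and DMZ are assigned the wrong way round, so each host's
                traffic actually arrives on the other interface.
    """
    fw = Firewall({"LAN": [Rule(lan_action, icmp_type="echo-request")], "DMZ": []})
    pc, web = "10.0.0.10", "172.16.0.10"
    pc_if, web_if = ("DMZ", "LAN") if swapped else ("LAN", "DMZ")
    return {
        "PC->Web request": fw.filter(Packet(pc_if, pc, web, "echo-request", 1)),
        "Web->PC reply":   fw.filter(Packet(web_if, web, pc, "echo-reply", 1)),
        "Web->PC request": fw.filter(Packet(web_if, web, pc, "echo-request", 2)),
        "PC->Web reply":   fw.filter(Packet(pc_if, pc, web, "echo-reply", 2)),
    }


if __name__ == "__main__":
    cases = (("LAN rule = block", {"lan_action": "block"}),
             ("LAN rule = pass", {"lan_action": "pass"}),
             ("LAN rule = pass, NICs swapped", {"lan_action": "pass", "swapped": True}))
    for label, kw in cases:
        print(label)
        for name, verdict in scenario(**kw).items():
            print(f"  {name:16s} {verdict}")
```

With the LAN rule set to "pass" the model gives "pass (rule)" for the PC's request, "pass (state)" for the server's reply, and "block (default)" for a request the server starts itself, which is the behaviour the original poster wants. With the interfaces swapped it is the server's request that passes and the PC's that is dropped. A real pfSense box that passes both directions therefore has something this model does not: a pass rule on the DMZ or Floating tab, a wrong interface assignment, or leftover states, which is exactly what the two replies say to check.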
-
In Interfaces > Interface Assignments:
- WAN: hn0 (00:15:5d:6c:a0:09)
- LAN: hn1 (00:15:5d:6c:a0:0a)
- DMZ: hn2 (00:15:5d:6c:a0:0b)
Everything is virtualized (Hyper-V) on one physical machine. As soon as possible, I will try the same test with one physical machine in the DMZ and another physical machine in the LAN.
All submenus (Interface Groups, Wireless, …) are empty.
In Interfaces > DMZ (I don't show empty fields):
- Description: DMZ
- IPv4 Configuration Type: Static IPv4
- IPv6 Configuration Type: none
- IPv4 Address: 172.16.0.1
- IPv4 Upstream gateway: None
In Interfaces > LAN (I don't show empty fields):
- Description: LAN
- IPv4 Configuration Type: Static IPv4
- IPv6 Configuration Type: none
- IPv4 Address: 10.0.0.1
- IPv4 Upstream gateway: None
In Firewall > Rules > Floating:
No floating rules are currently defined. Click the button to add a new rule.
In Firewall > Rules > LAN:
- Rule 1: Anti-Lockout Rule
- Rule 2: "ping LAN to WAN":
  . Action: "pass" or "block"
  . Interface: LAN
  . Address Family: IPv4
  . Protocol: ICMP
  . ICMP Subtypes: Echo request
  . Source: any
  . Destination: any
  . Disable reply-to: selected
  . State type: keep
  . Gateway: default
In Firewall > Rules > DMZ:
No floating rules are currently defined. Click the button to add a new rule.
Ping from LAN to DMZ is "blocked".
Then: ping from DMZ to LAN is "blocked" too.
What is strange: if rule 2 on the LAN interface goes from "block" to "pass":
- the ping from LAN to DMZ is working (after having destroyed the state in Diagnostics > States)
- immediately, the ping from DMZ to LAN is working too.
When the ping is working (from LAN to DMZ, but from DMZ to LAN too), I have only 2 lines in Diagnostics > States (the "State" column is at 0:0 for the two lines).
Thanks for all.
-
Do you know this guide?
https://doc.pfsense.org/index.php/Virtualizing_pfSense_under_Hyper-V