/28 subnet on DMZ

Derelict · Oct 31, 2018, 12:10 AM

What is the IP numbering of your WAN interface?

What is your DMZ subnet?

comnsense · Oct 31, 2018, 12:17 AM

The IP of the WAN interface is:
144.76.37.145
and the subnet is:
5.9.254.80/28

Derelict · Oct 31, 2018, 12:21 AM

OK so you need to number an inside interface with something like:

Address: 5.9.254.81 /28

That lets you set inside hosts to:
Available: 5.9.254.82-5.9.254.94
They should set their default gateway to: 5.9.254.81

You need firewall rules passing from those source addresses, all protocols.

No idea why you are setting the destination port to 80 on your NO NAT rule.

Outbound NAT only affects connections initiated from the inside.

Anything coming in from the outside is handled by the rules on WAN and the stateful firewall.

comnsense · Oct 31, 2018, 12:42 AM

That is indeed exactly how I have configured my setup.

Just to be sure I disabled the rules on the DMZ and created 1 new allowing everything outside and instead of DMZ NET as source defined the test client IP address (5.9.254.82).

Under outbound NAT I removed the destination port setting. I know I shouldn't have messed with that in the first place but now it behaves just like before and the test client lost all possibilities connecting/ping to the outside.

Only when I define some port number in outbound NAT is it that the client can ping outside, no browsing however.

Derelict · Oct 31, 2018, 12:44 AM

You're going to have to post your rules and outbound NAT.

This all just works unless they are really not routing those addresses to you.

comnsense · Oct 31, 2018, 12:45 AM

Just a quick question, is this behavior consistent with Hetzner not routing my subnet to the proper (WAN) IP Address?

Derelict · Oct 31, 2018, 1:40 AM

Depends.

You can tell whether they are routing it to you by packet capturing on WAN.

Packet capture for one of the DMZ IP addresses. Ping it from the outside. If the ISP ARPs for the address, they are not routing it. If the pings just show up to that destination they are.

comnsense · Oct 31, 2018, 11:18 PM

Thanks for the tip, why didn't I think of this sooner. Would have saved lots of headache.
It seems after a packet capture that indeed the subnet is not correctly routed by Hetzner.
I'll come back with an update after I got them to route correctly..

comnsense · Nov 1, 2018, 1:13 AM

Okay, it seems that they (Hetzner) have now router everything correctly.

To be sure I did a factory reset of pfsense and configured it again. Unfortunately nothing seems to have changed, DMZ clients still can't connect to the outside.

I've included several screenshots of my configuration.

I hope this helps in trying to figure out where I went wrong.

comnsense · Nov 2, 2018, 10:28 PM

Thanks for the support given so far. At seems as though I was to early. A couple of hours after Hetzner said they made the change in routing it started working.

So now everything works as it should.