DMZ for VMs with VM pfSense
-
@luckyzor
I've already tried to tell you to add an "isolated network".
Add a new virtual network in the VMM, enter DMZ in the network name box, no DHCP (if needed, this can be done by pfSense), no routes, check "isolated virtual network".Then add a NIC to pfSense and connect it this network and configure it in pfSense. Also connect the virtual NICs of the other DMZ VMs to it.
-
@viragomann I've done that but no internet access with the VM in the DMZ.
Maybe this need more configuration in pfSense... Can you give me some clue? Thanks alot
@johnpoz I've already thought to change to Exsi but I need to buy a license, and I have already all my VM in KVM. One day maybe :)
-
@luckyzor said in DMZ for VMs with VM pfSense:
I've already thought to change to Exsi but I need to buy a license
Depends on your Feature needs, there is a free ESXi License. You can't run vCenter with the Free and some other stuff is missing, you just need to check.
-Rico
-
@luckyzor said in DMZ for VMs with VM pfSense:
Maybe this need more configuration in pfSense... Can you give me some clue? Thanks alot
https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html I guess you forgot to add rules to your new interface in pfSense. Hard to say unless you provide some more details.
-
@luckyzor said in DMZ for VMs with VM pfSense:
Maybe this need more configuration in pfSense... Can you give me some clue?
pfSense only permits access on LAN devices by default, on other interfaces added by yourself you have also to add filter rules to permit access to connected devices.
Go to Firewall > rules > DMZ and add a pass rule and allow any from any source to any for testing. Restrict access later.
-
@grimson said in DMZ for VMs with VM pfSense:
@luckyzor said in DMZ for VMs with VM pfSense:
Maybe this need more configuration in pfSense... Can you give me some clue? Thanks alot
https://www.netgate.com/docs/pfsense/routing/connectivity-troubleshooting.html I guess you forgot to add rules to your new interface in pfSense. Hard to say unless you provide some more details.
I've added the network interfaces, created the DMZ interface:
Now my VM in the DMZ can ping my lan but can't ping my wan.
I tried to block from dmz to lan and it doesn't work:
What I want:
DMZ can't see Lan devices
Lan devices can see DMZDMZ can see and be seen by WAN
Can I access DMZ by hostname in the Lan interface?
thanks for your help. I really appreciate.
-
Start reading here: https://www.netgate.com/docs/pfsense/book/firewall/index.html the rule you posted above shows pretty clearly that you lack the basics on how a firewall works.
-
@viragomann said in DMZ for VMs with VM pfSense:
@luckyzor said in DMZ for VMs with VM pfSense:
Maybe this need more configuration in pfSense... Can you give me some clue?
pfSense only permits access on LAN devices by default, on other interfaces added by yourself you have also to add filter rules to permit access to connected devices.
Go to Firewall > rules > DMZ and add a pass rule and allow any from any source to any for testing. Restrict access later.
Can't access internet with that rule:
-
Your rule allows TCP only! Ping needs ICMP.
-
@viragomann said in DMZ for VMs with VM pfSense:
Your rule allows TCP only! Ping needs ICMP.
Still the same.
@Grimson I will read what you send me and try to understand this.
I'm facing a problem more "urgent" and I hope do be guide on how to troubleshoot this so I can try to fix it.
everything works (not the DMZ, but that is not urgent) as expected with my host and other VMs in the LAN side.
For the first time I plugged-in a switch in the LAN physical interface and my desktop to the switch.
Unfortunately, I can't get IP from the DHCP, tried to put a ip manually and nothing.
I don't know where to start to check where is the problem.I really need some help for this. Hope you can help me. Thanks in advance
-
@luckyzor said in DMZ for VMs with VM pfSense:
Unfortunately, I can't get IP from the DHCP
Then you have a layer 2 problem.. Or you did not enable dhcp on that interface..
-
@johnpoz said in DMZ for VMs with VM pfSense:
@luckyzor said in DMZ for VMs with VM pfSense:
Unfortunately, I can't get IP from the DHCP
Then you have a layer 2 problem.. Or you did not enable dhcp on that interface..
I found the problem. I don't know why but my configuration file for the 2nd NIC disappeared.
I created a new one. restart network solved.Now I'm back to the DMZ zone:
I create the isolate VN as @viragomann said.
When add this interface as OPT in pfSense with no rules, I have access to LAN net.
I started to go to rules -> DMZ -> Create Rule.
Created a rule to block everything. surprise, I still have access from LAN net to DMZ and vice-versa. is it normal?Thanks for your help
-
No, an isolated network has no connection to anywhere as long as there is no device connected to it which passes the traffic.
If you can't find the leak use traeceroute to investigate which node let the packets pass to LAN.
-
@viragomann said in DMZ for VMs with VM pfSense:
No, an isolated network has no connection to anywhere as long as there is no device connected to it which passes the traffic.
If you can't find the leak use traeceroute to investigate which node let the packets pass to LAN.
@viragomann I created the vDMZ (isolated / no DHCP / ip 192.168.2.0/24)
Attached this network to the VM-http and the VM-pfSense.
Created the DMZ interface with the vDMZ.
Until here is like that I need to do in KVM?
-
The vDMZ must also have no static routes activated. Apart from that, it should be fine.
-
@viragomann said in DMZ for VMs with VM pfSense:
The vDMZ must also have no static routes activated. Apart from that, it should be fine.
I've just added the vDMZ to the VM-http and I can ping the host and the host can ping the VM. how can I block this?
-
Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?
-
@viragomann said in DMZ for VMs with VM pfSense:
Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?
Yes. the vDMZ is not added to the VM-pfSense.
So the problem is in the Host machine I guess, but don't know what to do. -
@luckyzor said in DMZ for VMs with VM pfSense:
@viragomann said in DMZ for VMs with VM pfSense:
Can you also ping the host if you disconnect the pfSense from vDMZ in VMM?
Yes. the vDMZ is not added to the VM-pfSense.
So the problem is in the Host machine I guess, but don't know what to do.I found this route in the Host :
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0I deleted and now ping doens't work anymore. Is this the solution? thanks for the help
-
That route should have no effect, since there is no router specified. It only defines the network on vibr0 (vDMZ?).
