Netgate Discussion Forum
[SOLVED] How to access to server in DMZ

Firewalling
WhiteTiger-IT, Jul 11, 2020, 5:44 PM (last edited Jul 20, 2020, 11:23 AM)

Forgive my newbie question, but I'm learning to use pfSense.

I have configured the DMZ and the LAN and now I can:

• Surf the Internet from PCs in the LAN and from the server in the DMZ
• Make updates.
• PING on PC / Server and on the Firewall network cards.

So I am satisfied.

What I would like to do now is to access the HTTP server located in the DMZ from the Internet.
I created the rule like in this screenshot; it comes from the rules that I use in the LAN and DMZ sections, but evidently this rule is not enough.
I haven't even figured out how to configure a Port Forward, if that's what I have to do.

In this test environment the server manages HTTP, HTTPS, Mail, FTP and slave DNS servers.
Tomorrow I will create different servers for each service.

[screenshot: WAN rule]

"LS1" is an alias with the server address.
"Web" is an alias for ports 80 & 443.
Derelict (Netgate), Jul 11, 2020, 5:53 PM

Source WAN net is not "the internet." Source any is "the internet."

You probably need a port forward as well unless you have routed, public IP addresses on the DMZ interface.

--
Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
WhiteTiger-IT, Jul 12, 2020, 9:20 AM (last edited Jul 12, 2020, 9:29 AM)

The router has a port forward for port 80 to the pfSense WAN network card.
I have changed the rule from WAN net to WAN address.
Nonetheless:

• In pfSense / Diagnostics / Test Port, a test from WAN to the server address in the DMZ replies with: "No output received, or connection failed. Try with 'Show Remote Text' unchecked first."
• With https://www.yougetsignal.com/tools/open-ports/ on the public address, port 80 is closed.

This is the new snapshot of the rules in WAN and the one in DMZ.

[screenshot: WAN rules]

[screenshot: DMZ rules]

I was wondering: if access from 192.168.0.0 is blocked by default in WAN, how does it accept traffic from the router if the rule comes after the block rule?
Bob.Dig, Jul 12, 2020, 12:10 PM (replying to WhiteTiger-IT)

@WhiteTiger-IT said in How to access to server in DMZ:

> I have changed the rule from WAN net to WAN address.

Why?
WhiteTiger-IT, Jul 12, 2020, 2:27 PM

@Bob-Dig said in How to access to server in DMZ:

> @WhiteTiger-IT said in How to access to server in DMZ:
>
> > I have changed the rule from WAN net to WAN address.
>
> Why?

Because initially the rule was from WAN Net, now from WAN Address.
Which is the right rule?
Bob.Dig, Jul 12, 2020, 2:46 PM (last edited Jul 12, 2020, 2:47 PM; replying to WhiteTiger-IT)

@WhiteTiger-IT When staff give you a hint, better do it. 😉

@Derelict said in How to access to server in DMZ:

> Source WAN net is not "the internet." Source any is "the internet."
DaddyGo, Jul 12, 2020, 3:00 PM (last edited Jul 12, 2020, 3:04 PM; replying to WhiteTiger-IT)

@WhiteTiger-IT

What we ourselves (of our own free will) call WAN or WAN Net, etc. is not the same as internet access ✌

The solution is this:

@Derelict said:

> Source any is "the internet."

Cats bury it so they can't see it!
(You know what I mean if you have a cat)
WhiteTiger-IT, Jul 19, 2020, 9:29 AM

@DaddyGo
@Derelict
@Bob-Dig

Now in WAN there is only the rule
Source ANY to Alias-Server in DMZ for Alias-Port (80 + 443)

I have left the other rules (in LAN and DMZ) unchanged, but I still don't reach the Apache server in the DMZ, and ports 80 + 443 are closed from the Internet according to that link.

Do I need to add a Port Forward?
I already have a port forward for ports 80 + 443 on the pfSense WAN card.

Forgive my inexperience, but it is the first time that I work with pfSense and create rules in a firewall.
I read the online manual and a couple of PDFs that I found on the net, but as regards configuring pfSense to manage a server in the DMZ I have not found anything that can help me.

If you can direct me to other reading, I would be grateful.
Bob.Dig, Jul 19, 2020, 9:35 AM (last edited Jul 19, 2020, 9:36 AM; replying to WhiteTiger-IT)

@WhiteTiger-IT Show us the Port Forward rule and the WAN rule and, while you are at it, the rest again.
WhiteTiger-IT, Jul 19, 2020, 9:57 AM

In pfSense there are no port forwarding rules, only the two automatically created in Outbound.
This is the WAN screenshot of the rules.
[screenshot: WAN rules]

This is the screenshot of the router.
[screenshot: router port forward]
Bob.Dig, Jul 19, 2020, 10:01 AM (last edited Jul 19, 2020, 10:04 AM; replying to WhiteTiger-IT)

@WhiteTiger-IT In a normal setup, your router would forward those or any ports to the pfSense WAN interface, and then you would need to port forward from there to your actual server. So you would need to port forward in pfSense too, doing double NAT. But maybe your setup is different; you haven't told us in your first post.
WhiteTiger-IT, Jul 19, 2020, 10:08 AM (replying to Bob.Dig)

@Bob-Dig said in How to access to server in DMZ:

> @WhiteTiger-IT In a normal setup, your router would forward those or any ports to the pfSense WAN interface, and then you would need to port forward from there to your actual server. So you would need to port forward in pfSense too, doing double NAT. But maybe your setup is different; you haven't told us in your first post.

I am now starting to configure pfSense in my "personal laboratory" to learn how to use it.
The rules entered are those that I also showed in previous posts. There are no other rules, and these are used to access the server from my PC and to make updates.
These are rules that I took from the official help.
In the DMZ there is an Apache with only the default page; to do the tests I think it is enough.
Bob.Dig, Jul 19, 2020, 10:11 AM (last edited Jul 19, 2020, 10:12 AM; replying to WhiteTiger-IT)

@WhiteTiger-IT If you haven't changed any settings in pfSense (System - Advanced - Firewall & NAT), then pfSense is its own router and you have to do double NAT, like I said.
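The two points made so far, Derelict's "source any is the internet" and the second port forward needed for double NAT, can be seen in a small first-match model of how pfSense applies a WAN port forward (pf "rdr") and then walks the WAN rules. This is an added example, not the poster's configuration and not pfSense code; every address (the 203.0.113.5 client, the 192.168.0.0/24 WAN subnet behind the ISP router, the 10.0.20.10 DMZ host standing in for the "LS1" alias) is a constructed sample value, and it assumes the ISP router does destination NAT only, so the forwarded packet keeps the Internet client's source address, which is also why the earlier question about the "Block private networks" rule comes out the way it does.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Sequence, Tuple, Union

ANY = "any"  # the "any" choice in a pfSense rule's source/destination
AddrSpec = Union[str, IPv4Address, IPv4Network]

# Constructed sample addressing (RFC 5737 / RFC 1918). The DMZ host is an assumption
# standing in for the thread's "LS1" alias; nothing here is the poster's real addressing.
INTERNET_CLIENT = ip_address("203.0.113.5")
ISP_ROUTER = ip_address("192.168.0.1")
WAN_ADDRESS = ip_address("192.168.0.2")  # pfSense "WAN address", behind the ISP router (double NAT)
WAN_NET = ip_network("192.168.0.0/24")   # pfSense "WAN net": only the subnet the WAN interface is in
DMZ_SERVER = ip_address("10.0.20.10")    # assumed DMZ web server
WEB_PORTS = (80, 443)                    # the thread's "Web" alias
RFC1918 = tuple(ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class PortForward:
    """Firewall > NAT > Port Forward: traffic to listen:ports is redirected to target."""
    listen: IPv4Address
    ports: Tuple[int, ...]
    target: IPv4Address


@dataclass(frozen=True)
class Rule:
    """A WAN filter rule; pfSense evaluates the list top-down and the first match wins."""
    action: str                       # "pass" or "block"
    source: AddrSpec                  # ANY, a network such as WAN net, or a single host
    dest: AddrSpec
    ports: Optional[Tuple[int, ...]]  # None means any port


def addr_matches(spec: AddrSpec, addr: IPv4Address) -> bool:
    if spec == ANY:
        return True
    if isinstance(spec, IPv4Network):
        return addr in spec
    return addr == spec


def apply_port_forward(pkt: Packet, forwards: Sequence[PortForward]) -> Packet:
    """pf applies the port forward (rdr) before filtering, so the WAN rules see the
    translated destination; that is why the pass rule's destination is the internal host."""
    for fwd in forwards:
        if pkt.dst == fwd.listen and pkt.dport in fwd.ports:
            return replace(pkt, dst=fwd.target)
    return pkt


def evaluate(pkt: Packet, forwards: Sequence[PortForward], rules: Sequence[Rule],
             block_private_networks: bool = True) -> Tuple[str, Packet]:
    """Return the verdict and the packet as the filter saw it."""
    pkt = apply_port_forward(pkt, forwards)
    # The WAN interface option "Block private networks" sits ahead of the user rules.
    if block_private_networks and any(pkt.src in net for net in RFC1918):
        return "block (Block private networks)", pkt
    for rule in rules:
        if (addr_matches(rule.source, pkt.src) and addr_matches(rule.dest, pkt.dst)
                and (rule.ports is None or pkt.dport in rule.ports)):
            return rule.action, pkt
    return "block (default deny)", pkt


FORWARD_WEB = [PortForward(WAN_ADDRESS, WEB_PORTS, DMZ_SERVER)]
RULE_FROM_WAN_NET = [Rule("pass", WAN_NET, DMZ_SERVER, WEB_PORTS)]  # the thread's first attempt
RULE_FROM_ANY = [Rule("pass", ANY, DMZ_SERVER, WEB_PORTS)]          # what Derelict recommended

# The ISP router has already forwarded port 80 to the pfSense WAN address. Assumption: it does
# destination NAT only, so the packet still carries the Internet client's source address.
FROM_INTERNET = Packet(INTERNET_CLIENT, WAN_ADDRESS, 80)


def wan_net_source() -> Tuple[str, Packet]:
    """Source "WAN net" never matches an Internet client, so the rule is dead."""
    return evaluate(FROM_INTERNET, FORWARD_WEB, RULE_FROM_WAN_NET)


def any_source() -> Tuple[str, Packet]:
    """Source "any" plus the port forward: the packet reaches the DMZ server."""
    return evaluate(FROM_INTERNET, FORWARD_WEB, RULE_FROM_ANY)


def missing_port_forward() -> Tuple[str, Packet]:
    """Without the port forward the destination stays the WAN address, the pass rule
    for the DMZ host never matches, and the default deny applies."""
    return evaluate(FROM_INTERNET, [], RULE_FROM_ANY)


def sourced_from_router() -> Tuple[str, Packet]:
    """Only a packet whose *source* is a private address is stopped by
    "Block private networks"; a forwarded Internet packet is not."""
    return evaluate(Packet(ISP_ROUTER, WAN_ADDRESS, 80), FORWARD_WEB, RULE_FROM_ANY)


if __name__ == "__main__":
    for name, scenario in (("source WAN net", wan_net_source), ("source any", any_source),
                           ("no port forward", missing_port_forward),
                           ("private source", sourced_from_router)):
        verdict, seen = scenario()
        print(f"{name:16} -> {verdict:32} filter saw {seen.src} -> {seen.dst}:{seen.dport}")
```

Running the script prints one line per scenario: the "WAN net" and "no port forward" cases end in the default deny, "source any" passes with the destination already rewritten to the DMZ host, and only the packet actually sourced from the router's private address trips "Block private networks". In pfSense the same pairing is produced for you when a port forward is created with "Add associated filter rule", which generates the WAN pass rule with the internal host as destination.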
WhiteTiger-IT, Jul 19, 2020, 10:15 AM (replying to Bob.Dig)

@Bob-Dig said in How to access to server in DMZ:

> If you haven't changed any settings in pfSense (System - Advanced - Firewall & NAT), then pfSense is its own router and you have to do double NAT, like I said.

I have now created this NAT Port Forward rule.
Is this what you mean?
[screenshot: NAT port forward rule]
Bob.Dig, Jul 19, 2020, 10:17 AM (replying to WhiteTiger-IT)

@WhiteTiger-IT More like this:
[screenshot: NAT port forward rule, login required to view]
WhiteTiger-IT, Jul 19, 2020, 10:28 AM

I changed the NAT rule and didn't use aliases.
But now, using the URL http://IP-Address, I get the "Tunnel Connection Failed" error.

[screenshot: NAT port forward rule]
WhiteTiger-IT, Jul 19, 2020, 10:32 AM (last edited Jul 19, 2020, 10:33 AM)

Using a DDNS name I get the error "Connection Timed Out".
I don't find any errors in Syslog / Firewall.
WhiteTiger-IT, Jul 19, 2020, 10:40 AM

Last week I contacted the ISP that manages the firewall; they told me that there were no problems and that it is pfSense that does not have the ports open.
How can I check if it is true?
I can only use tools on the Internet, and these tell me that the ports are closed on the public address.
If from pfSense Diagnostics I ping from WAN to the server, it doesn't work, but maybe this is not enabled.
WhiteTiger-IT, Jul 19, 2020, 10:48 AM

AAARGHHHH!
DAMNED DHCP THAT CHANGED THE ADDRESS OF THE WAN CARD!

Everything is working!
I apologize very much and thank you for your support and patience!
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.