Netgate Discussion Forum

    Inconsistent pinging across OPT (again but different)

    General pfSense Questions
    22 Posts 3 Posters 1.7k Views
    • V Offline
      viragomann @coatmaker618
      last edited by

      @coatmaker618
      I meant, the response will go back on OP1.
      I corrected it above.

      C 1 Reply Last reply Reply Quote 0
      • C Offline
        coatmaker618 @johnpoz
        last edited by

        @johnpoz the other network would also be isolated. It would NOT be a shortcut to the LAN or NAS or other private stuff. However I see your point. The goal of all this redesign I'm working on was to get stuff like this off the trusted LAN!! But it seems I'm taking that separation too far with multiple interfaces?

        So your approach would be a single interface on DMZ for this server and just add a rule to LAN to say "allow ssh" & other debug stuff?

        johnpozJ 1 Reply Last reply Reply Quote 0
        • C Offline
          coatmaker618 @viragomann
          last edited by

          @viragomann that would certainly be a problem if Linux decided to respond over the default interface rather than the interface which received the packet.

          That seems like a bad plan to me, but it would seem that perhaps that's what's happening?

          Also, sorry for the delay in response viragomann . Apparently I'm still too sketchy (not enough reputation) to post more than once every 2 minutes 😃

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator @coatmaker618
            last edited by johnpoz

            @coatmaker618 said in Inconsistent pinging across OPT (again but different):

            So your approach would be a single interface on DMZ for this server and just add a rule to LAN to say "allow ssh" & other debug stuff?

            Yes.. what you would do is pinhole access from stuff in your dmz into your lan.. But why would dmz need access to ssh to something in trusted vlan? I can see trusted to dmz.. But stuff dmz should have access to should really be very limited.

            My dmz has zero access into any of my other vlans.. you could make the argument that dmz stuff doesn't even have access to your local dns.. Why would dmz need to initiate traffic to any of your local stuff... Local stuff to dmz sure.. If you're going to run some service it needs access to - think about putting that resource in the dmz as well. Or yeah a pinhole into another isolated vlan for say sql access or something.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            C 2 Replies Last reply Reply Quote 0
            • C Offline
              coatmaker618 @johnpoz
              last edited by coatmaker618

              @johnpoz my bad, I meant ssh FROM LAN to DMZ.

              My network will eventually have several DMZ, and sure, some of them will have limited connectivity (eg: access a database over SQL or mounted drives from a NAS)--but no. The goal is to have LAN be the only "trusted" network, so the only source for ssh (or RDP, or VNC, or whatever, for debugging).

              And certainly no DMZ will be able to reach INTO the LAN!

              1 Reply Last reply Reply Quote 0
              • C Offline
                coatmaker618 @johnpoz
                last edited by

                @johnpoz I've tried not allowing DNS for DMZ, but I find that web access & DNS is essential for updating services. Anything exposed to the web, be it Linux or a web service, should be kept up to date, no?

                How do you keep OSes & services & such up to date on your DMZ without DNS? If there's a good approach, I may use this myself!

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @coatmaker618
                  last edited by

                  well you would have to point to dns, just external like googledns, or cloudflare.. I am talking about internal dns so if the box was compromised they wouldn't even be able to resolve your internal hosts on other vlans, and couldn't take down your local dns..

                  C 1 Reply Last reply Reply Quote 0
                  • C Offline
                    coatmaker618 @johnpoz
                    last edited by

                    @johnpoz OH!

                    I gotcha! That's an interesting approach, you just have PFSense forward the DNS? I've never played around with that.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @coatmaker618
                      last edited by johnpoz

                      No not forward.. You would set say 8.8.8.8 for dns on the device in the dmz, and just allow that.. And block it from even talking to pfsense IP on 53..

                      If your box in the dmz cannot talk to anything on the rest of your network on its own - why would it need to resolve any of your local stuff by name ;)

                      C 1 Reply Last reply Reply Quote 0
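The DMZ egress policy johnpoz describes (external resolver only, no port 53 to the pfSense address, no initiating into other VLANs, internet otherwise allowed) as an added first-match evaluator; this is an illustration written for this thread, not pfSense's own rule syntax or code, and the DMZ subnet 192.168.50.0/24, the pfSense DMZ address 192.168.50.1 and the sample destinations are constructed.

```python
"""First-match evaluation of the DMZ policy discussed above (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# RFC1918 space stands in for "the rest of the local network".
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "udp", "tcp" or "any"
    dst: str             # CIDR, "private" (all RFC1918 space) or "any"
    dport: Optional[int]  # None matches every port
    note: str


def _dst_matches(rule: Rule, dst: str) -> bool:
    addr = ip_address(dst)
    if rule.dst == "any":
        return True
    if rule.dst == "private":
        return any(addr in n for n in PRIVATE)
    return addr in ip_network(rule.dst)


# Ordered the way pfSense evaluates interface rules: first match wins.
# Addresses below are constructed for the example.
DMZ_RULES: List[Rule] = [
    Rule("block", "any", "192.168.50.1/32", 53, "no DNS via pfSense, internal names stay hidden"),
    Rule("pass", "udp", "8.8.8.8/32", 53, "the one external resolver configured on the host"),
    Rule("pass", "tcp", "8.8.8.8/32", 53, "same resolver, TCP fallback for large answers"),
    Rule("block", "any", "any", 53, "no other resolvers"),
    Rule("block", "any", "private", None, "DMZ never initiates into LAN or other VLANs"),
    Rule("pass", "any", "any", None, "internet access so packages can be updated"),
]


def evaluate(rules: List[Rule], proto: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return (action, note) of the first rule matching a flow from the DMZ."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if not _dst_matches(r, dst):
            continue
        return r.action, r.note
    return "block", "implicit default deny"
```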
                      • C Offline
                        coatmaker618 @johnpoz
                        last edited by

                        @johnpoz gotcha, that makes sense! Interesting point :)

                        1 Reply Last reply Reply Quote 0
                        • C Offline
                          coatmaker618
                          last edited by

                          ok, can someone remind me how to change the name of the topic...since I'm writing it off as solved at this point.

                          1. It seems PFSense is indeed passing the communication along
                          2. So it's an issue with the host having multiple active interfaces. The answer seems to be "stop it" 👿
                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator @coatmaker618
                            last edited by johnpoz

                            just edit your first post, and you should be able to edit it and even add tag as solved

                            edit.png

                            If need be I can do it for you.

                            C 1 Reply Last reply Reply Quote 1
                            • C Offline
                              coatmaker618 @johnpoz
                              last edited by

                              @johnpoz Got it, thanks :)

                              1 Reply Last reply Reply Quote 0
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.