Can't get LAN to talk to DMZ



  • Hello, all.

    We are fairly new to pfSense (although we know Cisco very well). We have a pfSense box set up with a WAN, LAN and DMZ port. All interfaces can get to the Internet without issue.

    The problem is the LAN cannot get to the DMZ hosts. I have the following rules set:

    LAN: allow any any gateway
    LAN: allow management access (generated rule)
    DMZ: allow any any (except LAN) gateway

    I have tried adding specific rules to allow the LAN to DMZ on the LAN interface and the DMZ interface. Nothing seems to work. My logs show my traffic hitting the pfSense box but not passing through. I am able to ping the DMZ host from the pfSense box.

    Please help as I am in the middle of deploying this for a customer of ours.

    Thank you



  • Post a screenshot of your LAN rules.  Default LAN rule allows any access for all clients.  Unless you changed the default LAN rule, all LAN clients should be completely unfettered.  Are the DMZ hosts Windows boxes?  Do they have their firewalls enabled that will reject out-of-subnet traffic?



  • I still have the default rules in place. See attached.






  • You did alter the default LAN rule to set a specific gateway.  Having multiple gateways is the kind of stuff that's important to know beforehand when troubleshooting.  Why do you have multiple gateways?  Can you hack up a quickie network diagram?  This smells like an asymmetrical routing problem.



  • Oops. You are correct. We did add the gateway because we needed Internet fail-over using gateway groups.




  • Where exactly is pfSense in the mix?  You appear to have a firewall and two routers between all the networks.  What's what?  What happens if you change your default LAN rule to not specify a gateway and just let it use its default?


  • 

    LAN: allow any any gateway

    If you're pointing to a specific gateway, you have to make sure rules that allow the access you want are above the rule that sends you down a gateway.

    So if you have LAN any any going down a gateway, and you want LAN to be able to get to DMZ, then above the rule that sends it to the gateway put a rule with dest DMZ that doesn't set a gateway.
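
The ordering point above, as an added example (not code from the thread or from pfSense): a small model of how pfSense evaluates LAN rules. pfSense writes every GUI rule into pf with the `quick` keyword, so on each interface the first matching rule wins, and a rule with a gateway or gateway group selected is generated as a `route-to` rule. The interface names, addresses and the gateway group name `WAN_FAILOVER` are constructed for this example.

```python
"""Added example: first-match ('quick') evaluation of pfSense LAN rules.

pfSense writes every GUI firewall rule into pf with the 'quick' keyword, so
on each interface the first matching rule wins.  A LAN rule that has a
gateway (or gateway group) selected is generated as a 'route-to' rule, and
every packet it matches is handed to that gateway, including packets whose
destination is the DMZ and should never leave through a WAN.  The fix is a
plain pass rule (no gateway) for destination DMZ placed above the
policy-routing rule.

Interface names, addresses and the gateway group name below are constructed
for this example; they are not from the original thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address
from typing import List, Optional

LAN_NET = IPv4Network("192.168.1.0/24")   # constructed
DMZ_NET = IPv4Network("192.168.50.0/24")  # constructed


@dataclass(frozen=True)
class Rule:
    """Simplified 'pass in quick on <iface>' rule as pfSense generates it."""
    iface: str
    src: IPv4Network
    dst: Optional[IPv4Network]       # None means 'any'
    gateway: Optional[str] = None    # set => pf 'route-to' policy routing
    label: str = ""

    def matches(self, iface: str, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.iface == iface and src in self.src
                and (self.dst is None or dst in self.dst))

    def to_pf(self) -> str:
        """Approximate pf.conf rendering, for comparing with 'pfctl -sr'."""
        route = f" route-to {self.gateway}" if self.gateway else ""
        dst = "any" if self.dst is None else str(self.dst)
        return (f"pass in quick on {self.iface}{route} inet "
                f"from {self.src} to {dst} keep state label \"{self.label}\"")


def first_match(rules: List[Rule], iface: str, src: str, dst: str) -> Optional[Rule]:
    """All rules carry 'quick', so evaluation stops at the first match."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(iface, s, d):
            return rule
    return None          # no match: pfSense's default deny applies


def decision(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """'pass', 'route-to <gw>' or 'block' for one packet against a ruleset."""
    rule = first_match(rules, iface, src, dst)
    if rule is None:
        return "block"
    return f"route-to {rule.gateway}" if rule.gateway else "pass"


# The thread's LAN rule: allow any -> any with a gateway group for failover.
LAN_ANY_VIA_GROUP = Rule("lan", LAN_NET, None, gateway="WAN_FAILOVER",
                         label="LAN any any (gateway group)")
# The fix: pass LAN -> DMZ with NO gateway, placed above the policy-routing rule.
LAN_TO_DMZ = Rule("lan", LAN_NET, DMZ_NET, label="LAN to DMZ, no gateway")

BROKEN_ORDER = [LAN_ANY_VIA_GROUP]                # gateway rule catches DMZ traffic
FIXED_ORDER = [LAN_TO_DMZ, LAN_ANY_VIA_GROUP]     # DMZ rule wins first
WRONG_ORDER = [LAN_ANY_VIA_GROUP, LAN_TO_DMZ]     # DMZ rule is never reached


def demo() -> dict:
    """Evaluate a LAN->DMZ and a LAN->Internet packet against each ordering."""
    packet_dmz = ("lan", "192.168.1.10", "192.168.50.5")
    packet_inet = ("lan", "192.168.1.10", "198.51.100.7")
    return {
        name: {"to_dmz": decision(rules, *packet_dmz),
               "to_inet": decision(rules, *packet_inet)}
        for name, rules in (("broken", BROKEN_ORDER),
                            ("wrong_order", WRONG_ORDER),
                            ("fixed", FIXED_ORDER))
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
    print("\nGenerated rule order (fixed):")
    for r in FIXED_ORDER:
        print("  " + r.to_pf())
```

Only the `fixed` ordering passes the LAN-to-DMZ packet normally while still policy-routing Internet traffic through the gateway group; with the DMZ rule below the gateway rule it is never reached. On a real box the generated order can be checked with `pfctl -sr` or in `/tmp/rules.debug`; the reply traffic from the DMZ is covered by the state the pass rule creates, so no extra DMZ-side rule is needed for it.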



  • @KOM:

    Where exactly is pfSense in the mix?  You appear to have a firewall and two routers between all the networks.  What's what?  What happens if you change your default LAN rule to not specify a gateway and just let it use its default?

    Thank you for taking the time to look at this.

    The pfSense is the firewall icon. The icons between the pfSense and the Internet cloud are the modems.

    I have tried this without the default gateway set and still it does not work.



  • @johnpoz:

    LAN: allow any any gateway

    If you're pointing to a specific gateway, you have to make sure rules that allow the access you want are above the rule that sends you down a gateway.

    So if you have LAN any any going down a gateway, and you want LAN to be able to get to DMZ, then above the rule that sends it to the gateway put a rule with dest DMZ that doesn't set a gateway.

    Could I be specifying the rule incorrectly? I do have a rule (without a GW) above the global rule.




  • I don't think you should be specifying a gateway since that LAN-DMZ traffic won't be going out either of them ever.  I asked this once already without reply: What kind of boxes are in the DMZ that fail to respond to ping?  Are they Windows boxes?



  • To all who have helped.

    I just upgraded my system from 2.3.2 to 2.3.2_1 and now it seems to be working. Must have been a bug.



  • Gah!  I hate those!!

    Glad you got it working.


  • 

    "Must have been a bug."

    Rolleyes!!!  Yeah, must have been… The tens of thousands of installs that were running 2.3.2, and probably still thousands like you that for some reason didn't update on install, have a bug that doesn't allow traffic flow between segments..

    From this post I would say it's working.. You have active states and traffic..




  • Well, in my experience here I have seen many, many cases where something that should work doesn't work no matter what you do… until you upgrade, reboot or reinstall (if it's a package.)

