Multi Wan issues with DMZ



  • Hi;
    I have put pfsense on a server hardware with 4 NICs. 
    LAN = 192.168.1.x / 32
    WAN = 74.x.x.64/27
    WAN2 = 74.x.x.176/29
    DMZ=192.168.25.x/24

    The LAN side actually connect to a cisco router that sits between LAN and Firewall. The actual Lan ip address 10.1.1.x/24 and 10.1.2.x/24.

    Everything is working fine, I have 1to1 Nat setup for mail server and my web server.  The mail servers are in LAN and Web server are in DMZ.  Everything is good on the LAN side. The servers on the DMZ have Nat 1to1 from the pool 74.8.3.64/27 address.  I can hit the webserver and all the websites hosted on the webserver just fine FROM OUTSIDE OF MY NETWORK.  But from within the LAN to DMZ I can not access the web server, can not browse the web sites.

    I did add rule on the LAN to allow Lan subnet access to DMZ subnet but I still was not able to access DMZ.  When I try to ping the DMZ interface (192.168.25.1) from the LAN side I get message from one of my ISP routers stating that host is unreachable.

    Any suggestions?  I can get you more info if you need.  I looked high and low and followed every suggestion but could not get this resolved.



  • Some general info.
    @http://forum.pfsense.org/index.php/topic:

    1:1 NAT is bidirectional.
    Meaning traffic originating from the Computer that is 1:1 NATed will appear as if from the external IP used in the 1:1 NAT mapping.

    NAT-Reflection does not work with 1:1 NAT
    http://forum.pfsense.org/index.php?topic=7266.msg41244
    quote:
    You most likely need to setup split dns or add a port forward on top of the 1:1 nat to invoke reflection.  Reflection by default does not work with 1:1 nat's.    So your most likely resolving the public IP address which will not forward back across to the 1:1 server.

    How to set up split-DNS with the DNS-forwarder in pfSense:
    http://forum.pfsense.org/index.php/topic,9440.0.html

    http://doc.m0n0.ch/handbook-single/#id11641814



  • I guess if I could get some sort of response from DMZ while sitting is on the LAN then I could address the DNS issue.  Let me draw out what I have:

    |ISP 1|                                |ISP 2|
             \                                         /
          74.x.x.64 /27                     74.x.x.176 /29
                \                                    /
                 –------------------------
                |        pfsense                  |-------DMZ---192.168.25.1/24
                ---------------------------
                              |
                          LAN 192.168.1.1/32
                              |
                ---------------------------
                |     Cisco Router (PBR)      |
                 --------------------------
                  |                            |
             10.1.1.x/24              10.1.2.x/24

    I am not using the dual wan in load balance instead using it as policy based routing.  10.1.1.x goes over ISP1 and 10.1.2.x goes over ISP2.

    Originally I was doing 1to1 NAT external IP to Internal ip address, I have been told that this config will not work in PFSense world so now I am just doing port forwarding instead.  Nat-Reflection is enabled.   I am open to suggestion as to what might be the best method to get this work as long as my network stays secure.  I would just need little bit of instructions with the suggestion.

    From the 10.1.x network I can not ping the 192.168.25.1 interface.  But if I login to Cisco router and ping from the 192.16.1.x interface I can ping 192.168.25.1 interface without any problems.  And from the cisco router I do extended ping using the 10.1. network the pings fail.  I seem to be have some sort of route issues here.  I am able to pass traffic to the internet just fine and I have some mail servers on the LAN (10.1.1.x and 10.1.2.x) network and they both are working fine.  So what is the deal here.

    Here is my packet capture my internal ip address trying to ping dmz (10.1.1.18 -> 192.168.25.42)

    23:16:43.843038 IP 10.1.1.18 > 192.168.25.42: ICMP echo request, id 512, seq 27192, length 40
    23:16:43.850659 IP 63.138.148.245 > 10.1.1.18: ICMP host 192.168.25.42 unreachable, length 36

    Seems like PFSense does not know that it needs to send this out DMZ interface.

    UPDATE**
    I  opened all port on the DMZ to LAN for moment just for testing and I was able to ping from DMZ to one of the host on the LAN network.  When I am connected from outside via OpenVPN I can ping the web server on DMZ.  But I still can't ping the DMZ from LAN, when I do tracert from windows machine on the LAN I see that it hit my Cisco router (lan gateway) then it hits the external (WAN1) interface then it hits the ISPs router and tell me that the host is unreachable.

    This is a really weird problem or there might be a check box that I might be missing.



  • Having a similar issue but only with DNS traffic.  NAT reflection is working fine for other ports (TCP) that are NAT'd into the DMZ, just not UDP port 53.  Have set rules to allow traffic in all directions internally and can ping in all directions against all interfaces of the FW, clients and hosts.
      Assuming it's either a UDP-specific issue or relating to DNS settings.  All DNS forwarders etc are disabled, only DNS services of any kind are on the servers in the DMZ and they're working if the LAN connects directly to the DMZ IP and also if connecting from the outside via regular port NAT.  Only the NAT reflection isn't working.
      (Split DNS unfortunately isn't really an option for various other reasons.)
      Anybody have DNS working via NAT reflection?


Log in to reply