Firewall with WAN/LAN/DMZ Setup



  • Hi,

    I am looking to see what the best way to set up an AP in the DMZ is.  Currently I have the following configured.

    eth0->WAN->Public IP
    eth1->LAN->192.168.1.0/24
    opt1->DMZ->192.168.2.0/24

    On the LAN subnet I have their gateway and DNS set to 192.168.1.1, which is the IP of eth1.  Everything works fine.
    On the DMZ subnet I have their gateway and DNS set to 192.168.2.1, which is the IP of opt1.  No internet at the moment.

    Hanging off opt1 is a DD-WRT router acting as an AP. On the AP the gateway and DNS are 192.168.2.1.

    What I would like to do is have guest wireless and Xbox consoles in the DMZ connecting via wireless to the AP so they are not connected on the LAN.
    Any other information needed can be provided, and suggestions on the best way to achieve this are welcome.  Everything seems to be working as expected except there is no internet when a wireless guest joins, which is sitting in the DMZ.

    Regards,

    Kevin


  • Rebel Alliance Global Moderator

    And what rules did you create on your DMZ?  Out of the box pfSense creates an any-any rule on LAN for the user.  But when you create a new interface you have to create the rules you want, or no internet will be possible, since the default block would block all traffic from the DMZ to anywhere.

    DHCP will work on this interface if you enable it, since when you enable DHCP on pfSense it creates hidden rules for DHCP to work.  But other traffic would be blocked.  Create a block rule on DMZ to your LAN net, then create an any-any rule under it; that would be the simplest setup.



  • On the DMZ rules I created from top down.

    • reject dmz to lan
    • allow dmz any to any ipv4
    • allow dmz any to any ipv6

    DHCP is enabled and handed out the correct Network Info based on the settings.

    I could try to create an any<->any for testing purposes like you said, for simplicity.  One other question: do I set my gateway/DNS to 192.168.2.1 (the IP of opt1) on the Linksys AP?

    It has been a long time since I installed a dd-wrt so I was thinking that might be part of the problem.

    Thanks,

    Kevin


  • Rebel Alliance Global Moderator

    "Do I set my gateway/DNS to 192.168.2.1 (the IP of opt1) on the Linksys AP?"

    Yes, you would set the gateway on the DD-WRT LAN to your pfSense DMZ IP.    But I have a feeling you're not really using your router as an AP.  The only reason you would need to set the gateway on the DD-WRT LAN interface would be for the router itself to have internet, or for you to be able to access its GUI from your LAN.

    The AP gateway has zero to do with your clients' access if it is being used as an actual AP.  Any wifi router, whether running DD-WRT or not, can be used as just an AP.

    Connect it to the network via one of its LAN ports, turn off its DHCP = AP.

    You only need to give its LAN an IP on this network for access to its web GUI to configure its wifi.  Your clients should be getting DHCP from the pfSense DMZ DHCP server.  They would get an IP in that range, and point to pfSense for gateway and DNS in a default configuration.

    If you're not using your DD-WRT LAN port to connect it, that is most likely your problem.  Now DD-WRT does have an AP mode where it can bridge the WAN port on the router into the LAN, but unless you are really, really short on physical ports, it's just best and easier to use a LAN port on the wifi router you want to use as an AP.  You will also want to make sure you're not using any sort of guest mode or isolation mode on the AP that would prevent access to the LAN network.

    If you want to use more than one wifi network, where you actually have a guest network, then you would need a VLAN-capable AP.  And if you are going to connect this AP through a switch, then your switch would need to have VLAN support as well.

    But for just a dumb AP that connects to your DMZ, sure, any wifi router can be used with the simple setup: LAN port, turn off its DHCP, set the router's LAN IP to be in the address space you are going to be using.



  • Thanks Johnpoz!

    Ok, the gateway/dns was left blank by default.

    It's connected to one of the lan ports currently.

    DHCP is handed out by pfsense currently.

    I have it connected through a regular patch cable from the lan port to the dmz port on pfsense.

    I just went through some dd-wrt docs and noticed there were a few options I missed also.

    I'll check when I get home.  I thought it should be really simple setup also so that's why I was a little stumped why it wasn't working.

    Thanks,

    Kevin



    Looks like everything was correct except for one thing on the pfSense NAT/Outbound rules.  Since I had done manual outbound NAT, I had to create a rule for DMZ->WAN, and that did the trick.

    Thanks for the help.

    Kevin
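
    The two things this thread turned on, the order of the DMZ interface rules and the missing outbound NAT entry for the DMZ, are easier to see written out as a pf ruleset.  The following is an added example, not text from the thread and not the ruleset pfSense generates from the GUI; the interface names em0/em1/em2 are assumptions standing in for WAN, LAN and opt1, and it covers IPv4 only.

    ```pf
    # Interface and network macros (assumed names; pfSense labels them WAN/LAN/OPT1)
    wan_if  = "em0"
    lan_if  = "em1"
    dmz_if  = "em2"
    lan_net = "192.168.1.0/24"
    dmz_net = "192.168.2.0/24"

    # --- Outbound NAT (translation rules must precede filter rules in pf.conf) ---
    # Automatic outbound NAT in pfSense emits one translation per internal network.
    # In manual mode the DMZ line below is the one that was missing in the thread:
    # without it, DMZ packets leave WAN with a 192.168.2.x source address, replies
    # never come back, and the guest wifi looks like it has "no internet".
    nat on $wan_if inet from $lan_net to any -> ($wan_if)
    nat on $wan_if inet from $dmz_net to any -> ($wan_if)

    # --- Default policy: anything not explicitly passed is dropped ---
    block in log all

    # --- LAN: the out-of-the-box any-any rule pfSense creates ---
    pass in quick on $lan_if inet from $lan_net to any keep state

    # --- DMZ: "quick" rules are first-match, so the order below is the point ---
    # 1. DHCP client -> server traffic. pfSense adds this hidden rule itself when
    #    DHCP is enabled on the interface; it is written out here for clarity.
    pass in quick on $dmz_if inet proto udp from any port 68 to any port 67
    # 2. Reject DMZ -> LAN *before* the permit-all rule. "block return" answers
    #    with a TCP RST or ICMP unreachable, matching the thread's "reject" action.
    #    Placed after the pass-any rule it would never match.
    block return in quick on $dmz_if inet from $dmz_net to $lan_net
    # 3. Everything else from the DMZ: internet, and DNS to the firewall's own
    #    DMZ address 192.168.2.1.
    pass in quick on $dmz_if inet from $dmz_net to any keep state
    ```

    Note that rule 3 also admits DMZ hosts to the firewall's own DMZ address on any port, not just DNS; that is not something the thread discusses, but on a guest network a practitioner would usually add a rule limiting traffic to 192.168.2.1 to DNS (and DHCP) ahead of it.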


  • Rebel Alliance Global Moderator

    Well, why would you not just leave it on auto??  Then you would never have had to look at it.



  • Exactly the question I asked myself last night.  Not sure why the video wanted to go from auto to manual that I watched, but I'll know next time!

    Kevin