Simple DMZ routing issue

  • Basic setup… WAN is Internet routable, LAN is a routable DMZ and OPT1 is a non-routable subnet.

    OPT1 can easily hit the internet
    LAN can hit the internet, and the internet can hit it
    OPT1 cannot do anything to the LAN subnet, not even ping the GW
    OPT1 can ping to the WAN subnet

    Am I missing a NAT rule... when I sniff on the LAN port I don't see anything coming from the OPT1 subnet.

    Thanks in advance.

  • Open the LAN interface for the OPT1, so that you can ping from OPT1 to LAN but not the other way round.

  • I already have that done. In the LAN rules I have a rule for source OPT1-net to any with logging enabled.

    What is weird is that there are NO drop or reject messages in the firewall log, though I do see the traffic being allowed out from the OPT1 interface.

    When sniffing I never see the traffic on the LAN interface. It's almost like the traffic isn't being routed. All boxes use the firewall as the gateway, so I would expect to see something. It's almost like I am missing a setting that would allow routing. I am not blocking RFC 1918 addresses.

  • I figured it out… reboot the firewall!
  • Perfect. I am happy to hear that.  ;)