[SOLVED] Access from LAN to DMZ(OPT1)
-
Hello,
I'm new to pfsense.
My setup:WAN IGB0
LAN IGB1 192.168.1.1
DMZ IGB2 192.168.3.1Computer on LAN 192.168.1.115
Webserver on DMZ 192.168.3.5Big picture: I want to setup a webserver on a DMZ, so I can access it from outside of my LAN.
To setup the webserver I want to be able to access it from my LAN. How do I setup the firewall that I can access the webserver in the DMZ from my LAN?Firewall rules:
DMZ: Allow Ipv4 Source: LAN net Dest: DMZ net
LAN: Default Lan to any ruleI can't ping the webserver, the firewall is somehow denying access. What rules do I have to modify or add?
Best regards
theboda -
I'd do something like I've attached, I basically allow anything out my DMZ and block access from the DMZ to my local subnet.
You also need to set up NAT to NAT http & https to your internal IP address on the DMZ.
You may not need rule 2 - 4.
If you do a packet capture on the DMZ interface do you see ICMP packets comming from the LAN, it could be a firewall on the web server.
You should see something like this :-
15:44:05.697736 IP 172.16.2.20 > 172.16.5.2: ICMP echo request, id 7175, seq 0, length 64
15:44:05.698355 IP 172.16.5.2 > 172.16.2.20: ICMP echo reply, id 7175, seq 0, length 64
15:44:06.698167 IP 172.16.2.20 > 172.16.5.2: ICMP echo request, id 7175, seq 1, length 64
15:44:06.698834 IP 172.16.5.2 > 172.16.2.20: ICMP echo reply, id 7175, seq 1, length 64If you just see requests its an issue with the web server.
Post a screenshot of your rules.
-
The ping works:
16:51:43.813322 IP 192.168.3.117 > 192.168.3.1: ICMP echo reply, id 63308, seq 4024, length 64
16:51:44.816006 IP 192.168.3.1 > 192.168.3.117: ICMP echo request, id 63308, seq 4025, length 64
16:51:44.816445 IP 192.168.3.117 > 192.168.3.1: ICMP echo reply, id 63308, seq 4025, length 64
16:51:45.816249 IP 192.168.3.1 > 192.168.3.117: ICMP echo request, id 63308, seq 4026, length 64I always get an answer, the answer just doesn't get back.
Is the Test net your DMZ?
So this is a screenshot of your LAN tab?
-
I always get an answer, the answer just doesn't get back.
Is the Test net your DMZ?
So this is a screenshot of your LAN tab?The TEST net is actually just an interface I set up so I could post firewall rules without using the inverse match, it confuses people and some people say don't use the inverse match as it's prone to issues.
Is that your DMZ rule you've posted ?
-
The TEST net is actually just an interface I set up so I could post firewall rules without using the inverse match, it confuses people and some people say don't use the inverse match as it's prone to issues.
Is that your DMZ rule you've posted ?
Yes it is.
Okay I'll try to copy your setup. -
These are my DMZ settings now.
Should work.. But I still can't ping my webserver in the DMZ
-
Post your lan rules.
What's your LAN doing as a source on the DMZ interface !
pfSense is stateful.
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://en.wikipedia.org/wiki/Stateful_firewall
-
The LAN rules are just the standard ones.
-
You would need zero rules on the dmz interface for something from lan with the default any any to get there.
If your not able to ping the dmz device even. Points to firewall on the dmz device if you ask me. Do a simple sniff on the dmz interface on pfsense.. ping from your lan to your dmz IP. Do you see the icmp go to the dmz IP you pinged.. If so pfsense did its job and the box not answering has nothing to do with pfsense.
-
Ok I deleted all rules for the DMZ interface.
Left the LAN interface with the default rules.
Tried to ping the device in the DMZ, did a packet capture on the DMZ interface –> got no output at all. -
Is your device on lan using pfsense as gateway? Can you ping the dmz interface IP of pfsense?
Did you maybe set a /32 mask on the pfsense dmz IP vs say /24?
-
Yes my lan device has the gateway 192.168.1.1 which is the LAN gateway of the pfsense.
Tried to ping 192.168.3.1, but can't ping the dmz interface either.ping 192.168.3.1 PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data. From 192.168.1.105 icmp_seq=1 Destination Host Unreachable -
well if you can not ping the dmz IP of pfsense from lan - then your never going to get to a device on the dmz. Ae you using a vpn client on pfsense and sending all traffic out the vpn?
Did you set a /32 on the dmz IP?
Are you using a vpn client on the lan device?
Post up the interface settings of your lan and dmz in pfsense. This really is clickity clickity worky sort of stuff.
Did you put some rule in your floating tab that would be blocking it?
-
No vpns at all on the systems.
The dmz IP is set on a /32
 -
Why would you be getting back that from .105? pfsense lan IP was .1 you stated.
LAN IGB1 192.168.1.1
Do you have some host routes setup on this lan box?
you sure your lan mask is /24 and not maybe say /22 or larger? Is this lan device windows box? If so post output of ipconfig /all and route print.
-
your /32 is BROKEN… Set that to /24 how it normally would be..
-
Set it to /24, still not working.
The laptop is a linux machine.
I don't have host routes set up, not that I know of. -
well do a netstat -nr on it..
So you can see your routes… This will also validate what mask you have... When you ping you an IP on a different network you sure shouldn't be getting back from a different host
From 192.168.1.105 icmp_seq=1 Destination Host Unreachable
On your own network that is not your gateway that it can not get there.
-
here is my netstat output
-
your mask is /16 so 192.168.3 is on the same network… So no never going to sent traffic to pfsense to get there.