Simple DMZ, cannot lookup DNS

  • Hey,

    I got my pfSense working and I have a LAN, WAN and DMZ interface.
    The LAN should be able to SSH to the DMZ, but not the other way around.
    The DMZ should be able to connect to the Internet, but not to the LAN.

    The idea behind that is that a web server will be in the DMZ later on, and I should be able to connect from the Internet to the web server, but not to the LAN.
    The LAN should be separated, and safe from the Internet and the DMZ.

    I can connect from LAN to DMZ.
    I can ping IP addresses on the Internet from the DMZ, but I can't look up google.com, for example.
    From a machine inside the DMZ:

    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=60 time=15.4 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=60 time=14.9 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=60 time=14.8 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=60 time=15.3 ms
    64 bytes from 8.8.8.8: icmp_seq=5 ttl=60 time=15.0 ms
    

    ping google.com doesn't work, no answer.

    How do I have to set/change my rules?
    Rules are attached.

    Edit:
    DMZ subnet is 192.168.3.1/24
    LAN is 192.168.1.1/24

    Machine inside DMZ:
    IP 192.168.3.117
    Gateway 192.168.3.1
    DNS 192.168.3.1
    Subnet mask 255.255.255.0

    ![DMZ rules.png](/public/imported_attachments/1/DMZ rules.png)
    ![LAN rules.png](/public/imported_attachments/1/LAN rules.png)



  • I sorted it out myself.
    I had to add a rule to DMZ and allow UDP traffic to port 53 (DNS) from the DMZ to 192.168.1.1 (DNS server).
    Is this the best way to do it? Right? Is this safe?



  • The best way is to configure the DNS Resolver or Forwarder to also listen on the DMZ interface, and add a rule to DMZ to allow access to the interface address (destination = This Firewall).


  • LAYER 8 Global Moderator

    Since DNS mostly uses UDP, then yes, you need to allow that on port 53, to wherever you might have a device pointing for DNS. You should also allow TCP for 53, since it is possible for DNS to require the use of TCP.
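To make the rule-order point concrete, here is an added example (not from the thread or from pfSense) that models the DMZ interface tab as a first-match list, using the thread's addresses: DMZ 192.168.3.0/24, LAN 192.168.1.0/24, firewall addresses 192.168.3.1 and 192.168.1.1. It covers the DNS rules from the two replies above (UDP and TCP 53 to "This Firewall") and shows why the block-to-LAN rule must sit before the allow-anything rule.

```python
"""First-match model of a pfSense DMZ interface rule set (added example, not pfSense code).

Rules on an interface tab apply to traffic ENTERING the firewall on that interface,
so these rules only see packets sent by DMZ hosts; replies are handled by state.
"""
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.168.3.0/24")          # from the thread
LAN_NET = ip_network("192.168.1.0/24")          # from the thread
# "This Firewall" in pfSense matches every interface address of the box.
THIS_FIREWALL = {ip_address("192.168.3.1"), ip_address("192.168.1.1")}

# (action, proto, src, dst, dport) -- evaluated top to bottom, first match wins.
DMZ_RULES = [
    ("pass",  "udp", DMZ_NET, "this_firewall", 53),    # DNS resolver listening on DMZ
    ("pass",  "tcp", DMZ_NET, "this_firewall", 53),    # DNS over TCP (truncated answers)
    ("block", "any", DMZ_NET, LAN_NET,         "any"), # DMZ must never initiate to LAN
    ("pass",  "any", DMZ_NET, "any",           "any"), # everything else (the Internet)
]

def _dst_match(rule_dst, dst):
    if rule_dst == "any":
        return True
    if rule_dst == "this_firewall":
        return dst in THIS_FIREWALL
    return dst in rule_dst

def decide(rules, proto, src, dst, dport=None):
    """Action of the first matching rule; no match means pfSense's implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto != "any" and r_proto != proto:
            continue
        if src not in r_src or not _dst_match(r_dst, dst):
            continue
        if r_port != "any" and r_port != dport:
            continue
        return action
    return "block"

def misordered():
    """Same rules, but with the block-to-LAN rule placed after the allow-anything rule."""
    return DMZ_RULES[:2] + DMZ_RULES[3:] + DMZ_RULES[2:3]

if __name__ == "__main__":
    host = "192.168.3.117"  # the poster's DMZ machine
    print(decide(DMZ_RULES, "udp", host, "192.168.3.1", 53))   # pass: DNS to the firewall
    print(decide(DMZ_RULES, "tcp", host, "192.168.1.50", 22))  # block: SSH into the LAN
    print(decide(misordered(), "tcp", host, "192.168.1.50", 22))  # pass: LAN exposed!
```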

