• Hi forum
    I have a CentOS webserver in the DMZ.
    pfSense has a DMZ firewall rule to allow IPv4+6 * protocol to WAN net.
    When trying to update CentOS using yum update, I get the following error:

    # yum update
    Loaded plugins: fastestmirror
    Setting up Update Process
    Loading mirror speeds from cached hostfile
    Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=6&arch=x86_64&repo=os&infra=stock error was
    14: PYCURL ERROR 7 - "Failed to connect to 2604:1380:1001:6c00::1: Network is unreachable"
    Error: Cannot find a valid baseurl for repo: base

    I can ping mirrorlist.centos.org from the server in the DMZ.
    I can yum update from server/s in the LAN.
    Is there something else I need to do in pfSense to enable updates from server/s in the DMZ?
    Or perhaps there's a problem with the CentOS mirrorlist that will resolve itself with time?

    Thanks for any tips or clues.


  • Hi,

    Observe your LAN firewall rules.
    Make sure you have identical rules on your DMZ interface.
    You'll somewhat break your DMZ concept, but ... you'll have access to the Internet from the DMZ network.
    From there, start restricting your DMZ rules, step by step.

    @bgroper said in yum update from DMZ ?:

    pfSense has DMZ firewall rule to allow IPv4+6 * protocol to WAN net

    That's not clear at all.
    One simple check somewhere that you didn't mention could "make it or break it".

    This:

    to WAN net

    That's what you have as a destination?
    I advise you strongly to look up what WAN net actually is (nope, it's not what you think it is ;) )

    These are my final 4 rules for something that could be a DMZ zone:


    1. I don't want Portal visitors to 'do things' with my WAN network (as you figured out by now, that's my WAN network, which isn't equivalent to 'The Internet').
    2. Neither have access to my LAN network.
    3. Nor the OPENVPN network.
    4. Still here? Then ok, go ...

  • "WAN net" is the local subnet of the WAN interface, not the entire Internet.

    Thank you all for your replies but this is the one that really answered my question. I had wrongly assumed that packets passed to the WAN interface would be routed out to the internet.
    See
    https://forum.netgate.com/topic/70611/permit-traffic-from-opt1-net-to-wan-net-wan-net-in-rule-not-working
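To make the "WAN net is not the Internet" point concrete, here is an added example (not from the thread or from pfSense itself) that simulates first-match, top-down rule evaluation the way pfSense processes an interface's rules. The subnets are constructed placeholders; the mirror address is the one from the yum error above. It shows that the original "pass to WAN net" rule never matches a public mirror, while the four-rule set from the reply (block WAN net, LAN net, OpenVPN net, then pass any) does, while still keeping the DMZ away from the internal networks.

```python
import ipaddress

# Constructed sample addressing (assumptions for this example, not the poster's real networks).
WAN_NET = ipaddress.ip_network("203.0.113.0/24")      # "WAN net": the WAN interface's own subnet only
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPENVPN_NET = ipaddress.ip_network("10.8.0.0/24")

ANY = "any"  # destination "any" in the pfSense rule editor

# A rule is (action, destination); destination is ANY or an ip_network object.
# pfSense evaluates interface rules top-down and the first matching rule wins.
ORIGINAL_DMZ_RULES = [
    ("pass", WAN_NET),          # what the original poster had: pass * to "WAN net"
]

HARDENED_DMZ_RULES = [
    ("block", WAN_NET),         # 1. keep DMZ hosts off the WAN subnet itself
    ("block", LAN_NET),         # 2. no access to the LAN
    ("block", OPENVPN_NET),     # 3. no access to the OpenVPN network
    ("pass", ANY),              # 4. "still here? then ok, go": everything else (the Internet)
]


def destination_matches(dest, dst_ip):
    """True if dst_ip falls inside the rule's destination (ANY matches everything)."""
    if dest == ANY:
        return True
    # An IPv6 destination can never be inside an IPv4 subnet (and vice versa).
    if dest.version != dst_ip.version:
        return False
    return dst_ip in dest


def evaluate(rules, dst):
    """Return the action of the first matching rule; no match is pfSense's implicit default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for action, dest in rules:
        if destination_matches(dest, dst_ip):
            return action
    return "block"


if __name__ == "__main__":
    mirror = "2604:1380:1001:6c00::1"   # the CentOS mirror from the PYCURL error
    for name, rules in (("original", ORIGINAL_DMZ_RULES), ("hardened", HARDENED_DMZ_RULES)):
        print(f"{name:8s} DMZ -> {mirror}: {evaluate(rules, mirror)}")
        print(f"{name:8s} DMZ -> LAN host 192.168.1.10: {evaluate(rules, '192.168.1.10')}")
```

Run it and the original rule set reports "block" for the mirror (silently dropped, hence "Network is unreachable" from yum), while the hardened set passes the mirror and still blocks the LAN host.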