[SOLVED] How to access to server in DMZ



  • Forgive my newbie question, but I'm learning to use pfSense.

    I have configured the DMZ and the LAN and now I can:

    • Surf the Internet from PCs in the LAN and from the server in DMZ
    • Make updates.
    • PING on PC / Server and on the Firewall network cards.

    So I am satisfied.

    What I would like to do now is to access the HTTP server located in the DMZ from Internet.
    I created the rule like in this screenshot; it comes from the rules that I use in the LAN and DMZ sections, but evidently this rule is not enough.
    I haven't even figured out how to configure a Port Forward, if that's what I have to do.

    In this test environment the server manages HTTP, HTTPS, Mail, FTP, Slave DNS servers.
    Tomorrow I will create different servers for each service


    "LS1" is an alias with the server address.
    "Web" is an alias for 80 & 443 ports.


  • LAYER 8 Netgate

    Source WAN net is not "the internet." Source any is "the internet."

    You probably need a port forward as well unless you have routed, public IP addresses on the DMZ interface.



  • The router has a port forward 80 on the pfSense WAN network card.
    I have changed the rule from WNA net to WAN address.
    Nonetheless:

    • in pfSense / Diagnostic / Test Port from WAN to the server address in DMZ replies with: "No output received, or connection failed. Try with" Show Remote Text "unchecked first."
    • With https://www.yougetsignal.com/tools/open-ports/ on the public address, the port 80 is closed

    This is the new snapshot of the rules in WAN and the one in DMZ.

    alt text

    alt text

    I was wondering, if the access from 192.168.0.0 is blocked by default in WAN, how does it accept traffic from the router if the rule is after that of the block?



  • @WhiteTiger-IT said in How to access to server in DMZ:

    I have changed the rule from WNA net to WAN address.

    Why?



  • @Bob-Dig said in How to access to server in DMZ:

    @WhiteTiger-IT said in How to access to server in DMZ:

    I have changed the rule from WNA net to WAN address.

    Why?

    Because initially the rule was from WAN Net, now from WAN Address.
    Which is the right rule?



  • @WhiteTiger-IT When staff give you a hint, better do it. 😉

    @Derelict said in How to access to server in DMZ:

    Source WAN net is not "the internet." Source any is "the internet."



  • @WhiteTiger-IT

    What we call ourselves, (of their own free will) WAN or WAN Net, etc. is not equal with internet access ✌

    the solution is this:

    @Derelict " Source any is "the internet."



  • @DaddyGo
    @Derelict
    @Bob-Dig

    Now in WAN there is only the rule
    Source ANY to Alias-Server in DMZ for Alias-Port (80 + 443)

    41/5000
    I have left the other rules (in LAN and DMZ) unchanged, but yet I don't reach the Apache server in DMZ and ports 80 + 443 are closed from the Internet with this link

    Do I need to add a Port Forward?
    I already have a port forward for ports 80 + 443 on the pfSense WAN card.

    Forgive my inexperience, but it is the first time that I work with pfSense and I create rules in a firewall.
    I read the online manual and a couple of PDFs that I found on the net, but as regards the configuration of pfSense to manage a server in the DMZ I have not found anything that can help me.

    If you can direct me to another reading, I am giving it to you



  • @WhiteTiger-IT Show us the Port Forward-rule and the WAN-rule and while you are at it, the rest again.



  • In pfSense there are no port forwarding rules, only the two automatically created in Outbound.
    This is the WAN screenshot about rules.
    alt text

    This is the screenshot of the router
    alt textt



  • @WhiteTiger-IT In a normal setup, your router would forward those or any ports to the pfSense WAN-Interface and then you would need to port froward from there to your actual server. So you would need to portforward in pfSense too, doing double-NAT. But maybe your setup is different, but you haven't told us in your first post.



  • @Bob-Dig said in How to access to server in DMZ:

    @WhiteTiger-IT In a normal setup, your router would forward those or any ports to the pfSense WAN-Interface and then you would need to port froward from there to your actual server. So you would need to portforward in pfSense too, doing double-NAT. But maybe your setup is different, but you haven't told us in your first post.

    I am now starting to configure pfSense in my "personal laboratory" to learn how to use it.
    The rules entered are those that I also viewed in previous posts. There are no other rules and these are used to access the server from my PC and to make updates.
    These are rules that I took from the official help.
    In DMZ there is an Apache with only the default page, to do the tests I think it is enough.



  • @WhiteTiger-IT So you haven't changed any settings in pfSense (System - Advanced - Firewall & NAT), then pfSense is its own router and you have to do double-NAT, like I said.



  • @Bob-Dig said in How to access to server in DMZ:

    So you haven't changed any settings in pfSense (System - Advanced - Firewall & NAT), then pfSense is its own router and you have to do double-NAT, like I said.

    I have now created this NAT Port Forward rule.
    Is this what you mean?
    alt text



  • @WhiteTiger-IT More like this:
    Capture.PNG



  • I changed the NAT rule and didn't use aliases.
    But now using the URL http: // IP-Address I get the Tunnel Connection Failed error

    alt text



  • Using a DDNS I get the error Connection Timed out
    I don't find error in Syslog / Firewall



  • Last week I contacted the ISP that manages the firewall; they told me that they were no problems and that is pfSense not to have the ports open.
    How can I check if it is true?
    I can only use tools on the Internet and this tells me that the doors are closed on the public address.
    If from pfSense Diagnostic I ping from WAN on the server, it doesn't work, but maybe this is not enabled.



  • AAARGHHHH!
    DAMNED DHCP THAT CHANGED THE ADDRESS OF THE WAN CARD!

    Everything is working!
    I apologize very much and thank you for your support and patience!


Log in to reply