Netgate Discussion Forum
    From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout

    NAT
    7 Posts 2 Posters 427 Views
    howdoyouturn69 (last edited by howdoyouturn69)

      Hello Team. Thanks for this great forum.

      I have been trying for a while to connect the LAN 200.x/22 to the DMZ 100.x/22.

      These are the working configs so far:

      1- 2 WAN configs. No balancing or failover, no group, no bridge.
      1- Firewall rules on LAN from any net to any. Default gateway wan1gb
      2- Firewall rules on DMZ from any net to restricted ports (ssh, rdp, database). Default gateway wan50mb. rfc1918 rejected to block direct access
      3- No-IP for wan50mb and wan1gb
      4- Port forwards resolve the external port and redirect to the DMZ, multiple servers and services (web, ftp including passive ports, ssh, database, rdp)
      5- Outbound rules: Manual Outbound NAT rule generation (AON)
      6- LAN 200.x has gateway 200.1. It does ping the DMZ gateway
      7- DMZ 100.x has gateway 100.1. It does ping the LAN gateway
      8- OpenVPN working in LAN for regular traffic (browsing, etc...).
      9- Each interface is connected to its own NIC in the firewall (WAN1 igb0, wan2 igb1, dmz igb2, etc...).
      10- Dual NICs in the servers to connect LAN and DMZ. This is temporary until I have access from LAN to DMZ

      Things that I cannot finish in this environment:

      1- Ping or connect from LAN to DMZ, considering LAN has an any rule and OpenVPN is disabled. DMZ has a rule to accept source any and destination DMZ net.
      2- No service in the DMZ is accessible from LAN (ftp, ssh, database, rdp, web)
      3- From an external connection, everything is working flawlessly. Not from LAN

      I have been trying (but the official doc, or other info in the forum, gets confusing):

      1- NAT reflection (it creates extra traffic, so it is not a desirable solution, but acceptable if proven to be sufficient system-load-wise)
      2- DNS split, but the same No-IP name has different ports going to different servers and services. Attaching the domain name to only one IP address is not desirable either. Multi domain?

      Just to finish.

      What I'm looking to do is:

      Connect LAN to DMZ (not the opposite) and access services in the DMZ, considering they're in a different network/interface/netmask.

      Any idea about what I'm missing?

      I do really appreciate any advice. Thanks for your help.

      Best Regards.

      PS: This is the first time I interact with pfSense; I am not a networking expert.

      johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

        @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

        LAN 200.x/22 to DMZ 100.x/22.

        Please tell me you didn't just pull those out of thin air to use, and you're just hiding your actual public or rfc1918.. if rfc1918 - WHY?

        Out of the box with an any any rule, your LAN would be able to talk to anything on the DMZ, even if you had zero rules on the DMZ.. The only thing that would prevent LAN from talking to DMZ is the DMZ not using the DMZ IP of pfSense as its gateway, or its own local firewalls on devices.

        Unless on the LAN you're forcing traffic out a gateway? via the LAN rules? If you're forcing traffic out a gateway in LAN via rule, then above that rule you would have to have an allow rule for the DMZ net.

        1- Firewall rules to LAN from any net to any. Default gateway wan1gb

        That sounds like you're forcing traffic out a gateway.. If so then you need a rule above that to allow access to the DMZ.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          howdoyouturn69 (last edited by howdoyouturn69)

          Yes, it is hidden, just to give an idea about how wide the network is.

          If you're referring to the reject rfc1918 rule in the DMZ: I read in some forum that it restricts the DMZ's direct connection to the outside world, except the defined ones, considering the response is automatically accepted on the same channel after the initial communication is established (for example, from LAN to DMZ), and restricts initial communication from DMZ to LAN.

          And yes, my idea is that the DMZ has its own dedicated WAN link, same for the LAN. So if somebody starts downloading a video bio of ..... the servers do not suffer from link saturation.

          So I set the default gateway in the firewall rules to the specific WAN.

          Maybe this is the problem?

          If so, then how do I route the traffic from LAN to its dedicated WAN (browsing), and the same for the servers?

            johnpoz, LAYER 8 Global Moderator

            @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

            Maybe this is the problem?

            If you're policy routing, then yes you need a rule above to allow access to the DMZ.. Doesn't matter what the rules are on DMZ, unless you want them to be able to create traffic into the LAN.

              howdoyouturn69 @johnpoz

              @johnpoz said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

              @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:
              If you're policy routing, then yes you need a rule above to allow access to the DMZ.. Doesn't matter what the rules are on DMZ, unless you want them to be able to create traffic into the LAN.

              Then it may be the problem, but then how do I route external traffic to its own WAN?

              I already have a rule in Outbound saying "Auto Created rule from LAN to WAN". Might this route the internet traffic to its own WAN, instead of leeching bandwidth from the servers' WAN link?

                johnpoz, LAYER 8 Global Moderator

                Because the rule above your any rule would be only to your DMZ.. If not to the DMZ or just your local networks, then it would drop to the next rule that allows any (internet), which would force it out the gateway you have in the rule.

                  howdoyouturn69
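The two johnpoz replies above describe the same mechanism: pfSense evaluates interface rules top down, the first match wins, and a matching rule that carries a gateway policy-routes the packet out that WAN even when the destination is a locally attached network. The toy model below is an added illustration, not pfSense code and not from anyone in this thread; it evaluates a LAN rule set against sample packets and shows why the original single any/any rule with gateway wan1gb is logged as "pass" yet never reaches the DMZ, while a gateway-less pass rule to the DMZ net placed above it restores LAN-to-DMZ access and still sends internet traffic out wan1gb. The 10.200.0.0/22 and 10.100.0.0/22 ranges are constructed placeholders (the thread hides its real addresses), and the `reachable` helper is a simplification: it ignores NAT, states, and per-host firewalls.

```python
"""Toy model of pfSense-style first-match rule evaluation with policy routing.
Added example; not pfSense's own code. Networks are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholder networks standing in for the thread's LAN 200.x/22 and DMZ 100.x/22.
LAN_NET = ip_network("10.200.0.0/22")
DMZ_NET = ip_network("10.100.0.0/22")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    src: object                    # ip_network or the string "any"
    dst: object                    # ip_network or the string "any"
    gateway: Optional[str] = None  # None = let the system routing table decide (no policy routing)
    comment: str = ""

    def matches(self, src_ip, dst_ip):
        src_ok = self.src == "any" or src_ip in self.src
        dst_ok = self.dst == "any" or dst_ip in self.dst
        return src_ok and dst_ok


@dataclass
class Verdict:
    action: str
    gateway: str
    rule: str


def evaluate(rules, src_ip, dst_ip):
    """Top-down, first matching rule wins; nothing below it is consulted.
    No match at all falls through to the implicit default deny."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            gw = rule.gateway or "system routing table"
            return Verdict(rule.action, gw if rule.action == "pass" else "-", rule.comment)
    return Verdict("block", "-", "implicit default deny")


def reachable(verdict, dst_ip):
    """Simplified delivery model: a passed packet reaches a locally attached or private
    destination only when the system routing table handles it. A rule that forces a gateway
    pushes the packet out that WAN regardless of destination, so local/private targets are lost."""
    if verdict.action != "pass":
        return False
    if verdict.gateway == "system routing table":
        return True
    return not any(ip_address(dst_ip) in net for net in RFC1918 + [DMZ_NET, LAN_NET])


# The LAN rule set as the original poster described it: one any/any rule with gateway wan1gb.
ORIGINAL_LAN_RULES = [
    Rule("pass", "any", "any", gateway="wan1gb", comment="LAN any to any via wan1gb"),
]

# The fix johnpoz describes: a pass rule to the DMZ net placed ABOVE the policy-routed rule, with no gateway.
FIXED_LAN_RULES = [
    Rule("pass", LAN_NET, DMZ_NET, gateway=None, comment="LAN net to DMZ net, normal routing"),
    Rule("pass", "any", "any", gateway="wan1gb", comment="LAN any to any via wan1gb"),
]


def trace(rules, src_ip, dst_ip):
    """Return what the firewall log would show (action, rule) plus the routing outcome."""
    v = evaluate(rules, src_ip, dst_ip)
    return {"action": v.action, "gateway": v.gateway, "rule": v.rule,
            "reaches_dst": reachable(v, dst_ip)}


if __name__ == "__main__":
    # 203.0.113.5 is a documentation address standing in for an internet host.
    for name, rules in (("original", ORIGINAL_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        for dst in ("10.100.0.10", "203.0.113.5"):
            print(f"{name:8} LAN host -> {dst:13} {trace(rules, '10.200.0.50', dst)}")
```

Running it shows the symptom the thread ends on: with the original rule set, LAN to DMZ is logged as "pass" (green check) but is policy-routed out wan1gb and never arrives; with the DMZ rule above it, the DMZ traffic uses the routing table and only internet-bound traffic falls through to the gateway rule.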

                  I followed the instructions and removed the gateway from the firewall rules, setting it back to default.

                  I can see in the firewall log that it says allow (green check); however, it still does not connect.

                  Any other idea?

                  Because I still can't even ping between LAN and DMZ.

                  BTW: If I set the "default" gateway in System/Routing, no LAN client can browse the internet. Maybe something else is missing?

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.