From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout


  • Hello Team. Thanks for this great forum.

    I have been trying for a while to connect the LAN 200.x/22 to the DMZ 100.x/22.

    These are the working configs so far:

    1- 2 WAN configs. No balancing or failover, no group, no bridge.
    1- Firewall rules on LAN from any net to any. Default gateway wan1gb
    2- Firewall rules on DMZ from any net to restricted ports (ssh, rdp, database). Default gateway wan50mb. rfc1918 to reject direct access
    3- No-IP for wan50mb and wan1gb
    4- Port forward resolves the external port and redirects to the DMZ, multiple servers and services (web, ftp including passive ports, ssh, database, rdp)
    5- Outbound rules: Manual Outbound NAT rule generation (AON)
    6- LAN 200.x has gateway 200.1. It does ping the DMZ gateway
    7- DMZ 100.x has gateway 100.1. It does ping the LAN gateway
    8- OpenVPN working in LAN for regular traffic (browsing, etc...).
    9- Each interface is connected to its own NIC in the firewall (WAN1 igb0, wan2 igb1, dmz igb2, etc...).
    10- Dual NICs in the servers to connect LAN and DMZ. This is temporary until I have access from LAN to DMZ

    Things that I cannot finish in this environment:

    1- Ping or connect from LAN to DMZ, considering LAN has an "any" rule, and OpenVPN is disabled. DMZ has a rule to accept source any and destination DMZ net.
    2- No service in the DMZ is accessible from LAN (ftp, ssh, database, rdp, web)
    3- From an external connection, everything works flawlessly. Not from LAN

    I have been trying these (but the official docs and other info in the forum get confusing):

    1- NAT reflection (it creates extra traffic, so it is not a desirable solution, but acceptable if proven to be sufficient, system-load-wise)
    2- Split DNS, but the same No-IP hostname has different ports to different servers and services. Attaching the domain name to only 1 IP address is not desirable either. Multi domain?

    Just to finish.

    What I'm looking to do is:

    Connect LAN to DMZ (not opposite) and access services in DMZ, considering they're in different network/interface/netmask.

    Any idea what I'm missing?

    I do really appreciate any advice. Thanks for your help.

    Best Regards.

    PS: This is the first time I interact with pfsense, not a networking expert.

  • LAYER 8 Global Moderator

    @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

    LAN 200.x/22 to DMZ 100.x/22.

    Please tell me you didn't just pull those out of thin air to use, and you're just hiding your actual public or rfc1918.. if rfc1918 - WHY?

    Out of the box with an any any rule, your lan would be able to talk to anything on dmz, even if you had zero rules on dmz.. Only thing that would prevent lan from talking to dmz is dmz not using the dmz IP of pfsense as its gateway, or its own local firewalls on devices.

    Unless on the lan you're forcing traffic out a gateway? via the lan rules? If you're forcing traffic out a gateway in lan via rule, then above that rule you would have to have an allow rule for the dmz net.

    1- Firewall rules to LAN from any net to any. Default gateway wan1gb

    That sounds like you're forcing traffic out a gateway.. If so then you need a rule above that to allow access to dmz.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.


  • Yes, it is hidden, just to give an idea about how wide the network is.

    As for the reject rfc1918 rule in DMZ: I read in some forum that it restricts the DMZ's direct connections to the outside world, except the defined ones, considering the response is automatically accepted on the same channel after the initial communication is established (for example, from LAN to DMZ), and it restricts initial communication from DMZ to LAN.

    And yes, my idea is, DMZ has its own dedicated WAN link, same for LAN. So if somebody starts downloading a video bio of ....., the servers do not suffer from the link saturation.

    So I place a default gateway in the firewall rules, to the specific WAN.

    Maybe this is the problem?

    If so, then how do I route the traffic from LAN to its dedicated WAN (browsing), and the same for the servers?

  • LAYER 8 Global Moderator

    @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

    Maybe this is the problem?

    If you're policy routing, then yes you need a rule above to allow access to the dmz.. Doesn't matter what the rules are on dmz, unless you want them to be able to create traffic into the lan.


  • @johnpoz said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:

    @howdoyouturn69 said in From LAN 200.x/22 to DMZ 100.x/22 Connection Timeout:
    If you're policy routing, then yes you need a rule above to allow access to the dmz.. Doesn't matter what the rules are on dmz, unless you want them to be able to create traffic into the lan.

    Then it may be the problem, but then, how do I route external traffic to its own WAN?

    I already have a rule in Outbound saying "Auto Created rule from LAN to WAN". Would this route the internet traffic to its own WAN, instead of leeching bandwidth from the servers' WAN link?

  • LAYER 8 Global Moderator

    Because the rule above your any rule would be only to your dmz.. If not to the dmz or just your local networks, then it would drop to the next rule that allows any (internet) which would force it out your gateway you have in the rule.
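The two moderator replies above describe top-down, first-match rule evaluation and why a policy-routed "any to any" rule on LAN captures LAN-to-DMZ traffic unless a plain allow rule for the DMZ network sits above it. The following Python model is an added illustration, not code from the thread or from pfSense: the networks, hosts and rule names are constructed (the thread's 200.x/22 and 100.x/22 are placeholders, so arbitrary private ranges are used), and the routing-table lookup is a stand-in for the firewall's real routing table.

```python
"""
Added example (not from the thread): a tiny model of pfSense-style
top-down, first-match rule evaluation on the LAN interface, showing why a
policy-routed "any to any" rule swallows LAN -> DMZ traffic unless a plain
allow rule for the DMZ network is placed above it.  All networks, hosts and
rule names below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the thread's hidden 200.x/22 and 100.x/22.
LAN_NET = ip_network("10.200.0.0/22")
DMZ_NET = ip_network("10.100.0.0/22")


def _in(selector: str, addr: str) -> bool:
    """True when addr matches the selector ('any' or a CIDR network)."""
    return selector == "any" or ip_address(addr) in ip_network(selector)


@dataclass
class Rule:
    """One interface rule. src/dst are 'any' or a network in CIDR form.
    gateway=None models the 'default' gateway choice, i.e. let the system
    routing table decide; a named gateway models policy routing."""
    name: str
    src: str
    dst: str
    gateway: Optional[str] = None
    action: str = "pass"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


def evaluate(rules, src_ip: str, dst_ip: str):
    """First matching rule wins; later rules are never looked at.
    Returns (rule_name, action, next_hop); next_hop is the policy gateway,
    or 'routing-table' when the rule leaves the gateway at default.
    A packet matching no rule hits the implicit default deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.name, rule.action, rule.gateway or "routing-table"
    return "default-deny", "block", None


def routing_table_lookup(dst_ip: str) -> str:
    """Stand-in for the firewall's routing table: directly attached networks
    are delivered on their interface, everything else takes the default route."""
    if ip_address(dst_ip) in DMZ_NET or ip_address(dst_ip) in LAN_NET:
        return "direct (attached interface)"
    return "default route (wan1gb)"


# Rule set as described in the first post: one any/any rule that also forces
# traffic out the wan1gb gateway (policy routing).  DMZ-bound packets match
# it first and are handed to the WAN gateway, which is why they time out.
POLICY_ONLY = [
    Rule("LAN any -> any via wan1gb", "any", "any", gateway="wan1gb"),
]

# The fix described by the moderator: an allow rule for the DMZ network ABOVE
# the policy-routed rule, with the gateway left at default.  Only traffic
# that does not match it falls through to the policy-routed rule.
FIXED = [
    Rule("LAN net -> DMZ net", str(LAN_NET), str(DMZ_NET)),
    Rule("LAN any -> any via wan1gb", "any", "any", gateway="wan1gb"),
]


def where_does_it_go(rules, src_ip: str, dst_ip: str) -> str:
    """Human-readable summary: which rule fired and the resulting next hop."""
    name, action, next_hop = evaluate(rules, src_ip, dst_ip)
    if action != "pass":
        return f"{name}: blocked"
    if next_hop == "routing-table":
        next_hop = routing_table_lookup(dst_ip)
    return f"{name}: pass, next hop = {next_hop}"


if __name__ == "__main__":
    lan_host, dmz_host, internet = "10.200.0.50", "10.100.0.10", "203.0.113.5"
    for label, rules in (("policy-routed any rule only", POLICY_ONLY),
                         ("DMZ allow rule above it", FIXED)):
        print(f"== {label} ==")
        print("  LAN -> DMZ     :", where_does_it_go(rules, lan_host, dmz_host))
        print("  LAN -> Internet:", where_does_it_go(rules, lan_host, internet))
```

Running it shows the DMZ-bound packet landing on the wan1gb gateway under the first rule set, and on the attached DMZ interface under the second, while internet-bound traffic still leaves via wan1gb in both cases. Rule order is the whole point: swapping the two rules in `FIXED` reproduces the broken behaviour.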


  • I followed the instructions and removed the default gateway in the firewall rules (set it back to default).

    I can see in the firewall log that it says allow (green check); however, it still does not connect.

    Any other idea?

    Because I still can't even ping between LAN and DMZ.

    BTW: If I set the "default" gateway in System/Routing, no LAN client can browse the internet. Maybe something else is missing?