Cannot access DMZ server from LAN
-
Re: Can't access DMZ from LAN
Hi, I am trying to set up a pfSense infrastructure with a typical DMZ and LAN. I can ping the DMZ gateway but not DMZ hosts from the LAN. I sniffed the LAN interface and the DMZ interface and captured packages, so I think it is working correctly. I do not know if it is a server firewall problem, but I have disabled firewalld on my CentOS server and it still does not work.
-
@natanaelmm29 said in Cannot access DMZ server from LAN:
captured packages so I think it is working correctly
So you captured packets on dmz interface while you were pinging from lan? If you see the ping go out to the IP of your device in your dmz.. There are 3 possible things off the top of my head.
Firewall on the dmz device
dmz device not using pfsense as its gateway
dmz device has mask wrong, and thinks IP is local so doesn't send response back to pfsense.
Unless you have some floating rules blocking access to your dmz, if you can ping the pfsense dmz IP from your lan.. your lan rules are most likely correct, unless you have some rules only allowing that and not to the dmz network or any. The default rules on lan are any any.
And since the return traffic would be allowed by the state, there really is no rule on the dmz you could put that would block the return traffic. You could have zero rules on your dmz, and lan, if allowed, could still talk to the device in the dmz.
Other possible issue would be routing your traffic out your lan to some gateway or vpn.. But if that was the case you wouldn't see traffic when sniffing on your dmz interface from your lan.
-
@johnpoz Hi, thank you for helping. Just now I used tcpdump to capture packages at the IP address of my server and the requests are correctly arriving. However, it does not respond.
-
@natanaelmm29 I don't see a response to your arp request..
arp would work no matter what your firewall on said device or pfsense would be. But I don't see any response.
this was on the device in your dmz?
Where exactly did you sniff that? That first 10.0.2.200 port 56952 to localhost.localdomain on port 443 Syn [S] doesn't make a lot of sense.. Who is 10.0.2.200 and why is it trying to talk to your box on 443?
What IPs are you using, what is your lan network, what is your dmz network
edit: prob be easier to read your tcpdump if you use -n so it doesn't use localhost.localdomain, which makes it hard to know what IP that is.
-
@johnpoz Hi again, and sorry for my explanation. I have a host inside the LAN with 10.0.2.200 and a web server on the DMZ with 10.0.3.13. So I am trying to reach the web server from the LAN host, because from the WAN I can access it correctly.
- I have firewalld disabled on DMZ web server
- DMZ is using 10.0.3.1 gateway as it is a pfsense interface and it is working properly as I can reach the web server from outside WAN
- I have configured all IP addresses with a /24 mask
- I have no floating rule
- In LAN rules I have: Source-LAN net * ports, destination-DMZ net * ports allowed
I don't really know what is happening, to be honest, and apparently all should be OK.
-
And the pcap above was taken on 10.0.3.13?
-
@stephenw10 yes!
-
Then why is it ARPing for 10.0.2.200? It would only do that if it thinks it's in the same subnet, which it isn't if the subnet is actually a /24.
It looks like 10.0.3.1 has the wrong subnet mask.
Steve
-
@natanaelmm29 as @stephenw10 mentions that doesn't make a lot of sense.
Did you set the mask manually? Pfsense wouldn't/shouldn't let you create networks that overlap..
So it looks like your issue is the 3rd possibility on my list..
dmz device has mask wrong, and thinks IP is local so doesn't send response back to pfsense.
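As an added illustration (not part of the thread, nor pfSense code), here is the next-hop decision the DMZ host makes for a reply to the LAN host under the two masks discussed, using the thread's own addresses; the function names and the `on_segment` set of ARP responders are constructed for the example:

```python
import ipaddress

# Addresses from the thread: LAN host 10.0.2.200, DMZ web server 10.0.3.13,
# pfSense DMZ interface (the DMZ host's default gateway) 10.0.3.1.
LAN_HOST = "10.0.2.200"
DMZ_HOST = "10.0.3.13"
DMZ_GATEWAY = "10.0.3.1"


def next_hop(host_ip, netmask, gateway, dst_ip):
    """Decide how a host forwards a packet to dst_ip.

    Returns ("arp", dst_ip) when dst_ip falls inside the host's own subnet
    (the host ARPs for it directly on the local segment), otherwise
    ("gateway", gateway) when the packet is handed to the default gateway.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return ("arp", dst_ip)
    return ("gateway", gateway)


def reply_returns_via_pfsense(host_ip, netmask, gateway, src_ip, on_segment):
    """Model the DMZ host answering a ping that came from src_ip.

    on_segment is the set of IPs that actually answer ARP on the DMZ wire
    (constructed: only pfSense lives there). The reply gets back to the LAN
    only if the chosen next hop is present on that segment; a mask that is
    too wide makes the host ARP for an off-segment LAN IP and the reply dies.
    """
    _kind, target = next_hop(host_ip, netmask, gateway, src_ip)
    return target in on_segment


def overlapping(net_a, net_b):
    """True if two networks overlap (pfSense refuses overlapping interfaces)."""
    a = ipaddress.ip_network(net_a, strict=False)
    b = ipaddress.ip_network(net_b, strict=False)
    return a.overlaps(b)


if __name__ == "__main__":
    dmz_wire = {DMZ_GATEWAY}  # constructed: only pfSense answers ARP on the DMZ
    for mask in ("255.255.0.0", "255.255.255.0"):
        hop = next_hop(DMZ_HOST, mask, DMZ_GATEWAY, LAN_HOST)
        ok = reply_returns_via_pfsense(DMZ_HOST, mask, DMZ_GATEWAY, LAN_HOST, dmz_wire)
        print(f"mask {mask}: next hop {hop}, reply reaches LAN: {ok}")
        print(f"  DMZ host's network overlaps LAN 10.0.2.0/24: "
              f"{overlapping(f'{DMZ_HOST}/{mask}', '10.0.2.0/24')}")
```

With 255.255.0.0 the host believes 10.0.2.200 is local and ARPs for it on the DMZ segment, where nothing answers; with /24 it sends the reply to 10.0.3.1 and pfSense routes it back.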
-
@johnpoz and @stephenw10 so thankful for this. I configured IP address for DMZ host manually modifying the specific file and put 255.255.0.0 mask instead of /24. Thank you very much, I fixed it and now it all works fine. Regards from Canary Islands, Spain hahaha
-
@natanaelmm29 said in Cannot access DMZ server from LAN:
specific file and put 255.255.0.0 mask instead of /24
Yup that would do it ;)
Glad you got it sorted.