Netgate Discussion Forum
    Weird behavior on my DMZ (VMWare ESXi related?)

    Firewalling
    4 Posts 4 Posters 2.6k Views
    • mox

      I don't know why, I'm having some weird problems on my DMZ where some machines cannot access other DMZ machines.

      My setup is simple.
      I am running a server with VMWare ESXi

      pfSense has 3 interfaces (WAN, LAN and DMZ).

      On the VMWare side:
      WAN is on vSwitch0, where I get A.B.C.67/255.255.255.224 from my ISP
      LAN is on the vSwitch1
      DMZ is on the vSwitch2

      My DMZ is bridged to the WAN.

      Here are the configs of the firewall/servers behind it.

      Firewall IP: A.B.C.67/27 <– VM
      Firewall GW: A.B.C.65

      DMZ Server IP (A): A.B.C.70/27 <-- VM
      DMZ Server IP (B): A.B.C.72/27 <-- Physical
      DMZ Server IP (C): A.B.C.73/27 <-- VM
      DMZ Server GW: A.B.C.65

      I have a rule under DMZ that let any DMZ Machine communicate with other DMZ Machines.

      Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
      *      DMZ net  *     *            *     *                  DMZ -> any

      How come when I check the System Logs I see things like this:
      x  Oct 16 18:32:43  DMZ  A.B.C.73:1213  A.B.C.72:445  TCP
      x  Oct 16 18:37:18  DMZ  A.B.C.73:1243  A.B.C.70:445  TCP
      x  Oct 16 18:42:21  DMZ  A.B.C.70:1440  A.B.C.72:1433  TCP

      A.B.C.73 tries to communicate with A.B.C.72 or A.B.C.70 on port 445 and it's blocked,
      and A.B.C.70 tries to communicate with A.B.C.72 on port 1433 and it's blocked.

      PS: I have enabled "Bypass firewall rules for traffic on the same interface".

      Please help me, I'm about to go crazy!

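The three blocked lines above can be triaged mechanically. The script below is an added example, not code from the thread or from Netgate: it parses the log lines as quoted in the post, checks whether both endpoints fall inside the /27 the bridged WAN and DMZ share (A.B.C.64/27, which contains .65, .67, .70, .72 and .73), and then uses the post's own placement of the hosts (A and C are VMs on vSwitch2, B is physical) to say whether a flow has to cross from one vSwitch to the other through the pfSense bridge, or whether it should have been switched inside ESXi without ever reaching pfSense. Assumptions, labelled in the code: the hidden "A.B.C" prefix is mapped onto the 203.0.113 documentation range so the addresses parse; the physical server is reached through the vSwitch0 uplink (WAN side); the two DMZ VMs sit on the same port group; and the leading "x" in the listing is the block marker.

```python
"""Triage pfSense firewall-log lines for a WAN/DMZ bridge.

Added example, not code from the original thread. It takes the blocked
entries quoted in the first post, checks whether both endpoints sit
inside the bridged /27, and works out whether the flow must cross from
one ESXi vSwitch to another (and therefore through the pfSense bridge)
or should never have reached pfSense at all.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the blocked entries as listed in the post (marker,
# timestamp, interface, src:port, dst:port, proto). Not a real capture.
SAMPLE_LOG = """\
x  Oct 16 18:32:43  DMZ  A.B.C.73:1213  A.B.C.72:445  TCP
x  Oct 16 18:37:18  DMZ  A.B.C.73:1243  A.B.C.70:445  TCP
x  Oct 16 18:42:21  DMZ  A.B.C.70:1440  A.B.C.72:1433  TCP
"""

# The post hides the first three octets as "A.B.C"; map them onto an
# RFC 5737 documentation prefix so the addresses parse. Assumption.
ANON_PREFIX, DOC_PREFIX = "A.B.C", "203.0.113"

# A.B.C.67/255.255.255.224 lies in A.B.C.64/27 (.64-.95); that is the
# subnet the bridged WAN+DMZ segment shares.
BRIDGE_NET = ipaddress.ip_network(f"{DOC_PREFIX}.64/27")

# Where each endpoint lives, taken from the post: VMs on vSwitch2 (DMZ),
# the physical box reachable only through the vSwitch0 uplink (WAN side).
# Assumption: the physical server sits on the ISP segment behind vSwitch0
# and the two VMs share one port group on vSwitch2.
LOCATION = {
    "A.B.C.70": "vSwitch2",
    "A.B.C.72": "vSwitch0",
    "A.B.C.73": "vSwitch2",
}

LINE_RE = re.compile(
    r"^(?P<act>\S+)\s+(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class Entry:
    action: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> list[Entry]:
    """Parse firewall-log lines; silently skip lines that do not match."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        out.append(Entry(m["act"], m["iface"], m["src"], int(m["sport"]),
                         m["dst"], int(m["dport"]), m["proto"]))
    return out


def to_ip(anon: str) -> ipaddress.IPv4Address:
    """Turn the post's anonymised address into a parseable one."""
    return ipaddress.ip_address(anon.replace(ANON_PREFIX, DOC_PREFIX, 1))


def classify(e: Entry) -> str:
    """Say what path a flow takes and whether pfSense should see it."""
    same_net = to_ip(e.src) in BRIDGE_NET and to_ip(e.dst) in BRIDGE_NET
    if not same_net:
        return "routed"           # leaves the /27: ordinary L3 firewalling
    src_sw, dst_sw = LOCATION.get(e.src), LOCATION.get(e.dst)
    if src_sw is None or dst_sw is None:
        return "bridged-unknown"  # same /27, endpoint placement not known
    if src_sw == dst_sw:
        # Same vSwitch and port group: ESXi switches this in software and
        # it should never reach pfSense. A block here points at the
        # vSwitch side rather than at the pfSense rule set.
        return "same-vswitch"
    # Different vSwitches: the only path is through the pfSense bridge,
    # so the bridge-member interface it enters on (DMZ) needs a pass rule.
    return "crosses-bridge"


def triage(text: str) -> list[tuple[str, str]]:
    """Return (flow description, classification) for each blocked line."""
    rows = []
    for e in parse_log(text):
        if e.action != "x":      # assumption: "x" is the block marker
            continue
        desc = f"{e.src} -> {e.dst}:{e.dport}/{e.proto} on {e.iface}"
        rows.append((desc, classify(e)))
    return rows


if __name__ == "__main__":
    for desc, kind in triage(SAMPLE_LOG):
        print(f"{kind:16} {desc}")
```

Run against the three lines from the post, the two flows towards the physical host (.73 -> .72:445 and .70 -> .72:1433) come out as crossing the bridge, and .73 -> .70:445 as same-vSwitch. One caveat a practitioner would check first: the option the post mentions, "Bypass firewall rules for traffic on the same interface", is the static route filtering setting under System > Advanced > Firewall & NAT and only takes effect when static routes are defined, so it does not change how these bridged flows are handled.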
      • bman2883

        Try putting the DMZ in the same vSwitch as the WAN; I don't think traffic passes between vSwitches.

        • louis-m

          With ESXi, you can have as many vSwitches as you want on different VLANs. Traffic will not pass between them. You need a router, and that is where pfSense comes in.
          Just slip a rule in there to allow traffic between your VLANs on pfSense.

          • alien8

            So, since your WAN gateway IP address and your DMZ gateway IP address are the same, I'm pretty sure you need to bridge your WAN and DMZ interfaces.

            You'll need to configure your network interfaces in ESXi to permit promiscuous mode in order for the bridging to work.

            I have a similar setup and had similar results until I figured out the issues with bridging and promiscuous mode.

            Hope this helps.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.