DMZ through ISP router
-
Unfortunately with my ISP I have to use their router. It does not support bridge mode but it does allow DMZ to one device. I have a public IP on the pfSense interface.
Problem is that I can only access port 443 from outside. It is 0 packets if I try some other port. Example: pics 1 and 2. My ISP told me that I must do a port forwarding. Unfortunately, I do not understand what I must forward, if I have 0 packets on port 80 or 22. I can not set up IPsec or SSH. It is not possible to access pfSense from outside.
The ISP told me that it is clean on their side, no bugs etc.
Can anyone explain to me what they mean by port forwarding? Thanks for help.
-
@Danil-0 said in DMZ through ISP router:
I have public ip on pfsense interface
Doesn't match your :
@Danil-0 said in DMZ through ISP router:
It does not support bridge mode but it does allow DMZ to one device.
DMZ (IMHO) : everything - port by port - is natted to the device declared as the DMZ device, which is normally the IP of pfSense.
As your pfSense has a public IP on its WAN, all traffic already arrives on your pfSense WAN.
Your ISP router isn't behaving as a router, but as a 'bridge'. After seeing this :
I have to ask : what are your WAN firewall rules ?
By default, there are no rules, which means that the hidden rule '1000000103' blocks any incoming requests.
If you want to let https (port 443 TCP traffic) pass, you have to add a pass rule for that.
Same for ssh. Btw : this is considered very bad practice.
Normally, you should activate an (example) OpenVPN server, and use the OpenVPN access to reach pfSense or other LAN based devices.
Edit : same thing for 'ping' (protocol ICMP) : you have to set up a pass rule on the WAN interface so pfSense can receive ICMP packets, and thus answer.
-
@Danil-0
Maybe you have to open additional ports on the ISP router even though you have set the DMZ. -
That's a no-go.
This rule is placed on WAN interface.
Traffic coming into your WAN interface originates from the Internet.
Fact : You can't receive 'from' the Internet RFC1918 (like 192.168.1.0/24 etc)
Or, "LAN Address" is an alias that contains your RFC1918 - the 192.168.3xxxx
Result : this rule will never match (thus pass) any traffic.
The state counters will stay at 0/0 forever.
Change the "LAN Address" to "WAN address" and suddenly things start to work : the rule starts to pass traffic.
Again : normally, you should never do this.
If you don't know much about firewall : you should never do this. -
@Gertjan said in DMZ through ISP router:
Again : normally, you should never do this.
I know that I'm not doing this normally. It is testing time :), I understand that it is not possible to keep it open :). It is an auto-added rule, created when I made the port forwarding, here are pics:
Since it does not change anything, the important thing is that packets pass on port 443 but not on others.
@Gertjan said in DMZ through ISP router:
The state counters will stay at 0/0 forever.
Exactly, sorry, it was my mistake but I made the screen before I started scanning because it is not my first test setup, so I have been testing it for a long time :). Below is the screen that I made now:
-
This :
is ... undocumented / new / strange at least.
You redirect to "LAN Address", something like 192.168.1.1/24 ? But I'm not sure.
Like : traffic comes into WAN, goes through pfSense, is natted to 192.168.1.1, to go back into pfSense ??
The help text says : enter an IPv4 == the device you want to redirect to.
Or use an alias that contains an IPv4. Like :
This one works ^^
-
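The two posts above by @Gertjan turn on what a WAN pass rule's destination is: "LAN Address" (an RFC1918 address that inbound Internet traffic never carries, so the counters stay 0/0) versus "WAN address" (matches, but opens 22/443 on the firewall itself), while a private host is a valid destination only behind a port forward. The following is an added example, not code from this thread or from the pfSense project: a small lint over a constructed config.xml fragment. It assumes pfSense's `<filter><rule>` layout, the keywords `lanip`/`wanip`/`lan` for "LAN Address"/"WAN address"/"LAN net", and `<nat><rule><target>` for a port forward's internal host.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config.xml fragment; assumed pfSense keys: "LAN Address" is
# <network>lanip</network>, "WAN address" is wanip, port forwards use <target>.
SAMPLE_CONFIG = """<pfsense>
<nat><rule><interface>wan</interface><target>192.168.3.10</target></rule></nat>
<filter>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <destination><network>lanip</network><port>443</port></destination>
  <descr>auto rule to LAN Address</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <destination><network>wanip</network><port>22</port></destination>
  <descr>ssh from anywhere</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <destination><address>192.168.3.10</address><port>443</port></destination>
  <descr>forwarded https</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <destination><network>wanip</network><port>1194</port></destination>
  <descr>OpenVPN</descr></rule>
</filter></pfsense>"""

PRIVATE_NETS = {"lan", "lanip"}   # assumed keywords for LAN net / LAN Address
MGMT_PORTS = {"22", "80", "443"}  # SSH and the pfSense web GUI

def _is_private_ip(text: str) -> bool:
    try:  # aliases and empty strings are not literal addresses
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False

def lint_wan_rules(config_xml: str) -> list[tuple[str, str]]:
    """Return (descr, finding) for each WAN pass rule; 'ok' when nothing to flag."""
    root = ET.fromstring(config_xml)
    nat_targets = {t.text for t in root.iter("target")}  # port-forward hosts
    findings = []
    for rule in root.find("filter").iter("rule"):
        if rule.findtext("type") != "pass" or rule.findtext("interface") != "wan":
            continue
        dest = rule.find("destination")
        net, addr, port = (dest.findtext(k, "") for k in ("network", "address", "port"))
        finding = "ok"
        # Internet traffic is addressed to the public WAN IP; a private destination
        # can only match after a port forward (rdr) has rewritten it.
        if net in PRIVATE_NETS or (_is_private_ip(addr) and addr not in nat_targets):
            finding = "never matches: private destination without a port forward"
        elif net == "wanip" and port in MGMT_PORTS:
            finding = f"exposes management port {port} to the Internet; prefer a VPN"
        findings.append((rule.findtext("descr", ""), finding))
    return findings
```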
@Gertjan It is an issue on the ISP side, thanks for your time ;).
-
@Gertjan It was a standard situation, ISP support didn't understand pfSense so they told me that I must make a port forward like on ptlink, but the issue was that they forgot to disable the firewall on the router. It was in bridge mode but the firewall blocked input.