Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Need help getting basic rules working

    Scheduled Pinned Locked Moved Firewalling
    20 Posts 5 Posters 6.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Jakobud
      last edited by

      I just installed pfSense.  Mostly default settings so far.  Nothing fancy.  I have the following interfaces:

      WAN (internet/modem) - 10.1.10.2
      LAN (our network) - 10.20.0.100
      DMZ (our DMZ network) - 192.168.10.100

      I'm on a computer on the LAN, trying to SSH to a computer in the DMZ.  In the pfSense Firewall Log I can see this:

      X	May 17 19:30:11	LAN		10.20.0.140:60321		192.168.10.20:22		TCP:S
      
      

      So thats my computer (10.20.0.140) trying to SSH (port 22) to 192.168.10.20.  When I click the "X" it says

      
      The rule that triggered this action is:
      @65 block drop in log quick all label "Default deny rule"
      

      That's about what I expected.

      So next I went to Firewall > Rules > LAN and made the following rule

      Proto: *
      Source: LAN net
      Source Port: *
      Destination: DMZ net
      Destination Port: *
      Gateway: *
      Desc: Lan -> DMZ

      So this should allow anything on the LAN to access anything on the DMZ correct?  For some reason it's still not letting my computer through via SSH.  It's the only rule I have on there.

      What am I missing here?

      1 Reply Last reply Reply Quote 0
      • B
        bjh4
        last edited by

        Did you make sure you applied the changes?  Did you try a different gateway like default?

        1 Reply Last reply Reply Quote 0
        • J
          Jakobud
          last edited by

          That is the default value for gateway.  Yes I hit Apply Changes.

          1 Reply Last reply Reply Quote 0
          • B
            bjh4
            last edited by

            what about the including reverse rule allowing the source DMZ to talk to the destination LAN.

            1 Reply Last reply Reply Quote 0
            • J
              Jakobud
              last edited by

              @bjh4:

              what about the including reverse rule allowing the source DMZ to talk to the destination LAN.

              Ya, still not working.  Okay I changed it up a bit.  This is exactly what I have now:

              LAN:

              Proto  	Source  	  				Port  	  		Destination  	  	  		Port  	  		Gateway  	Schedule  	Description  	
              TCP  		LAN address 				22 (SSH)  	  	Interface IP address 	22 (SSH) 	  	* 	  	  	  	  	  	LAN -> DMZ SSH
              

              DMZ:

              Proto  	Source  	  				Port  	  		Destination  	  	  		Port  	  		Gateway  	Schedule  	Description  	
              TCP  		Interface IP address 	22 (SSH)  	  	LAN address 				22 (SSH) 	  	* 	  	  	  	  	  	DMZ -> LAN SSH
              

              Seems pretty straightforward…. Why isn't it working?  These are my only rules....

              1 Reply Last reply Reply Quote 0
              • GruensFroeschliG
                GruensFroeschli
                last edited by

                Rules only have an effect on the interface on which a connection is started.
                So all rules on the DMZ interface do absolutely nothing for connections comming
                from the LAN.
                Your error is: you've set in the rule as source "LAN-address"
                this means exactly that: the address of the pfsense on the LAN.
                I dont think you create the ssh connection from
                the pfsense itself, so you should change that to LAN-subnet.
                The source-port is always a random number > 1024 and < 65536.
                You've fixed it to 22 which will never happen.
                The destination is interface address again. This has to be the address of the server
                itself.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                1 Reply Last reply Reply Quote 0
                • K
                  kpa
                  last edited by

                  You should start with allowing everything to everything on LAN and the same on DMZ, tighten the rules later when you get hang of the system.

                  Interface address and LAN address mean just what they say, the single ip address assigned to the interface, not the whole subnet connected to the interface. What you want instead is LAN subnet and DMZ subnet if you want to limit by destination in a firewall rule.

                  1 Reply Last reply Reply Quote 0
                  • J
                    Jakobud
                    last edited by

                    Ah okay that makes sense.  I'll change it up now and get back to you guys.  Thanks for the help.  I assumed "LAN Address" mean't "Coming from a LAN Address" :-P

                    1 Reply Last reply Reply Quote 0
                    • J
                      Jakobud
                      last edited by

                      Bah, still not working.  This is what I have:

                      LAN:

                      Proto  	Source		Port		Destination	Port		Gateway		Schedule		Description  	
                      *  			LAN net 	* 	  		* 				* 	  		* 	  	  	  	 		 	  	LAN > Anywhere
                      
                      

                      DMZ:

                      Proto  	Source		Port		Destination	Port		Gateway		Schedule		Description  	
                      *  			DMZ net 	*  	  		* 				* 	  		* 	  	  	  	  	  			DMZ > Anywhere
                      

                      lol I'm not sure how it could be more wide open.  Still not able to SSH to that server in the DMZ.  Does that server need to have its default gatway set to the pfSense firewall?

                      Another note, I can't even connect to the internet through my machine.  Also, I can't ping anything in the DMZ.

                      1 Reply Last reply Reply Quote 0
                      • K
                        kpa
                        last edited by

                        Post screenshots of status->interfaces and diagnostic->routes (just the ipv4 part of routes is enough). Blank out any public ip addresses in your screenshots if you don't want to reveal them.

                        1 Reply Last reply Reply Quote 0
                        • J
                          Jakobud
                          last edited by

                          Okay I got the internet working.  My subnet mask bit for WAN and DMZ was not set to /24 by default.  After changing that, I could access the internet.  Still no dice on SSHing to the DMZ servers.

                          • I'm able to SSH to 192.168.10.100 (the address of the pfSense DMZ interface), but not other servers in 192.168.10.X

                          • I'm able to get DNS resolves from our DMZ server which is located in the DMZ

                          • Can't ssh to DMZ servers from my computer in the LAN

                          • Can't ping DMZ servers from my computer in the LAN

                          • I CAN successfully ping DMZ servers from my pfSense machine (via web interface or command-line)

                          Screenshots otw…

                          1 Reply Last reply Reply Quote 0
                          • J
                            Jakobud
                            last edited by

                            Now these routes…. I didn't actually set these up anywhere.  Are they automatically generated or something?

                            10.20.0.140 is the computer I'm testing from.  It's gateway is set to 10.20.0.100, the pfSense LAN interface
                            10.20.0.141 is the computer I'm currently typing on.  It's gateway is our old/existing firewall
                            10.1.10.1 is the Comcast Business Cable Modem

                            192.168.10.11 I think is our mail server.
                            192.168.10.18 and 192.168.10.20 are our DNS servers.  These are the machines I've been trying to SSH to from 10.20.0.140.

                            Clear as mud?  Thanks for the help by the way.  Once I get the hang of pfSense I don't think it will be a problem.  Just trying to get past these initial hurdles...

                            1 Reply Last reply Reply Quote 0
                            • K
                              kpa
                              last edited by

                              Change the computer you're using to ping the DMZ hosts to use pfSense as it's default gateway and it should start working.

                              1 Reply Last reply Reply Quote 0
                              • J
                                Jakobud
                                last edited by

                                The pfSense LAN interface is 10.20.0.100.  My computer in the LAN already has 10.20.0.100 as its one and only gateway.  I'm sorry am I misunderstanding something?

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kpa
                                  last edited by

                                  Ah sorry, getting tired…

                                  Are the hosts on DMZ using the DMZ interface address as their default gateway?

                                  Try a traceroute or mtr from a LAN host to one of the DMZ hosts.

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    Jakobud
                                    last edited by

                                    Ah, no the DMZ servers do NOT have their gateway set to the pfSense box.  I guess I figured since I could SSH from pfSense directly to a DMZ server, that it didn't matter if I was trying to do the same thing from a computer on the LAN.

                                    So, hopefully that is the problem, but I don't really have a good way to test it at the moment.  This is a network for a small business and currently the DMZ servers have their gateway set to the existing firewall.  I can't just switch it without causing some mayhem with the business traffic.  Is there anyway I can add a secondary gateway or something like that on the servers so I can continue my testing?

                                    Trying to replace a firewall for a business is like trying to change the tires on a moving car :-)

                                    1 Reply Last reply Reply Quote 0
                                    • K
                                      kpa
                                      last edited by

                                      Yeah that explains it, the existing firewall does not know what to do with the return traffic destined to pfSense LAN and discards it. A static route on this firewall that directs traffic to network 10.20.0/24 to ip address 192.168.10.100 would solve the problem.

                                      Edit: Setting the same static route on DMZ hosts individually accomplishes the same in case this existing firewall does not allow setting of static routes.

                                      1 Reply Last reply Reply Quote 0
                                      • E
                                        Efonnes
                                        last edited by

                                        Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration.  If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.

                                        Note: If you want to route inbound connections on that router to the DMZ servers, there is actually a workaround using outbound NAT rules, but it does have a side effect of the servers not being able to know where the traffic came from.

                                        1 Reply Last reply Reply Quote 0
                                        • J
                                          Jakobud
                                          last edited by

                                          @Efonne:

                                          Unless the purpose is only to access the DMZ servers from LAN, there isn't any other reason to have that DMZ network even connected to the router in your current configuration, since they cannot use it for anything else in that configuration.  If they are supposed to be able to accept connections from over the internet through that router, they need it set as the default gateway.

                                          Yup, the existing config is very simple but its only temporary.  I'm just learning the ins and outs of pfSense here.  Eventually I'll lock it down much more once I'm more confident and move toward actually using pfSense as the company firewall.

                                          1 Reply Last reply Reply Quote 0
                                          • E
                                            Efonnes
                                            last edited by

                                            If you only want to allow connections to DMZ and don't need connections from DMZ, but if you also don't want to change anything on your production firewall yet, you could actually even add an outbound NAT rule to NAT all traffic that goes to the DMZ network.  To do so, just create an outbound NAT rule on the DMZ interface from all to all (or from all to DMZ network if you have the subnet set to match already).  Then you should be able to access all of the systems on the DMZ network, for access from LAN, port forwards, or 1:1 mappings.

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.