Multi Wan & DMZ problem: cannot exit from the DMZ



  • Hi all,
    I'm really locked and can't get my pfsense box working as I desire. This is the setup:

    • LAN (rl0) interface = 192.168.1.0/24
    • WAN1 (re1) with a specific domain and router
    • WAN2 (re2) with a specific domain and router
    • WAN3 (re3) with a specific domain and router
    • DMZ (re0) interface = 192.168.245.0/24 without any router in the interface definition

    Now, I'd like to have the following setup working:

    1. load balancing with the aggregation of WAN1, WAN2, WAN3 (this is working now)
    2. port forwarding and NAT between the DMZ and the WAN2 (this is not working now).

    I've followed instructions here http://doc.m0n0.ch/handbook-single/#id2604946 without any success.

    Now, to enable the DMZ I've set up an interface with the address 192.168.245.7 without a gateway. If I leave the Outbound NAT automatic I can exit the DMZ and reach any other node, but through the Load Balancing pseudo interface, so this is not what I need since I'd like to have the DMZ NATted on the WAN2 interface. So I've chosen the manual configuration for outbound and created a virtual IP with the WAN2 address, created a rule for NATting on such address and … the DMZ is no longer working. I cannot ping any address from the DMZ, I cannot make a DNS lookup and cannot browse the web. I suspect this is due to the "null" router set up on the DMZ interface, so I've tried to set up a rule in the DMZ firewall rule set that allows the traffic on such interface to pass through another gateway (I've tried the WAN aggregation by the load balancer) but even so it is not working.

    I've checked the firewall and it is allowing the traffic generated from the DMZ, and in fact I don't see any blocked packet from the DMZ.

    Now checking the nat rules from the command line, this is what I've got with the manual outbound configuration:

    
    nat on re0 inet from 192.168.245.0/24 to any -> 85.33.98.138 port 1024:65535
    
    

    that seems correct, while in the case of automatic nat I've got:

    
    nat on re3 inet from 192.168.245.0/24 to any -> (re3) port 1024:65535 round-robin
    nat on re1 inet from 192.168.245.0/24 to any -> (re1) port 1024:65535 round-robin
    nat on re2 inet from 192.168.245.0/24 to any -> (re2) port 1024:65535 round-robin
    
    

    The difference between the two is that in the first case the NAT is only on the re0 interface, that is the DMZ, while in the other case I've got the NAT on all interfaces except the DMZ one. Since the first case seems correct to me, I guess the problem is the null gateway of the re0.
    I'm sure I'm doing something wrong, or maybe what I'm trying to achieve is simply not possible. Can anyone help me with this? I'm really having a hard time….
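As an added illustration that is not the poster's configuration: in pf, `nat on <interface>` translates packets as they leave that interface, so a translation meant for WAN2 belongs on re2, and because the DMZ interface has no gateway the DMZ rules need a `route-to` towards WAN2's next hop. The interface names and subnets are the ones from the post; the WAN2 gateway address is a placeholder, and the DMZ-to-LAN block is a design choice assumed here.

```pf
# Added example, not the thread's config: "DMZ may only exit through WAN2".
# re0 = DMZ, re2 = WAN2 (from the post); the gateway address is a placeholder
# taken from the RFC 5737 documentation range.
dmz_if  = "re0"
wan2_if = "re2"
wan2_gw = "203.0.113.1"
dmz_net = "192.168.245.0/24"
lan_net = "192.168.1.0/24"

# Outbound NAT is attached to the interface the packets leave (WAN2), never to
# the DMZ interface itself. "($wan2_if)" follows the interface's current address.
nat on $wan2_if inet from $dmz_net to any -> ($wan2_if) port 1024:65535

# Ordering matters because of "quick": traffic that must not be policy-routed
# is matched first.
# 1. A DMZ host should not reach the internal LAN.
block in quick on $dmz_if inet from $dmz_net to $lan_net
# 2. DNS forwarder and pings to the firewall's own DMZ address stay local.
pass in quick on $dmz_if inet from $dmz_net to ($dmz_if) keep state
# 3. Everything else from the DMZ is sent to WAN2's gateway instead of the
#    default route; the state entry brings replies back through the same WAN.
pass in quick on $dmz_if route-to ($wan2_if $wan2_gw) inet from $dmz_net to any keep state
```

`pfctl -s nat` and `pfctl -s rules` on the box should then show the translation on re2 and the route-to rule on re0, which is the opposite interface placement from the `nat on re0` line quoted above.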

  • I've also checked the guide at http://digitalphotomac.com/PFsense/DMZ/ and cannot see what the difference from my setup is. :(
    I've tried to place one of the gateways in the firewall rule for the DMZ -> internet, so that it should be forced to use such gateway through the corresponding interface. However, even if I can see the outgoing traffic in the firewall logs, I cannot see any incoming traffic and nothing blocked by the firewall itself.
    Any idea on how to investigate the problem?



  • Uhm.. I discovered another strange thing that may be the cause of the non-working DMZ: if I go to the ping maintenance menu and then try to ping an external host from all my WANs, I get it working only from the main WAN, even if the load balancer says that the interfaces are running (this is because they can ping their router). So maybe I've got to solve this connectivity problem first, and then try again with the DMZ.

    Now, if I try to ping an external host from the pfsense command line forcing the routing, I get no answer:

    
    # ping -S XX.XX.XX.137 www.google.com
    PING www.l.google.com (72.14.234.104) from 85.33.98.137: 56 data bytes
    ^C
    --- www.l.google.com ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    
    

    and of course a route to www.google.com goes through the default interface:

    
    # route get www.google.com
       route to: mil01s07-in-f104.1e100.net
    destination: default
           mask: default
      interface: re3
          flags: <UP,GATEWAY,DONE,STATIC>
     recvpipe  sendpipe  ssthresh  rtt,msec    rttvar  hopcount      mtu     expire
           0         0         0         0         0         0      1500         0
    

    the interface re3 is my primary WAN.

    Any suggestion?



  • It turned out I had a problem with the WAN my machine should use: I was able to exit the DMZ using another WAN with the NAT working fine, so I investigated and found that the router was blocking even the pfsense machine  >:(
    A colleague of mine had changed the NAT of the router from none to MUA….. changing it back to none makes the pfsense and the DMZ work fine!  ;D

