Netgate Discussion Forum

AON and bridging

NAT
Steve Mustafa:

We have a pfSense 1.2.3 firewall with 5 interfaces (2 WAN, 1 LAN, 1 DMZ, 1 Wireless), and for some reason that is completely beyond my comprehension, access to the DMZ does not happen unless I bridge the DMZ with the LAN! This is driving me up the walls because it goes against every grain in my fiber of understanding!

ASCII art:

(Multiple S-IP, 1:1 NAT -> ARP VIPs)
WAN 1 ----------------+                     +---- DMZ (10.0.0.0/24) ---- mx2 (10.0.0.9) | webserver (10.0.0.2)
                      |                     |
                      +------ pfSense ------+---- LAN ------------------ zillions of machines (192.168.0.0/16)
                      |                     |
WAN 2 ----------------+                     +---- Wireless ------------- 169.254.10/24
PPPoE (DHCP)

      (DMZ is referred to as Orange, Wireless as Blue and LAN as Green)

      Issues:

      1.    Clients on the Wireless subnet get DHCP from the FW, but cannot ping the outside world
      2.    If the DMZ is not bridged with the LAN, then there is no access from the outside world: (WAN -> DMZ) (even though there is an explicit rule for that)

WAN -> DMZ rules (these are on the WAN interface):

Proto     Source  Port  Destination  Port         Gateway  Schedule  Description
TCP/UDP   *       *     WebServer    80 (HTTP)    *                  NAT WAN -> Website (Orange) (HTTP)
TCP/UDP   *       *     WebServer    443 (HTTPS)  *                  NAT WAN -> Website (Orange) (HTTPS)

      Advanced Outbound NAT is turned off. I tried to fiddle with that and completely screwed things up so I put that on hold until I know what I'm doing.

In the near future, we're re-setting up a server which will give us a new slice that will have another pfSense firewall for the second WAN (which currently is connected from the modem to a router to WAN2) so that we can have a second gateway, purely for some LAN users.

      Ideas on how I can fix this?

      TIA

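As an added example (not code from the post, and not pfSense's own code), the following Python script runs the sanity checks a practitioner would apply to the topology above before reaching for a bridge: whether an internal subnet is link-local (169.254.0.0/16 is reserved by RFC 3927; hosts treat it as on-link and do not send it to a gateway, which by itself would explain Wireless clients that get a lease but cannot reach the outside if that subnet really is 169.254.10.0/24), whether each internal subnet has an outbound NAT rule on each WAN, whether every DMZ host's default gateway sits on the DMZ subnet (a DMZ host still pointing at a LAN gateway is one configuration that only starts working once DMZ and LAN are bridged), and whether the WAN rules for 1:1 NAT name the internal address rather than the VIP (pf translates inbound traffic before it filters it, so the rule must match the post-NAT destination). The WAN subnets, the VIP, the hosts' gateways and the outbound NAT list are assumptions; mx2 is deliberately given a LAN gateway so that check fires.

```python
"""Sanity checks for a multi-leg pfSense-style topology.

Constructed example for the forum thread above; the 10.0.0.0/24, 192.168.0.0/16
and 169.254.10.0/24 subnets and the 10.0.0.2 / 10.0.0.9 hosts come from the
post, everything else (WAN ranges, VIP, gateways, outbound NAT list) is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address
LINK_LOCAL = IPv4Net("169.254.0.0/16")   # RFC 3927, never routed


@dataclass(frozen=True)
class Iface:
    name: str
    subnet: IPv4Net      # network on this leg of the firewall
    role: str            # "wan" or "internal"


@dataclass(frozen=True)
class Host:
    name: str
    address: IPv4Addr
    gateway: IPv4Addr    # the host's configured default gateway


@dataclass(frozen=True)
class OneToOne:
    external: IPv4Addr   # ARP VIP on the WAN side
    internal: IPv4Addr   # real address of the DMZ host


@dataclass(frozen=True)
class WanRule:
    dest: IPv4Addr       # destination as written in the WAN firewall rule
    port: int


def check_topology(ifaces: List[Iface], hosts: List[Host], onetoone: List[OneToOne],
                   wan_rules: List[WanRule],
                   outbound_nat: Set[Tuple[str, IPv4Net]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing obvious is wrong."""
    findings: List[str] = []
    wans = [i for i in ifaces if i.role == "wan"]
    internals = [i for i in ifaces if i.role == "internal"]

    # 1. A link-local range on a routed leg: clients treat 169.254/16 as on-link
    #    and never hand such traffic to their gateway.
    for i in internals:
        if i.subnet.subnet_of(LINK_LOCAL):
            findings.append(f"{i.name}: {i.subnet} is link-local; use an RFC 1918 range")

    # 2. Each internal subnet that should reach the Internet needs an outbound
    #    NAT rule on every WAN it can egress through.
    for w in wans:
        for i in internals:
            if (w.name, i.subnet) not in outbound_nat:
                findings.append(f"{w.name}: no outbound NAT for {i.name} ({i.subnet})")

    # 3. A host whose default gateway is not on its own subnet can only reply
    #    to outside traffic if that subnet is bridged with the gateway's subnet.
    for h in hosts:
        leg = next((i for i in internals if h.address in i.subnet), None)
        if leg is None:
            findings.append(f"{h.name}: {h.address} is on no internal subnet")
        elif h.gateway not in leg.subnet:
            findings.append(f"{h.name}: gateway {h.gateway} is not on {leg.name} ({leg.subnet})")

    # 4. With 1:1 NAT, inbound packets are translated before filtering, so the
    #    WAN rule must name the internal address, not the VIP.
    vips = {m.external for m in onetoone}
    for r in wan_rules:
        if r.dest in vips:
            findings.append(f"WAN rule to {r.dest}:{r.port} names the VIP; use the 1:1 internal address")
    return findings


def post_topology() -> List[str]:
    """The thread's topology, with constructed details where the post gives none."""
    ifaces = [
        Iface("WAN1", IPv4Net("203.0.113.0/29"), "wan"),       # assumed (RFC 5737 range)
        Iface("WAN2", IPv4Net("198.51.100.0/30"), "wan"),      # assumed
        Iface("LAN", IPv4Net("192.168.0.0/16"), "internal"),
        Iface("DMZ", IPv4Net("10.0.0.0/24"), "internal"),
        Iface("Wireless", IPv4Net("169.254.10.0/24"), "internal"),
    ]
    hosts = [
        Host("webserver", IPv4Addr("10.0.0.2"), IPv4Addr("10.0.0.1")),   # gateway assumed
        Host("mx2", IPv4Addr("10.0.0.9"), IPv4Addr("192.168.0.1")),      # deliberately wrong: LAN gateway
    ]
    onetoone = [OneToOne(IPv4Addr("203.0.113.2"), IPv4Addr("10.0.0.2"))]  # VIP assumed
    wan_rules = [WanRule(IPv4Addr("10.0.0.2"), 80), WanRule(IPv4Addr("10.0.0.2"), 443)]
    outbound_nat = {  # assumed: LAN and DMZ covered on both WANs, Wireless on neither
        ("WAN1", IPv4Net("192.168.0.0/16")), ("WAN1", IPv4Net("10.0.0.0/24")),
        ("WAN2", IPv4Net("192.168.0.0/16")), ("WAN2", IPv4Net("10.0.0.0/24")),
    }
    return check_topology(ifaces, hosts, onetoone, wan_rules, outbound_nat)


if __name__ == "__main__":
    for line in post_topology():
        print(line)
```

Run as-is it reports four findings for the constructed data: the link-local Wireless range, the missing outbound NAT for Wireless on both WANs, and mx2's gateway sitting on the LAN rather than the DMZ. Replace the assumed values with the real ones (the DMZ hosts' actual gateways and the rules `pfctl -sn` shows) before trusting the result.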
Steve Mustafa:

        bump.
