AON and bridging
-
We have a pfSense 1.2.3 firewall with 5 interfaces (2 WAN, 1 LAN, 1 DMZ, 1 Wireless), and for some reason that is completely beyond my comprehension, access to the DMZ does not happen unless I bridge the DMZ with the LAN! This is driving me up the walls because it goes against every grain in my fiber of understanding!
ASCII art:

                              (Multiple S-IP, 1:1 NAT -> ARP VIPs)  10.0.0.0/24
WAN 1 --------+                        +------- DMZ ------------ mx2 (10.0.0.9) | webserver (10.0.0.2)
              |                        |
              +------- pfSense --------+------- LAN ------------ Zillions of machines (192.168.0.0/16)
              |                        |
WAN 2 --------+                        +------- Wireless ------- 169.254.10/24
PPPoE (DHCP)

(DMZ is referred to as Orange, Wireless as Blue and LAN as Green)
Issues:
1. Clients on the Wireless subnet get DHCP from the FW, but cannot ping the outside world
2. If the DMZ is not bridged with the LAN, then there is no access from the outside world (WAN -> DMZ), even though there is an explicit rule for that. The WAN -> DMZ rules are (this is on the WAN interface):
Proto     Source  Port  Destination  Port         Gateway  Schedule  Description
TCP/UDP   *       *     WebServer    80 (HTTP)    *                  NAT WAN -> Website (Orange) (HTTP)
TCP/UDP   *       *     WebServer    443 (HTTPS)  *                  NAT WAN -> Website (Orange) (HTTPS)
Advanced Outbound NAT is turned off. I tried to fiddle with that and completely screwed things up, so I put that on hold until I know what I'm doing.
In the near future, we're setting up a server again, which will give us a new slice with another pfSense firewall for the second WAN (which is currently connected from the modem to a router to WAN2), so that we can have a second gateway purely for some LAN users.
Ideas on how I can fix this?
TIA
-
bump.