DMZ Rule - destination WAN not working



  • Hi,

    I'm not sure if I'm doing this right so I'm looking for a little insight.

    I have a 1.2.3 system with three interfaces (WAN, DMZ, LAN).

    On the DMZ, I'm setting up a new server and wanted to do a yum update.  I add a rule on the DMZ interface specifying TCP, the server's private IP on any port, destination WAN address, any dest port, default gateway, no schedule.  Save it and apply it.

    I then do a yum update (I've also tried a wget) and the firewall is blocking the server trying to get to the destination on port 80, TCP:S.

    If I change the rule to allow ANY destination and restrict it to port 80, the server can get out, but now it can get to the LAN too.

    Other than being stupid, what am I missing?

    Thanks



  • You don't want to specify a destination IP address unless you're only allowing the traffic to a specific YUM server.  You definitely don't want the WAN address to be the destination IP.



  • Sorry sub, I'm not following you.

    I don't have the yum server IP set, I only have WAN address as the destination.

    I've found a couple posts here talking about having to set the destination to ANY, then add a rule to block the server (or network) in question from being able to access the LAN.  Is that right?  Seems a bit strange when I have a destination called "WAN address."  Hey!  That's where I want to go, let's set that!  … apparently not.... ::)

    Is the any and block to LAN the way to go because I technically have that set up.  The last rule in the DMZ set is any port/proto for any source with a destination of LAN net is blocked.  But if I put in a rule saying DMZ server 1 allowed to ANY for SSH, I can hit a LAN box on SSH from the DMZ.  Seems like that doesn't work either.



  • Ok, I think I finally pulled my head out.

    The rule isn't allow DMZ server access to the WAN address, it's allow the server access to any interfaces that is NOT a LAN address.

    Right?

    WTF is "WAN address" for then?



  • WAN address is exactly that.
    The IP-address which is configured on the WAN.



  • @TomBodet:

    Ok, I think I finally pulled my head out.

    The rule isn't allow DMZ server access to the WAN address, it's allow the server access to any interfaces that is NOT a LAN address.

    Right?

    WTF is "WAN address" for then?

    It is meant to allow access to the pfsense box itself from the WAN.  Lets say you want to access the pfsense box via SSH from the internet, then you will set an allow rule for:

    • Source IP: Any

    • Source Port: Any

    • Dest. IP: WAN Address

    • Dest. Port: 22

    Without this, the firewall will drop the SSH connection inbound to the pfsense box from the WAN connection.

    Alternatively, if you need to block clients on the LAN from connecting to the pfsense box via SSH except say, a known IP (say: 192.168.1.250) for your administrative machine, then you will set a Block rule as such:

    • Source IP: NOT 192.168.1.250

    • Source Port: Any

    • Dest. IP: LAN Address

    • Dest. Port: 22


Log in to reply