Netgate Discussion Forum
    Simple DMZ setup with webserver

    Category: NAT
    3 Posts 2 Posters 15.1k Views

    bluebird:

      Hi,

      I just recently installed pfSense 2.0RC1 after having used ipCop for several years. I got everything working except the access to my web server in the DMZ (from the internet).

      WAN: dhcp
      LAN: 192.1.1.0/24
      DMZ: 192.1.2.0/24

      Rules for DMZ:
      Proto  Source   Port  Destination  Port  Gateway  Description
      TCP    DMZ net  *     192.1.1.2    1433  *        MS SQL
      TCP    *        *     LAN net      *     *        Restrict to LAN
             DMZ net  *     ! LAN net    *     *        All but LAN

      Rules for LAN:
      Proto  Source                         Port  Destination  Port   Gateway  Queue  Schedule  Description
             RFC 1918 networks              *     *            *      *        *                Block private networks
             Reserved/not assigned by IANA  *     *            *      *        *                Block bogon networks
      TCP    *                              *     192.1.2.1    12500  *        none             NAT Web Server

      Port forward:
      If   Proto  Src. addr  Src. ports  Dest. addr  Dest. ports  NAT IP     NAT Ports  Description
      WAN  TCP    *          *           DMZ net     12500        192.1.2.1  12500      Web Server

      Is the configuration of the DMZ right? (can access internet, not LAN)
      Why does the port forward generate a rule in the LAN?

      Can someone have a look and tell me what is wrong? I see the requests in the firewall log at port 12500, so they are not routed to 192.1.2.1:12500…

      Thanks,
      Daniel

      illern:

        Hello Daniel!

        This is how I would have done this setup.
        First of all, you should not use .0 in a computer's IP address.
        Add 1 to all addresses so that the LAN and DMZ interfaces start with .1.

        I have done the rules below with your IP numbering from the previous post.

        As I understand it, you have an MS SQL server on the LAN net that you want your web server on the DMZ net to access.
        You also want full access to the internet from the DMZ net.
        The DMZ net should not have access to the LAN net.
        The LAN net has full access to the DMZ and WAN nets.
        And finally, the WAN net to the DMZ net on TCP port 12500.
        This is at least how the setup below is supposed to work.

        DMZ rules:
        Type   ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
        Allow      TCP    DMZ net  *     192.1.1.2    1433  *        none             DMZ to LAN MS SQL
        Allow      *      DMZ net  *     ! LAN net    *     *        none             DMZ to internet and block to LAN
        Block      *      *        *     *            *     *        none             Block all

        LAN rules:
        Type   ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
        Allow      *      LAN net  *     *            *     *        none             Default allow LAN to any rule

        WAN rules:
        Type   ID  Proto  Source   Port  Destination  Port   Gateway  Queue  Schedule  Description
        Allow      TCP    *        *     192.1.2.1    12500  *        none             NAT WAN to DMZ webserver

        NAT Port forward:
        If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP     NAT Ports  Description
        WAN  TCP    *          *           WAN address  12500        192.1.2.1  12500      WAN to DMZ webserver

        Also, if you have Manual Outbound NAT rule generation, you need to create an outbound NAT rule for the DMZ net like you have for the LAN.

        Hope this helps you on the way.

        /illern.

          bluebird:
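The two things that decide whether the rule set above actually works are the order in which pfSense (pf) processes an inbound packet and which destination each table is matched against: a port forward rewrites the destination before the WAN rules are read, so the WAN rule must match the private NAT IP (192.1.2.1), while the forward itself must match what an internet packet really carries, the WAN address. The following is an added model of that processing written for this page, not pfSense code and not from either poster. It loads illern's rules verbatim, assumes a constructed WAN address 203.0.113.10 and remote client 198.51.100.7, ignores state tracking and outbound NAT, and also runs the first post's forward (destination "DMZ net") to show why it never fires on traffic arriving at the WAN IP.

```python
"""Toy model of how pfSense (pf) handles a packet entering an interface:
a matching port forward (rdr) rewrites the destination first, then the
rules of the entry interface are read top to bottom, first match wins,
and an unmatched packet is dropped by the implicit default deny.
Constructed example for this page; not pfSense's own code."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addressing from the thread. The WAN address is an assumption: the
# thread's WAN is on DHCP and the posts never state it.
ALIASES = {
    "LAN net": ip_network("192.1.1.0/24"),
    "DMZ net": ip_network("192.1.2.0/24"),
    "WAN address": ip_network("203.0.113.10/32"),
}


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "WAN", "LAN" or "DMZ"
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp" or "*"
    src: str      # "*", an alias, or a host/network, optionally "! "-prefixed
    dst: str
    dport: object  # port number or "*"
    desc: str = ""


@dataclass(frozen=True)
class PortForward:
    iface: str
    proto: str
    dst: str      # what the packet's destination must match BEFORE translation
    dport: int
    nat_ip: str
    nat_port: int


def addr_matches(spec: str, addr: str) -> bool:
    """pfSense-style address match: "*" is anything, "LAN net" etc. are
    interface aliases, anything else is a host or network, and a
    leading "!" inverts the result."""
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    if spec == "*":
        hit = True
    else:
        net = ALIASES[spec] if spec in ALIASES else ip_network(spec, strict=False)
        hit = ip_address(addr) in net
    return hit != negate


def apply_port_forward(pkt: Packet, forwards):
    """Return the (possibly translated) packet and the forward that fired."""
    for fwd in forwards:
        if (fwd.iface == pkt.iface and fwd.proto in ("*", pkt.proto)
                and addr_matches(fwd.dst, pkt.dst) and fwd.dport == pkt.dport):
            return replace(pkt, dst=fwd.nat_ip, dport=fwd.nat_port), fwd
    return pkt, None


def filter_packet(pkt: Packet, rulesets) -> tuple:
    """First-match evaluation of the entry interface's rules; default deny."""
    for rule in rulesets.get(pkt.iface, []):
        if (rule.proto in ("*", pkt.proto)
                and addr_matches(rule.src, pkt.src)
                and addr_matches(rule.dst, pkt.dst)
                and rule.dport in ("*", pkt.dport)):
            return rule.action, rule.desc
    return "block", "default deny"


def process(pkt: Packet, forwards, rulesets) -> tuple:
    """NAT first, then filter against the translated destination."""
    translated, _ = apply_port_forward(pkt, forwards)
    action, desc = filter_packet(translated, rulesets)
    return action, desc, translated.dst, translated.dport


# illern's rule set, as posted in the reply above.
RULES = {
    "DMZ": [
        Rule("pass", "tcp", "DMZ net", "192.1.1.2", 1433, "DMZ to LAN MS SQL"),
        Rule("pass", "*", "DMZ net", "! LAN net", "*", "DMZ to internet and block to LAN"),
        Rule("block", "*", "*", "*", "*", "Block all"),
    ],
    "LAN": [Rule("pass", "*", "LAN net", "*", "*", "Default allow LAN to any rule")],
    "WAN": [Rule("pass", "tcp", "*", "192.1.2.1", 12500, "NAT WAN to DMZ webserver")],
}
# illern's forward matches the WAN address; the first post's matched "DMZ net".
FORWARD_WAN_ADDRESS = [PortForward("WAN", "tcp", "WAN address", 12500, "192.1.2.1", 12500)]
FORWARD_DMZ_NET = [PortForward("WAN", "tcp", "DMZ net", 12500, "192.1.2.1", 12500)]


def demo() -> dict:
    """Run the flows the thread cares about; 198.51.100.7 is a constructed client."""
    flows = {
        "dmz->lan sql": Packet("DMZ", "tcp", "192.1.2.1", "192.1.1.2", 1433),
        "dmz->lan smb": Packet("DMZ", "tcp", "192.1.2.1", "192.1.1.2", 445),
        "dmz->internet": Packet("DMZ", "tcp", "192.1.2.1", "198.51.100.7", 443),
        "wan->web": Packet("WAN", "tcp", "198.51.100.7", "203.0.113.10", 12500),
        "wan->ssh": Packet("WAN", "tcp", "198.51.100.7", "203.0.113.10", 22),
        "lan->dmz": Packet("LAN", "tcp", "192.1.1.5", "192.1.2.1", 80),
    }
    results = {name: process(p, FORWARD_WAN_ADDRESS, RULES) for name, p in flows.items()}
    # Same inbound web request, but with the first post's "DMZ net" forward.
    results["wan->web (forward on DMZ net)"] = process(flows["wan->web"], FORWARD_DMZ_NET, RULES)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

The model shows the check a practitioner would do before blaming the rules: a packet for 203.0.113.10:12500 only reaches the DMZ rule when the forward's destination is the WAN address, at which point the WAN rule sees 192.1.2.1:12500 and passes it; with "DMZ net" as the forward's destination nothing is translated, no WAN rule matches, and the packet is logged as a default-deny block, which is consistent with seeing the requests on port 12500 in the firewall log.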

          Thank you very much!

          I now see my error better…

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.