Simple DMZ setup with webserver



  • Hi,

    I just recently installed pfSense 2.0RC1 after having used ipCop for several years. I got everything working except access to my web server in the DMZ (from the internet).

    WAN: dhcp
    LAN: 192.1.1.0/24
    DMZ: 192.1.2.0/24

    Rules for DMZ:
    Proto  Source   Port  Destination  Port  Gateway  Description
    TCP    DMZ net  *     192.1.1.2    1433  *        MS SQL
    TCP    *        *     LAN net      *     *        Restrict to LAN
    *      DMZ net  *     ! LAN net    *     *        All but LAN

    Rules for LAN:
    Proto  Source                         Port  Destination  Port   Gateway  Queue  Schedule  Description
    *      RFC 1918 networks              *     *            *      *        *                Block private networks
    *      Reserved/not assigned by IANA  *     *            *      *        *      *         Block bogon networks
    TCP    *                              *     192.1.2.1    12500  *        none             NAT Web Server

    Port forward:
    If   Proto  Src. addr  Src. ports  Dest. addr  Dest. ports  NAT IP     NAT Ports  Description
    WAN  TCP    *          *           DMZ net     12500        192.1.2.1  12500      Web Server

    Is the configuration of the DMZ right? (can access internet, not LAN)
    Why does the port forward generate a rule in the LAN?

    Can someone have a look and tell me what is wrong? I see the requests in the firewall log at port 12500, so they are not routed to 192.1.2.1:12500…

    Thanks,
    Daniel



  • Hello Daniel!

    This is how I should have done this setup.
    First of all you should not use .0 in a computer's IP address.
    Add 1 to all addresses so that the LAN and DMZ interfaces start with .1

    I have done the rules below with your IP numbering from the previous post.

    As I understand you have a MS SQL server on the LAN net that you want your Web server on the DMZ net to access.
    Also you want to have full access to internet from DMZ net.
    The DMZ net should not have access to LAN net.
    LAN net has full access to DMZ and WAN net.
    And finally WAN net to DMZ net on tcp port 12500
    This is at least how the setup below is supposed to work.

    DMZ rules:
    Type   ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
    Allow      TCP    DMZ net  *     192.1.1.2    1433  *        none             DMZ to LAN MS SQL
    Allow      *      DMZ net  *     ! LAN net    *     *        none             DMZ to internet and block to LAN
    Block      *      *        *     *            *     *        none             Block all

    LAN rules
    Type   ID  Proto  Source   Port  Destination  Port  Gateway  Queue  Schedule  Description
    Allow      *      LAN Net  *     *            *     *        none             Default allow LAN to any rule

    WAN rules
    Type   ID  Proto  Source   Port  Destination  Port   Gateway  Queue  Schedule  Description
    Allow      TCP    *        *     192.1.2.1    12500  *        none             NAT WAN to DMZ webserver

    NAT Port forward
    If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP     NAT Ports  Description
    WAN  TCP    *          *           WAN address  12500        192.1.2.1  12500      WAN to DMZ webserver

    Also if you have Manual Outbound NAT rule generation you need to create an outbound NAT rule for DMZ net like you have with LAN.

    Hope this helps you on the way.

    /illern.

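The corrected setup from the reply above, written out as a plain pf ruleset so the interface/rule relationships are visible; this is an added illustration, not text from the post and not the ruleset pfSense itself generates. Interface names em0/em1/em2 are assumed placeholders.

```pf
# Assumed interface names (placeholders); addressing as in the thread
ext_if = "em0"   # WAN (dhcp)
lan_if = "em1"   # LAN
dmz_if = "em2"   # DMZ
lan_net   = "192.1.1.0/24"
dmz_net   = "192.1.2.0/24"
webserver = "192.1.2.1"   # web server in the DMZ
sqlserver = "192.1.1.2"   # MS SQL server on the LAN

set skip on lo0
scrub in all

# Outbound NAT for both internal networks (the "manual outbound NAT" point:
# the DMZ net needs its own entry, just like the LAN net)
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Port forward: destination is the WAN address, not "DMZ net",
# so the rule belongs to the WAN interface
rdr on $ext_if proto tcp from any to ($ext_if) port 12500 -> $webserver port 12500

# Default deny: everything not explicitly passed below is blocked and logged
block log all

# LAN rules: default allow LAN to any
pass in quick on $lan_if from $lan_net to any keep state

# DMZ rules: SQL to the LAN server only, then anything except the LAN net
pass in quick on $dmz_if proto tcp from $dmz_net to $sqlserver port 1433 keep state
pass in quick on $dmz_if from $dmz_net to ! $lan_net keep state
# (remaining DMZ -> LAN traffic falls through to "block log all")

# WAN rules: rdr has already rewritten the destination to the web server,
# so the pass rule matches the internal address, as in the WAN rule above
pass in quick on $ext_if proto tcp from any to $webserver port 12500 keep state
```

Load with `pfctl -nf pf.conf` first to syntax-check before `pfctl -f pf.conf`.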


  • Thank you very much!

    I see my error better now…

