Simple DMZ setup with webserver
-
Hi,
I just recently installed pfSense 2.0RC1 after having used ipCop for several years. I got everything working except the access to my web server in the DMZ (from the internet).
WAN: dhcp
LAN: 192.1.1.0/24
DMZ: 192.1.2.0/24

Rules for DMZ:
Proto | Source | Port | Destination | Port | Gateway | Description
TCP | DMZ net | * | 192.1.1.2 | 1433 | * | MS SQL
TCP | * | * | LAN net | * | * | Restrict to LAN
- | DMZ net | * | ! LAN net | * | * | All but LAN
Rules for LAN:
Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
- | RFC 1918 networks | * | * | * | * | * | Block private networks
- | Reserved/not assigned by IANA | * | * | * | * | * | * | Block bogon networks
TCP | * | * | 192.1.2.1 | 12500 | * | none | NAT Web Server
Port forward:
If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description
WAN | TCP | * | * | DMZ net | 12500 | 192.1.2.1 | 12500 | Web Server

Is the configuration of the DMZ right? (can access internet, not LAN)
Why does the port forward generate a rule in the LAN?
Can someone have a look and tell me what is wrong? I see the requests in the firewall log at port 12500, so they are not routed to 192.1.2.1:12500…
Thanks,
Daniel -
Hello Daniel!
This is how I should have done this setup.
First of all you should not use .0 in a computer's IP address.
Add 1 to all addresses so that the LAN and DMZ interfaces start with .1

I have done the rules below with your IP numbering from the previous post.
As I understand you have a MS SQL server on the LAN net that you want your Web server on the DMZ net to access.
Also you want to have full access to internet from DMZ net.
The DMZ net should not have access to LAN net.
LAN net has full access to DMZ and WAN net
And finally WAN net to DMZ net on tcp port 12500
This is at least how the setup below is supposed to work.

DMZ rules:
Type | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
Allow | TCP | DMZ net | * | 192.1.1.2 | 1433 | * | none | DMZ to LAN MS SQL
Allow | * | DMZ net | * | ! LAN net | * | * | none | DMZ to internet and block to LAN
Block | * | * | * | * | * | * | none | Block all

LAN rules
Type | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
Allow | * | LAN Net | * | * | * | * | none | Default allow LAN to any rule

WAN rules
Type | ID | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description
Allow | TCP | * | * | 192.1.2.1 | 12500 | * | none | NAT WAN to DMZ webserver

NAT Port forward
If | Proto | Src. addr | Src. ports | Dest. addr | Dest. ports | NAT IP | NAT Ports | Description
WAN | TCP | * | * | WAN address | 12500 | 192.1.2.1 | 12500 | WAN to DMZ webserver

Also, if you have Manual Outbound NAT rule generation you need to create an outbound NAT rule for DMZ net like you have with LAN.
Hope this helps you on the way.
/illern.
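To see why rule order and the port-forward destination matter in the ruleset above, here is a small first-match filter/NAT model of it. This is an added example, not pfSense code and not part of either post. It assumes pfSense's interface rules are evaluated top-down with the first match winning and the default being block; that a port forward is matched against the destination as the packet arrives on WAN (the WAN address) before the destination is rewritten to the NAT IP; and that the WAN rule then sees the post-NAT destination. The WAN address 203.0.113.10 and the remote client 198.51.100.7 are constructed test addresses; the LAN/DMZ numbering is taken from the thread.

```python
"""First-match model of the DMZ/WAN ruleset from the thread (added example, not pfSense code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Interface networks from the thread; WAN address is a constructed TEST-NET-3 value.
NETS = {
    "LAN net": ip_network("192.1.1.0/24"),
    "DMZ net": ip_network("192.1.2.0/24"),
}
WAN_ADDRESS = ip_address("203.0.113.10")  # assumption: constructed for the example


def match_addr(spec: str, addr) -> bool:
    """'*' is any; '! X' negates; 'X net' is an interface alias; else a host or CIDR."""
    if spec == "*":
        return True
    if spec.startswith("! "):
        return not match_addr(spec[2:], addr)
    if spec == "WAN address":
        return addr == WAN_ADDRESS
    if spec in NETS:
        return addr in NETS[spec]
    return addr in ip_network(spec, strict=False)


def match_port(spec: str, port: int) -> bool:
    return spec == "*" or int(spec) == port


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str   # "pass" or "block"
    iface: str
    proto: str
    src: str
    dst: str
    dport: str
    descr: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface
                and self.proto in ("*", p.proto)
                and match_addr(self.src, ip_address(p.src))
                and match_addr(self.dst, ip_address(p.dst))
                and match_port(self.dport, p.dport))


@dataclass(frozen=True)
class PortForward:
    iface: str
    proto: str
    dst: str       # pre-NAT destination ("WAN address" in illern's version)
    dport: str
    nat_ip: str
    nat_port: int


def filter_decision(rules, p: Packet) -> str:
    """Top-down, first match wins; no match means the interface default of block."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "block"


def inbound(rules, forwards, p: Packet):
    """Apply the first matching port forward (on the pre-NAT destination), then filter."""
    for f in forwards:
        if (f.iface == p.iface and f.proto == p.proto
                and match_addr(f.dst, ip_address(p.dst)) and match_port(f.dport, p.dport)):
            p = Packet(p.iface, p.proto, p.src, f.nat_ip, f.nat_port)
            break
    return filter_decision(rules, p), p.dst


# illern's DMZ and WAN rules, in the order given in the post.
DMZ_RULES = [
    Rule("pass", "DMZ", "TCP", "DMZ net", "192.1.1.2", "1433", "DMZ to LAN MS SQL"),
    Rule("pass", "DMZ", "*", "DMZ net", "! LAN net", "*", "DMZ to internet and block to LAN"),
    Rule("block", "DMZ", "*", "*", "*", "*", "Block all"),
]
WAN_RULES = [Rule("pass", "WAN", "TCP", "*", "192.1.2.1", "12500", "NAT WAN to DMZ webserver")]
WAN_FORWARDS = [PortForward("WAN", "TCP", "WAN address", "12500", "192.1.2.1", 12500)]

# Daniel's original forward: destination "DMZ net", and no pass rule on WAN.
ORIG_FORWARDS = [PortForward("WAN", "TCP", "DMZ net", "12500", "192.1.2.1", 12500)]
ORIG_WAN_RULES = []

if __name__ == "__main__":
    client = Packet("WAN", "TCP", "198.51.100.7", str(WAN_ADDRESS), 12500)
    print("illern:", inbound(WAN_RULES, WAN_FORWARDS, client))
    print("original:", inbound(ORIG_WAN_RULES, ORIG_FORWARDS, client))
```

Running it, the web-server packet arriving at the WAN address is forwarded and passed under illern's version, while the original forward never matches because the WAN address is not inside "DMZ net", so the packet falls through to the default block, which is consistent with Daniel seeing the port 12500 requests in the firewall log. Swapping the "Block all" DMZ rule above the "! LAN net" rule would block all DMZ traffic, which is why the order in illern's list matters.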
-
Thank you very much!
I now see my error better…