Simple DMZ setup with webserver

bluebird

Hi,

I just recently installed pfSense 2.0RC1 after having used ipCop for several years. I got everything working excepted the access to my web server in the DMZ (from internet).

WAN: dhcp
LAN: 192.1.1.0/24
DMZ: 192.1.2.0/24

Rules for DMZ:
Proto Source Port Destination  Port Gateway Description
TCP DMZ net * 192.1.1.2  1433 *      MS SQL
TCP *              * LAN net    * *         Restrict to LAN

• DMZ net * ! LAN net  * *         All but LAN

Rules for LAN:
Proto Source Port Destination Port Gateway Queue Schedule Description

• RFC 1918 networks * * * * * Block private networks
• Reserved/not assigned by IANA * * * * * * Block bogon networks
  TCP * * 192.1.2.1 12500 * none   NAT Web Server

Port forward:
If Proto Src. addr Src.          ports Dest. addr Dest. ports NAT IP NAT Ports Description
WAN TCP * * DMZ net 12500 192.1.2.1 12500                                 Web Server

Is the configuration of the DMZ right? (can access internet, not LAN)
Why does the port forward generate a rule in the LAN?

Can some one have look an tell me what is wrong? I see the requests in the firewall log at port 12500, so they are not routed to 192.1.2.1:12500…

Thanks,
Daniel

illern

Hello Daniel!

This is how I should have done this setup.
First of all you should not use .0 in a computers IP adress.
Add 1 to all addresses so that the LAN and DMZ interfaces start with .1

I have done the rules below with your IP numbering from the previous post.

As I understand you have a MS SQL server on the LAN net that you want your Web server on the DMZ net to access.
Also you want to have full access to internet from DMZ net.
The DMZ net should not have access to LAN net.
LAN net have full access to DMZ and WAN net
And finally WAN net to DMZ net on tcp port 12500
This is at least how the setup below is supposed to work.

DMZ rules:
Type  ID    Proto      Source    Port      Destination              Port        Gateway  Queue    Schedule  Description
Allow        TCP        DMZ net  *          192.1.1.2                1433        *              none                        DMZ to LAN MS SQL
Allow        *            DMZ net  *          ! LAN net                  *            *              none                        DMZ to internet and block to LAN
Block        *            *              *          *                              *            *              none                        Block all

LAN rules
Type  ID    Proto      Source    Port      Destination              Port        Gateway  Queue    Schedule  Description
Allow        *              LAN Net  *          *                              *              *              none                      Default allow LAN to any rule

WAN rules
Type  ID    Proto      Source    Port      Destination              Port        Gateway  Queue    Schedule  Description
Allow        TCP          *              *          192.1.2.1                12500      *              none                      NAT WAN to DMZ webserver

NAT Port forward
If        Proto      Src. addr        Src. ports      Dest. addr      Dest. ports      NAT IP              NAT Ports      Description
WAN    TCP        *                  *                    WAN address  12500             192.1.2.1          12500            WAN to DMZ webserver

Also if you have Manual Outbound NAT rule generation you need to create a outbound nat rule for DMZ net like you have with LAN.

Hope this helps you on the way.

/illern.

bluebird

Thank you very much!

I see now better my error…