DMZ default blocked problem

Firewalling
Klexx:

I have a pfSense 1.0.1 with 4 NICs:

LAN*          -> xl0 -> 10.0.0.1
WAN*          -> xl1 -> 2xx.xx.x.x (DHCP) (not a private IP)
OPT1 (DMZ)*   -> xl2 -> 10.1.0.1
OPT2 (DMZ2)   -> xl3 -> 10.2.0.1

I can ping the DMZ from the LAN, but not from the DMZ to the LAN (or anywhere else). I tried to add a rule that allows "all traffic" in the DMZ (same as the default rule on LAN):

"tcp DMZ net * * * *" and
"icmp * * 10.1.0.1 * *"

I also tried to "unblock" private networks in Interfaces/WAN, but it didn't help.
Any pointers?

yoda715:

There is no reason why this should not work. I have a similar setup and I am experiencing no problems. Try updating to the latest snapshot at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

Unblocking private networks only applies to the WAN interface, and would not affect you being able to ping from your DMZ to the LAN segment.

hoba:

@Klexx:

    "tcp DMZ net * * * *" and
    "icmp * * 10.1.0.1 * *"

If you only use protocol TCP, pings won't work, as they are ICMP ;)
The default LAN rule uses "any" as the protocol.

Klexx:

Hi, thanks. I changed the default rule to "* DMZ net * * * *", which by my understanding should allow anything in the DMZ net (not what I wanted, but a start ;-)), so I can now ping the FW (10.1.0.1). But it now seems like the ping is picked up by the ICMP rule ("ICMP * * 10.1.0.1 * *") even though the ICMP rule is located after the "allow all" rule ("* DMZ net * * * *")?
But the DNS request is still blocked in the FW (ping google.com …. cannot resolve: host name lookup failure), and it's showing up in the log as blocked by "@373 block drop in log quick all label 'Default block all just to be sure.'"

hoba:

Do you use the DNS forwarder or an external DNS server? It now really should work. Maybe try upgrading to a recent snapshot, though I don't think that there is a problem with this config and the 1.0.1 release.

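The two points hoba makes above (a TCP-only rule never matches ICMP, and the default LAN rule uses protocol "any") and the blocked DNS lookup Klexx reports can be checked with a small model of how the user rules on a pfSense interface are evaluated. This is an added example written for this thread, not pfSense code: the user rules are treated as "quick", so the first matching rule decides the packet, and anything no rule matches falls through to the default block rule whose label appears in Klexx's log. The DMZ subnet mask (/24), the DMZ host address 10.1.0.50 and the sample traffic are assumptions; the thread only gives 10.1.0.1 as the OPT1 address.

```python
"""Minimal model of pfSense per-interface rule evaluation.

Constructed for this thread; not pfSense code. User rules are "quick",
so the first rule that matches a packet decides it; anything unmatched
falls through to the default block rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumption: OPT1 is 10.1.0.1/24, so the "DMZ net" macro is 10.1.0.0/24.
DMZ_NET = "10.1.0.0/24"
DMZ_ADDRESS = "10.1.0.1"
# Label of the rule Klexx sees in the firewall log.
DEFAULT_BLOCK = "Default block all just to be sure."


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "any", "tcp", "udp" or "icmp"
    src: str                     # CIDR, host address or "any"
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    label: str = ""


def _addr_in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule whose protocol is "tcp" never matches ICMP or UDP, which is
    why a TCP-only "allow all" rule still blocks ping and DNS."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not _addr_in(pkt.src, rule.src) or not _addr_in(pkt.dst, rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching (quick) rule wins; otherwise the default block applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", DEFAULT_BLOCK


# Klexx's first attempt: "tcp DMZ net * * * *" and "icmp * * 10.1.0.1 * *"
RULES_TCP_ONLY = [
    Rule("pass", "tcp", DMZ_NET, "any", label="tcp DMZ net to any"),
    Rule("pass", "icmp", "any", DMZ_ADDRESS, label="icmp to DMZ address"),
]

# After hoba's hint: "* DMZ net * * * *" (protocol any), ICMP rule left in place
RULES_ANY = [
    Rule("pass", "any", DMZ_NET, "any", label="any DMZ net to any"),
    Rule("pass", "icmp", "any", DMZ_ADDRESS, label="icmp to DMZ address"),
]

# Constructed sample traffic from an assumed DMZ host 10.1.0.50.
PING_LAN = Packet("icmp", "10.1.0.50", "10.0.0.10")
PING_FIREWALL = Packet("icmp", "10.1.0.50", DMZ_ADDRESS)
DNS_TO_FORWARDER = Packet("udp", "10.1.0.50", DMZ_ADDRESS, dport=53)
HTTP_OUT = Packet("tcp", "10.1.0.50", "198.51.100.7", dport=80)


if __name__ == "__main__":
    for name, rules in (("tcp-only", RULES_TCP_ONLY), ("proto any", RULES_ANY)):
        for pkt in (PING_LAN, PING_FIREWALL, DNS_TO_FORWARDER, HTTP_OUT):
            action, label = evaluate(rules, pkt)
            print(f"{name:10} {pkt.proto:4} {pkt.src} -> {pkt.dst}: {action} ({label})")
```

With the TCP-only ruleset, the ping to the LAN and the UDP/53 query to the DNS forwarder on 10.1.0.1 both fall through to the default block, while outbound HTTP passes; with protocol "any" on the first rule, every sample packet passes, and under first-match semantics the ping to 10.1.0.1 is decided by the "allow all" rule, not by the ICMP rule placed after it.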
Klexx:

I use the DNS forwarder. I also tried to upgrade to pfSense-Full-Update-1.0.1-SNAPSHOT-02-18-2007.tgz, which resulted in a total lockdown; I had to reinstall the old 1.0.1 ;-)

hoba:

You must have some invalid configuration. I've never seen something like this before. Try restarting from scratch, recreate your config step by step, and test in between the steps.
