DMZ default blocked problem



  • I have a Pfsense 1.0.1 with 4 nics
    LAN*                    ->  xl0    ->      10.0.0.1
    WAN*                    ->  xl1    ->      2xx.xx.x.x(DHCP) ( not a private ip)
    OPT1(DMZ)*              ->  xl2    ->      10.1.0.1
    OPT2(DMZ2)              ->  xl3    ->      10.2.0.1

    I can ping the DMZ form the LAN, but not from the DMZ to the LAN ( or anywhere else)
    I tried to ad a rule that alows "all trafic" in the DMZ  ( same as default rule in LAN )
    "tcp DMZ net * * * * " and
    "icmp * * 10.1.0.1* * "

    I tried also to "unblock " private networks in "interfaces/wan" but it didn't help 
    any pointers ?



  • There is no reason why this should not work. I have a similar setup and I am experiencing no problems. Try updating to the latest snapshot at http://snapshots.pfsense.com/FreeBSD6/RELENG_1/updates/

    The unblock private networks only applies to the WAN interface, and would not affect you being able to ping from your DMZ to LAN segment.



  • @Klexx:

    "tcp DMZ net * * * * " and
    "icmp * * 10.1.0.1* * "

    If you only use protocol TCP pings won't work as they are icmp ;)
    Default LAN rule uses any as protocol.



  • Hi, TNX I changed the default rule to " *  DMZ net * * * * " witch by my understading should alow annything  in the DMZ net ( not what i wanted, but a start ;- ) ) so i can now ping the fw ( 10.1.0.1 ) but it now seems like its ( the ping ) is picked up by the ICMP  ( ICMP * * 10.1.0.1 **  ) rule even if the ICMP rule is located after the "alowe all ( *  DMZ net * * * *  )  "rule ?   
    But  the dns request is still blocked in the fw  ( ping google.com ….. can not resolve : host name lookup failure ) and it's showing up in the log as blocked by @373 bloc drop in log quick all label " Default block all just to bee shure. "



  • Do you use the DNS-Forwarder or an external DNS-Server? It now really should work. Maybe try upgrading to a recent snapshot though I don't think that there is a problem with this config and 1.0.1 release.



  • I use DNS forward, I also tried to oppgrade to pfSense-Full-Update-1.0.1-SNAPSHOT-02-18-2007.tgz with resulted in total lockdown had to reinnstall the old 1.0.1 ;-)



  • You must have some invalid configuration. Never seen something like this before. Try restarting from scratch and recreate your config step by step and test in between the steps.


Log in to reply