DMZ setup not working as anticipated.



  • Hi,

    I'm trying to locate a server in a DMZ so we can open up public access to it. I'm having a number of problems so I was wondering if someone could do a sanity check on this and let me know where I'm going wrong.

    External WAN IP: 12.23.34.45
    IP Alias on WAN:  12.23.34.44
    LAN: 192.168.1.0/24
    DMZ: 10.10.10.0/24

    OK so the LAN is all set up and working fine. I put a server in the DMZ with IP address 10.10.10.10. I can't ping ANYTHING at this point. Not even the DMZ interface on 10.10.10.1. Is this normal? I've checked cables and hubs many times.

    I need to access the server by web from the Internet, and by SSH from the LAN.
    I create a NAT mapping from 12.23.34.44 to 10.10.10.10

    I put rules in as follows.
    source: LAN (any IP, any port)
    dest: 10.10.10.10 port 22 tcp/udp

    source: WAN (any IP, any port).
    dest: 10.10.10.10 port 80, tcp.

    So as far as I gather, that should work. But no … can't connect from anywhere to the machine, and can't ping anything at all from the machine.

    What am I missing?



  • You need rules on the DMZ interface; only LAN has a default allow-any rule.



  • @Metu69salemi:

    You need rules on the DMZ interface; only LAN has a default allow-any rule.

    It is not necessary to have a firewall rule on LAN (assuming the default allow any rule hasn't been disabled) to allow access from LAN to a host on DMZ.

    @plutocrat:

    I can't ping ANYTHING at this point. Not even the DMZ interface on 10.10.10.1. Is this normal? I've checked cables and hubs many times.

    Can you ping the pfSense LAN IP address from a system on your LAN? If not, what is reported?

    @plutocrat:

    I create a NAT mapping from 12.23.34.44 to 10.10.10.10

    I put rules in as follows.
    source: LAN (any IP, any port)
    dest: 10.10.10.10 port 22 tcp/udp

    source: WAN (any IP, any port).
    dest: 10.10.10.10 port 80, tcp.

    So as far as I gather, that should work. But no … can't connect from anywhere to the machine, and can't ping anything at all from the machine.

    Did you mean Port Forward mapping from 12.23.34.44 to 10.10.10.10?

    You shouldn't need a NAT mapping to access your system on the DMZ from the LAN. (I don't on a similar setup I have at home.)

    Please give more details than "can't connect". How are you attempting to connect? What does it report?  If you are using ssh do you have sshd running on the DMZ server and is it configured to allow access from LAN?



  • If you only have one public IP address & your DMZ & LAN are on separate NICs & separate physical interfaces, you may have to enable bridging to make anything in your DMZ subnet accessible from the public internet.

    Try going to (in PFsense WebGUI) interfaces>assign>bridging. Then select both your DMZ & LAN & click accept or apply. You shouldn't need to configure anything advanced under bridging. See if that works to give access to that network.

    Like Metu69salemi said, you will need to create a firewall rule for the DMZ interface allowing traffic IN from the internet TO the DMZ server, also possibly allowing traffic IN from the LAN as well. After creating it you will need to go to the reload filter option in pfsense to make sure the rule is actually applied once it's created.

    The easiest thing to do to start with the firewall rule is to just apply an "Allow All" rule, until you can verify everything that needs access to the machine can get it. Then once you can verify that, you can go back & configure specific routing rules to allow only the certain PCs access you want.

    It should state under firewall rule creation what interface do you want to allow connection from & connection to. Leave both set to any.

    See if this helps the situation any.



  • Thanks to all who replied. I haven't been with the client since posting, so excuse me for not answering your questions. However let me clarify a few things.

    @Metu69salemi:

    You need rules on the DMZ interface; only LAN has a default allow-any rule.

    Yes, the rules I mention are set up on the DMZ interface.

    @wallabybob:

    Can you ping the pfSense LAN IP address from a system on your LAN? If not, what is reported?

    Yes. Everything on the LAN segment can ping each other.

    @wallabybob:

    Did you mean Port Forward mapping from 12.23.34.44 to 10.10.10.10?

    It's a 1-to-1 NAT I believe. The external IP is an Alias for the WAN interface. What I was trying to achieve was that all traffic to .45 goes to the firewall and all traffic to .44 goes to the DMZ server.

    @wallabybob:

    Please give more details than "can't connect". How are you attempting to connect? What does it report?  If you are using ssh do you have sshd running on the DMZ server and is it configured to allow access from LAN?

    Yes, of course I have sshd running on the DMZ server. I sit in the LAN, try to connect to the DMZ server on its DMZ IP 10.10.10.10 and the connection times out. There is no communication from the LAN to the DMZ. Aha … maybe I should turn on logging for the DMZ rules. I'm assuming this is possible. I'll try to figure that out to see if it gives me any clues.

    @lonevipr:

    If you only have one public IP address & your DMZ & LAN are on separate NICs & separate physical interfaces, you may have to enable bridging to make anything in your DMZ subnet accessible from the public internet.

    We have two public IP addresses. As I explained above one is meant to direct to the firewall (and LAN) and the other is meant to map to the server in the DMZ. I'll look into bridging.

    @lonevipr:

    Like Metu69salemi said, you will need to create a firewall rule for the DMZ interface allowing traffic IN from the internet TO the DMZ server, also possibly allowing traffic IN from the LAN as well. After created you will need to goto reload filter option in pfsense to make sure the rule is actually applied once it's created.

    … which I thought I'd done. OK well I'll tear it down and start again. It does work with an Allow All rule between LAN and DMZ server, but if I'm doing that, then pretty much no need for a DMZ then! :-)

    Thanks for the encouragement. I've been setting up firewalls of different brands for 10 years or so (Netscreens, PIXes, Fortigates etc), which is why I'm a bit confused that this isn't working. Sounds like I'm doing everything right, so I'll keep plugging away.
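The thread turns on which interface a pfSense rule is evaluated on. The following is an added example, not code posted by anyone in the thread or shipped by pfSense: a small Python model of per-interface, first-match rule evaluation, using the addresses from the original post. It assumes three things that hold for pfSense: a rule only sees traffic entering the interface it is placed on; 1:1 NAT on WAN is applied before filtering, so WAN rules match the private (post-NAT) destination; and the stock LAN interface carries a default allow-any rule while other interfaces block by default. The sample flows, the `203.0.113.7` client address and the egress ICMP rule are constructed for the example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not from the thread. Toy model of pfSense-style filtering:
#   - a rule only matches traffic ENTERING the interface it is placed on;
#   - 1:1 NAT on WAN translates the public alias before the filter runs, so
#     WAN rules reference the private destination (as the poster's rule does);
#   - LAN has a default allow-any rule; every other interface blocks by default.


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrives on
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Rule:
    iface: str            # interface the rule is placed on
    action: str           # "pass" or "block"
    src_net: str
    dst_net: str
    protos: tuple         # protocols the rule covers
    dport: Optional[int]  # None = any port


ANY = "0.0.0.0/0"
LAN_NET, DMZ_NET = "192.168.1.0/24", "10.10.10.0/24"
ONE_TO_ONE_NAT = {"12.23.34.44": "10.10.10.10"}   # WAN alias -> DMZ server (from the thread)


def inbound_nat(pkt: Packet) -> Packet:
    """Translate the public alias to the DMZ host before the filter sees the packet."""
    if pkt.ingress == "WAN" and pkt.dst in ONE_TO_ONE_NAT:
        return replace(pkt, dst=ONE_TO_ONE_NAT[pkt.dst])
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    return (
        rule.iface == pkt.ingress
        and pkt.proto in rule.protos
        and ip_address(pkt.src) in ip_network(rule.src_net)
        and ip_address(pkt.dst) in ip_network(rule.dst_net)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def evaluate(rules, pkt: Packet):
    """First-match evaluation on the ingress interface; returns (action, reason)."""
    pkt = inbound_nat(pkt)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, f"rule on {rule.iface}: {rule.src_net} -> {rule.dst_net}"
    if pkt.ingress == "LAN":
        return "pass", "LAN default allow-any"
    return "block", f"no matching rule on {pkt.ingress} (default deny)"


# The original poster's two rules, placed on the DMZ interface as the thread says.
RULES_AS_POSTED = [
    Rule("DMZ", "pass", LAN_NET, "10.10.10.10/32", ("tcp", "udp"), 22),
    Rule("DMZ", "pass", ANY, "10.10.10.10/32", ("tcp",), 80),
]

# The same intent placed on the interfaces where each flow actually enters,
# plus a constructed egress rule so the DMZ host itself can ping out.
RULES_BY_INGRESS = [
    Rule("WAN", "pass", ANY, "10.10.10.10/32", ("tcp",), 80),      # internet -> web
    Rule("LAN", "pass", LAN_NET, "10.10.10.10/32", ("tcp",), 22),  # only narrows once LAN allow-any is removed
    Rule("DMZ", "pass", DMZ_NET, ANY, ("icmp",), None),            # let the server ping out
]

# Constructed sample flows matching the thread's scenario.
FLOWS = {
    "lan_to_dmz_ssh": Packet("LAN", "192.168.1.50", "10.10.10.10", "tcp", 22),
    "internet_to_alias_http": Packet("WAN", "203.0.113.7", "12.23.34.44", "tcp", 80),
    "dmz_server_ping_out": Packet("DMZ", "10.10.10.10", "192.168.1.1", "icmp", None),
}


def decisions(rules):
    """Map each sample flow to the action the rule set yields."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("by ingress", RULES_BY_INGRESS)):
        print(label)
        for name, pkt in FLOWS.items():
            print(f"  {name:24} {evaluate(rules, pkt)}")
```

Run as posted, the model passes LAN-to-DMZ SSH purely through the LAN default allow (wallabybob's point), blocks the public HTTP flow because no rule on WAN matches the post-NAT destination, and blocks the DMZ server's own outbound ping because the DMZ rules only name LAN or TCP sources (Metu69salemi's point). The model says nothing about a server that cannot reach its own gateway at 10.10.10.1; that fails below the filter and should be checked at the interface and addressing level first.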

