OPT1 as a DMZ and possible routing issues?
-
okay here's my setup roughly:
WAN -> DHCP
LAN (10.0.0.1/30) -> NIDS (10.0.0.2/30) -> Switch -> Hub(s) -> Clients
OPT1 (10.0.1.1/24) -> DMZ Server (10.0.1.10/24)
I cannot connect or ping anything on the LAN or WAN links from the DMZ server, but they can connect and ping OPT1 and the DMZ server. Also, I can connect to the webGUI using http://10.0.1.1 from the DMZ server even though I cannot ping that IP address. ???
My rules on the OPT1 interface are as follows: TCP * * * * *
Any help would be greatly appreciated, because I would like to keep this box updated due to security concerns and I cannot update it if I cannot get to the WAN interface. :-\
ez,
play0r -
my rules on the OPT1 interface are as follows: TCP * * * * *
Change the protocol to "any" instead of "TCP". Ping, for example, uses ICMP, which you don't allow.
-
Right. I did that; now I can ping OPT1. I still cannot make it to the WAN link though, which is the main issue concerning me.
ez,
play0r -
Your OPT1 clients probably have a wrong gateway then, if they can only reach IPs in their local subnet. Or maybe it's a DNS issue. Check both settings on your OPT1 clients.
-
The gateway is the OPT1 interface, so that should be okay?
-
Yes. So does your name resolution work? Can you ping IPs on the WAN? Try pinging the WAN IP of the pfSense. If that works, it's not a firewall rule issue.
-
I cannot ping the WAN IP of pfSense. I'm pretty sure the DNS is fine now that I check it again. I pinged the wrong IP originally. :-X
ez,
play0r -
Optimally, what would be a good firewall ruleset for OPT1 considering it's going to be a DMZ?
Also, would it be wiser to put it on the NIDS, so I can view the traffic via snort-mysql+base?
ez,
play0r
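The two points the thread raises, why "TCP * * * * *" lets the webGUI through but drops ping, and what a DMZ ruleset for OPT1 might look like, can be walked through with a small first-match rule evaluator. The block below is an added illustration, not pfSense's own code and not something any poster in the thread wrote: it models only the protocol, source, destination and destination-port fields of an interface ruleset with pfSense's first-match, default-deny behaviour, and omits implicit rules (anti-lockout, state handling) that the real firewall adds. The `DMZ_OPT1` policy is an assumed example of a restrictive DMZ ruleset (ICMP to the gateway for troubleshooting, no DMZ-initiated traffic into the LAN or to the firewall itself, everything else out), and the address 203.0.113.5 is a constructed stand-in for an Internet host. The 10.x addresses are the ones from the original post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    """One row of an interface ruleset (simplified pfSense-style)."""
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "icmp" or "*" (any)
    src: str      # CIDR or "*"
    dst: str      # CIDR or "*"
    dport: str    # destination port as a string, or "*"
    descr: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None   # None for ICMP


def _match_net(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _match_port(pattern: str, port: Optional[int]) -> bool:
    return pattern == ANY or (port is not None and int(pattern) == port)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (ANY, pkt.proto)
            and _match_net(rule.src, pkt.src)
            and _match_net(rule.dst, pkt.dst)
            and _match_port(rule.dport, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; with no match the interface's implicit default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"


# The rule as posted: only TCP is allowed, so ICMP falls through to the default deny.
ORIGINAL_OPT1 = [Rule("pass", "tcp", ANY, ANY, ANY, "TCP * * * * * (as posted)")]

# The fix suggested in the thread: protocol "any". Ping works, but so does everything
# from the DMZ into the LAN, which is what a DMZ ruleset should prevent.
ANY_OPT1 = [Rule("pass", ANY, ANY, ANY, ANY, "any * * * * *")]

# Assumed hardened DMZ policy (constructed example, not from the thread). Order matters:
# specific permits and blocks first, the broad "to Internet" pass last.
DMZ_NET, LAN_NET, OPT1_IP = "10.0.1.0/24", "10.0.0.0/30", "10.0.1.1/32"
DMZ_OPT1 = [
    Rule("pass",  "icmp", DMZ_NET, OPT1_IP, ANY, "ping the OPT1 gateway for troubleshooting"),
    Rule("block", ANY,    DMZ_NET, OPT1_IP, ANY, "no other access to the firewall from the DMZ"),
    Rule("block", ANY,    DMZ_NET, LAN_NET, ANY, "DMZ may not initiate connections into the LAN"),
    Rule("pass",  ANY,    DMZ_NET, ANY,     ANY, "DMZ to Internet (updates etc.)"),
]

# Constructed test traffic from the DMZ server.
PING_GW   = Packet("icmp", "10.0.1.10", "10.0.1.1")
WEBGUI    = Packet("tcp",  "10.0.1.10", "10.0.1.1", 80)
PING_LAN  = Packet("icmp", "10.0.1.10", "10.0.0.2")
HTTPS_OUT = Packet("tcp",  "10.0.1.10", "203.0.113.5", 443)


def compare_rulesets() -> dict:
    """Decision of each ruleset for each sample packet, keyed (ruleset, packet name)."""
    out = {}
    for rs_name, rs in (("original", ORIGINAL_OPT1), ("any", ANY_OPT1), ("dmz", DMZ_OPT1)):
        for pkt_name, pkt in (("ping_gw", PING_GW), ("webgui", WEBGUI),
                              ("ping_lan", PING_LAN), ("https_out", HTTPS_OUT)):
            out[(rs_name, pkt_name)] = evaluate(rs, pkt)[0]
    return out


if __name__ == "__main__":
    for (rs_name, pkt_name), decision in compare_rulesets().items():
        print(f"{rs_name:8} {pkt_name:10} -> {decision}")
```

Under the posted rule the model passes the TCP/80 webGUI request and blocks the ICMP echo, which is exactly the "can browse to 10.0.1.1 but can't ping it" symptom in the first post. Switching to "any" makes ping work but also lets the DMZ host reach 10.0.0.2 on the LAN, so the restrictive policy is the one to model a real OPT1 ruleset on; it does not, however, say anything about the unresolved WAN reachability problem, which the thread attributes to gateway or DNS settings rather than rules.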