OPT1 as a DMZ and possible routing issues?



  • okay here's my setup roughly:

    WAN -> DHCP
    LAN (10.0.0.1/30) -> NIDS (10.0.0.2/30) -> Switch -> Hub(s) -> Clients
    OPT1 (10.0.1.1/24) -> DMZ Server (10.0.1.10/24)

    i cannot connect or ping anything on the LAN or WAN links from the DMZ Server, but they can connect and ping OPT1 and the DMZ Server. also, i can connect to the webgui using http://10.0.1.1 from the DMZ Server even though i cannot ping that ip address.  ???

    my rules on the OPT1 interface are as follows:  TCP * * * * *

    any help would be greatly appreciated, because i would like to keep this box updated due to security concerns and i cannot update it if i cannot get to the WAN interface.  :-\

    ez,
    play0r



  • @play0r:

    my rules on the OPT1 interface are as follows:  TCP * * * * *

    Change protocol to "any" instead of "tcp". Ping for example uses ICMP which you don't allow.



  • right. i did that, now i can ping OPT1. i still cannot make it to the WAN link though, which is the main issue concerning me.

    ez,
    play0r



  • Then your OPT1 clients probably have a wrong gateway, if they can only reach IPs of their local subnet. Or maybe it's a DNS issue. Check both settings at your OPT1 clients.



  • the gateway is the OPT1 interface, so that should be okay?



  • Yes. So does your name resolution work? Can you ping IPs at WAN? Try pinging the WAN IP of the pfSense. If that works it's not a firewall rule issue.



  • i cannot ping the WAN ip of pfsense. i'm pretty sure the dns is fine now that i check it again. i pinged the wrong ip originally.  :-X

    ez,
    play0r



  • optimally what would be a good firewall ruleset for OPT1 considering it's going to be a DMZ?
    also, would it be wiser to put it on the NIDS, so i can view the traffic via snort-mysql+base?

    ez,
    play0r
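As an added illustration of the two points raised in this thread (the TCP-only rule that silently drops ICMP, and what a reasonable DMZ ruleset for OPT1 looks like), here is the same policy written in plain pf.conf syntax. This is not the poster's configuration and not the rules pfSense generates from its web GUI; the interface names em0/em1/em2 are assumptions, the addresses are the ones from the thread, and the inbound WAN rule assumes a matching port forward (rdr) that is not shown.

```pf
# Added example in plain pf syntax, not pfSense GUI output.
# Interface names are assumptions; the subnets are the thread's.
wan_if  = "em0"
lan_if  = "em1"
opt1_if = "em2"
lan_net = "10.0.0.0/30"
dmz_net = "10.0.1.0/24"
dmz_srv = "10.0.1.10"

# The rule from the thread, TCP only. ICMP echo from the DMZ server never
# matches it, which is why the web GUI on 10.0.1.1 works over TCP but ping
# to the same address is dropped.
# pass in on $opt1_if proto tcp from $dmz_net to any keep state

# Corrected and tightened policy for OPT1 as a DMZ. pf is last-match-wins
# unless a rule says "quick", so the default deny goes first.
block in on $opt1_if all

# Let the DMZ host reach the firewall itself for ping and DNS.
pass in on $opt1_if inet proto icmp from $dmz_net to ($opt1_if) icmp-type echoreq keep state
pass in on $opt1_if proto udp from $dmz_net to ($opt1_if) port 53 keep state

# The DMZ must never initiate connections toward the LAN side (here the
# /30 toward the NIDS). "quick" stops evaluation so the later pass-to-any
# rule cannot override this.
block in quick on $opt1_if from $dmz_net to $lan_net

# Everything else from the DMZ may leave toward the Internet via WAN.
pass in on $opt1_if inet from $dmz_net to any keep state

# Inbound from WAN: only the published service on the DMZ server, and only
# new connections (SYN without ACK). Requires a corresponding rdr rule.
pass in on $wan_if inet proto tcp from any to $dmz_srv port { 80, 443 } flags S/SA keep state
```

The ordering is the part that matters for a DMZ: deny by default, explicitly allow what the DMZ host needs outbound, and put the DMZ-to-LAN block ahead of the general pass rule with "quick" so a compromised DMZ server cannot open connections into the internal network. Whether the NIDS should also see OPT1 traffic is a placement question separate from these rules; a span or mirror of the OPT1 port on the switch would let snort observe it without changing the firewall policy.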

