Netgate Discussion Forum

    Please check my setup plus couple questions

    General pfSense Questions
    tedced

      I'd restrict traffic from DMZ >> LAN

      create any allow rules you want for DMZ >> LAN
      then create a reject rule that catches everything else DMZ >> LAN

      place them before your DMZ >> ANY rule

      tedced

        Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
        No, you do not need the rule on the DMZ for outsiders to use your site
        What is the best way to set up access to the server on the DMZ from the LAN interface?
        it depends on how you want to access it; set up rules for HTTP, SMTP, RDP, POP etc…
        How can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the DMZ?
        Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server
        I would like my server on the DMZ to be able to access the internet for updates etc, is the rule correct? Works but is it too open?
        "Works but is it too open" That's bang on. Just allow through what you need to.

        jahonix

          You have to NAT port 465 and not 25 if that's what you're using for SMTP.

          Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
          But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

          Chris

          far_ken_beauty

            @jahonix:

            You have to NAT port 465 and not 25 if that's what you're using for SMTP.

            Similar for your RDP. If you want it externally on 1609 you have to NAT it to 5900 internally.
            But then you have to allow traffic on the WAN interface at 1609 since that is what the interface 'sees'.

            Chris

            Well spotted, I have changed port 465 to 25 ;)

            I have VNC running on custom port 1609 ;) I have changed the WAN rule accordingly.
            Well spotted

            far_ken_beauty

              @tedced:

              Because I have my web server on the DMZ do I need an allow rule on the WAN as well as the DMZ as I have done?
              No, you do not need the rule on the DMZ for outsiders to use your site
              What is the best way to set up access to the server on the DMZ from the LAN interface?
              it depends on how you want to access it; set up rules for HTTP, SMTP, RDP, POP etc…
              How can I access my website from my LAN via its domain name like www.domain.com when it is hosted on the DMZ?
              Do you have an internal DNS server? The easiest way would be to have an internal DNS server point to the 192.168.1.10 address of your server
              I would like my server on the DMZ to be able to access the internet for updates etc, is the rule correct? Works but is it too open?
              "Works but is it too open" That's bang on. Just allow through what you need to.

              Thank you, I have removed the extra rule on the DMZ.

              I will try a few rules for access to the server. I need to access a share as well as VNC.

              I don't have an internal DNS but could set one up on the server.

              As for having access for the server on the DMZ I will try a few rules. Any suggestions? Source IP of machine on port 80 to port 80 for web access?

              Many thanks.

              far_ken_beauty

                @tedced:

                I'd restrict traffic from DMZ >> LAN

                create any allow rules you want for DMZ >> LAN
                then create a reject rule that catches everything else DMZ >> LAN

                place them before your DMZ >> ANY rule

                Will try thanks.

                far_ken_beauty

                  @tedced:

                  I'd restrict traffic from DMZ >> LAN

                  create any allow rules you want for DMZ >> LAN
                  then create a reject rule that catches everything else DMZ >> LAN

                  place them before your DMZ >> ANY rule

                  I am having a few issues sorting out rules so that the DMZ can only access the internet and not the LAN.
                  I want the LAN to access the DMZ though.
                  Any pointers?

                  Perry

                    This might help you out: http://doc.m0n0.ch/handbook/examples.html

                    /Perry
                    doc.pfsense.org

                    jahonix

                      @far_ken_beauty:

                      I am having a few issues sorting out rules so that the DMZ can only access the internet and not the LAN.

                      This is rather easy: on the DMZ create a rule that drops (or rejects) all packets with destination LAN.

                      @far_ken_beauty:

                      I want the LAN to access the DMZ though.

                      ;-)
                      So you don't want to disable DMZ -> LAN completely as stated above!
                      Usually we have two-way communication: the LAN sends a request to the DMZ and the DMZ answers to the LAN. The latter conflicts with 'DMZ can only access the internet' …

                      Create dedicated rules for the services you want to have access to.
                      Following Perry's link is a good start.

                      Chris

                      far_ken_beauty
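The ordering advice in tedced's first post (specific DMZ >> LAN allows, then a catch-all DMZ >> LAN reject, then the DMZ >> any rule) and jahonix's remark about a drop rule with destination LAN both depend on the same property: pfSense evaluates an interface's rules top to bottom and the first match wins. The evaluator below is an added example, not code from the thread or from pfSense, that reproduces first-match semantics so the two orderings can be compared on sample packets. The LAN subnet (192.168.0.0/24), the LAN NTP host (192.168.0.5), the update server address and the sample packets are constructed for the example; 192.168.1.10 is the DMZ web server the thread mentions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addressing for the example. 192.168.1.10 is the DMZ web server
# from the thread; the LAN subnet and the LAN NTP host are assumptions.
LAN_NET = ip_network("192.168.0.0/24")
DMZ_NET = ip_network("192.168.1.0/24")
LAN_NTP = ip_network("192.168.0.5/32")
ANY_NET = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "reject"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # destination port only; source ports are ephemeral
    label: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst


def evaluate(rules: list, pkt: Packet) -> str:
    """First-match evaluation: the action of the first matching rule wins.

    A packet that matches nothing is dropped, mirroring the implicit default
    deny at the end of every pfSense interface ruleset.
    """
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "reject"


def dmz_rules(reject_before_any: bool = True) -> list:
    """Build the DMZ interface ruleset in the order the thread recommends,
    or, for comparison, with the catch-all reject placed after DMZ >> any."""
    allow_ntp = Rule("pass", DMZ_NET, LAN_NTP, "udp", 123, "DMZ server -> LAN NTP")
    block_lan = Rule("reject", DMZ_NET, LAN_NET, label="catch-all DMZ >> LAN")
    allow_any = Rule("pass", DMZ_NET, ANY_NET, label="DMZ >> any (updates etc.)")
    if reject_before_any:
        return [allow_ntp, block_lan, allow_any]
    # Wrong order: DMZ >> any matches LAN destinations first, so the reject
    # below it is never reached and the DMZ can still reach the LAN.
    return [allow_ntp, allow_any, block_lan]


# Constructed sample traffic originating from the DMZ server.
SAMPLE_PACKETS = [
    ("NTP to the permitted LAN host", Packet("udp", "192.168.1.10", "192.168.0.5", 123)),
    ("SMB to a LAN workstation", Packet("tcp", "192.168.1.10", "192.168.0.20", 445)),
    ("HTTPS to an update server", Packet("tcp", "192.168.1.10", "203.0.113.8", 443)),
]


def verdicts(reject_before_any: bool = True) -> dict:
    """Map each sample packet's description to its verdict under the given ordering."""
    rules = dmz_rules(reject_before_any)
    return {desc: evaluate(rules, pkt) for desc, pkt in SAMPLE_PACKETS}


if __name__ == "__main__":
    for order in (True, False):
        print("reject before DMZ >> any:" if order else "reject after DMZ >> any:")
        for desc, verdict in verdicts(order).items():
            print(f"  {desc:32} {verdict}")
```

Two things the toy model leaves out are worth keeping in mind when reading the results. First, pfSense is stateful: a LAN client's request to the DMZ server creates a state entry, and the server's replies ride that state back to the LAN without needing any DMZ >> LAN rule, which is why a catch-all reject on the DMZ does not break LAN-initiated access. Second, the evaluator never matches on the source port, because clients pick an ephemeral source port; a rule written as "source port 80 to destination port 80" would match almost no real web traffic.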

                        Thanks guys, I will check out Perry's link. Thanks Perry.
                        Yeah, I just want to secure the DMZ from the LAN, but still need some access. I will investigate opening up certain services that I need.
                        Cheers.

                        far_ken_beauty

                          @Perry:

                          This might help you out: http://doc.m0n0.ch/handbook/examples.html

                          Helped a treat!

                          far_ken_beauty

                            OK, getting there…
                            I can access this from the LAN but not the DMZ even when I give the DMZ access to all.
                            ftp://ftp.bom.gov.au/anon/gen/fwo/IDV17101.txt A port issue? Works on the LAN though. :-\

                            jahonix

                              search the forum for 'FTP-Helper'

                              Chris

                              far_ken_beauty

                                @jahonix:

                                search the forum for 'FTP-Helper'

                                Chris

                                You my friend are a champ! Disable the FTP helper and away it goes ;D
                                Thanks mate. ;)
