Pfsense 2.1 - basic DMZ setup - any/all ports to single DMZ host?



  • Hi - I was hoping someone could assist me with setting up a basic DMZ.  I have 1 WAN interface and 1 LAN interface.  I've also added (on a 2nd NIC card) my OPT2 as DMZ.

    LAN set to 192.168.0.1/24
    My internal DNS/DHCP server on my LAN is machine 192.168.0.5

    DMZ set to 192.168.2.1/30 (for time being I only need to expose 1 device)

    Under Firewall > NAT > 1:1 I've pointed one of my ISP static public IPs (184.185.x.100) to 192.168.2.1 which I was hoping is correct?

    Under Firewall > Rules > DMZ I have configured the following rules as shown below.

    However, I'm not sure how to:
    1.) enable the DMZ device to obtain a DHCP address from 192.168.0.5 box
    2.) allow access on any/all ports on the internet and
    3.) accept internet connections on public IP 184.185.x.100

    Any assistance would be greatly appreciated.  Thanks!


  • LAYER 8 Global Moderator

    For starters you're probably going to want to change your dns rule to be both tcp/udp.  Dns can and does use tcp when the query is too large for udp.

    So dhcp is broadcast, you would have to set up dhcp relay for that to happen.  Or just set up dhcp on the pfsense interface in your dmz.  If you're using a /30 – wtf do you need dhcp for?

    Setup 1:1 nat for your dmz host to your public IP it wants to listen on.



  • @johnpoz:

    So dhcp is broadcast, you would have to set up dhcp relay for that to happen.  Or just set up dhcp on the pfsense interface in your dmz.  If you're using a /30 – wtf do you need dhcp for?

    Setup 1:1 nat for your dmz host to your public IP it wants to listen on.

    I've gone ahead and adjusted DNS to TCP/UDP as you've instructed.

    As for DHCP, I currently have my Windows server (192.168.0.5) acting as my DNS and DHCP server.  I wasn't sure whether this also applies to the DMZ?  For example, if I set the pfsense DMZ interface to static with an address of 192.168.2.1/30, does the single device I'm trying to put on the DMZ obtain its DHCP address from the 192.168.0.5 Windows server box OR does it just assume the DMZ IP of 192.168.2.1?

    The device I'm trying to put on the DMZ is for a company to troubleshoot remotely.  They've asked for open access to it.  Unfortunately the device is set to obtain its IP via DHCP (I have no control over this method), so I'm trying to 1.) expose it on the DMZ 100% without any specific port restrictions (in either direction), 2.) ping the device (so is there a specific rule I need on the DMZ so that it responds to pings?) and, 3.) assign it a public internet IP so they can reach it on that IP.

    Here are my current DMZ rules.  I added an ICMP echo reply rule in an attempt to allow the device on the DMZ (192.168.2.1) to respond to pings.  I'm not sure whether I did this correctly.  I can ping the device from within my LAN, but not when I try to do it remotely.

    http://imgur.com/XY6Uc


  • LAYER 8 Global Moderator

    "its DHCP address from the 192.168.0.5 windows server box OR does it just assume the DMZ IP of 192.168.2.1?"

    What??

    So the dhcp protocol is just black magic to you?  No, a box on a different network segment is not going to get dhcp from a server on a different segment, unless you have some relay on its current segment to forward that broadcast dhcp request to that server.

    And the pfsense 2.1 address has nothing to do with anything.  The dhcp client is just going to broadcast a discover packet asking for a dhcp server to send it an offer.

    Here, this might help you understand how dhcp works:
    http://tools.ietf.org/html/rfc2131

    This might be easier to read:
    http://support.microsoft.com/kb/169289

    If you have no control over setting up this box in your dmz as dhcp or static, then just run the dhcp server on pfsense to hand out the .2 address you have in your /30 range ;)
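    The relay point above, as an added illustration that is not part of the thread or of pfSense's own code: a DHCPDISCOVER goes from 0.0.0.0 to the limited broadcast 255.255.255.255, which no router forwards, so the LAN server at 192.168.0.5 never sees it. A relay agent on the DMZ segment stamps the request's giaddr field with its own interface address and unicasts it to the server, which then picks the scope from giaddr. The relay address 192.168.2.1 (the pfSense DMZ interface) and the two scopes are assumptions; pfSense's DHCP Relay service, or a DHCP server on the DMZ interface as suggested, does this job on the real firewall.

```python
"""Added example: why a DMZ client only reaches a LAN DHCP server via a relay.

Models RFC 2131 behaviour: the client broadcasts, a relay agent rewrites giaddr
and unicasts to the server, and the server selects the scope from giaddr.
"""
import ipaddress
import struct
from typing import NamedTuple, Optional

DHCP_SERVER = "192.168.0.5"          # LAN DNS/DHCP server from the thread
RELAY_DMZ_ADDR = "192.168.2.1"       # assumption: pfSense DMZ interface address
LIMITED_BROADCAST = "255.255.255.255"
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed scopes: the LAN /24, and the DMZ /30 where .1 is the gateway
# and .2 is the only address left for the DMZ device.
SCOPES = {
    ipaddress.ip_network("192.168.0.0/24"): ["192.168.0.50", "192.168.0.51"],
    ipaddress.ip_network("192.168.2.0/30"): ["192.168.2.2"],
}


class Datagram(NamedTuple):
    src: str
    dst: str
    payload: bytes


def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal DHCPDISCOVER: BOOTP fixed fields followed by option 53."""
    msg = struct.pack("!BBBB", 1, 1, 6, 0)        # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
    msg += struct.pack("!IHH", xid, 0, 0x8000)    # xid, secs, flags (broadcast bit set)
    msg += bytes(16)                              # ciaddr, yiaddr, siaddr, giaddr = 0.0.0.0
    msg += mac.ljust(16, b"\x00")                 # chaddr, 16 bytes
    msg += bytes(64 + 128)                        # sname, file
    msg += MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DHCPDISCOVER, end
    return msg


def client_discover(mac: bytes) -> Datagram:
    """A client with no address yet can only broadcast (RFC 2131 section 4.1)."""
    return Datagram("0.0.0.0", LIMITED_BROADCAST, build_discover(mac))


def router_forwards(dgram: Datagram) -> bool:
    """A router never forwards the limited broadcast off its segment."""
    return dgram.dst != LIMITED_BROADCAST


def giaddr(payload: bytes) -> str:
    """Relay agent IP address field, bytes 24..27 of the BOOTP header."""
    return str(ipaddress.ip_address(payload[24:28]))


def relay(dgram: Datagram, relay_addr: str, server: str) -> Datagram:
    """Relay agent: fill giaddr with the address of the interface the request
    arrived on, bump hops, and unicast the request to the server."""
    p = bytearray(dgram.payload)
    p[3] += 1                                     # hops
    if giaddr(bytes(p)) == "0.0.0.0":
        p[24:28] = ipaddress.ip_address(relay_addr).packed
    return Datagram(relay_addr, server, bytes(p))


def server_pick_scope(dgram: Datagram) -> Optional[str]:
    """The server chooses a scope from giaddr; with giaddr 0.0.0.0 it uses the
    subnet of the interface the broadcast arrived on (here: the LAN)."""
    g = giaddr(dgram.payload)
    key = ipaddress.ip_address(DHCP_SERVER if g == "0.0.0.0" else g)
    for net, pool in SCOPES.items():
        if key in net:
            return pool[0] if pool else None
    return None


def dmz_client_gets_offer(via_relay: bool) -> Optional[str]:
    """End to end: does a DMZ client end up with an address from the /30?"""
    d = client_discover(b"\x00\x11\x22\x33\x44\x55")   # constructed MAC
    if via_relay:
        d = relay(d, RELAY_DMZ_ADDR, DHCP_SERVER)
    elif not router_forwards(d):
        return None                               # the discover never leaves the DMZ
    return server_pick_scope(d)


if __name__ == "__main__":
    print("without relay:", dmz_client_gets_offer(False))   # None
    print("with relay:", dmz_client_gets_offer(True))       # 192.168.2.2
```

Without the relay the broadcast stays on the DMZ segment and the server never answers; with it, the server sees giaddr 192.168.2.1, matches the /30 scope, and offers the only free address, .2.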



  • Sorry, yes, I did have the pfsense DNS relay service enabled for the DMZ interface.  Also on my Windows DHCP server I had defined a DHCP scope/range of 192.168.2.1-192.168.2.1.

    Now that I can see that the device at 192.168.2.1 is obtaining a DHCP address, I am able to ping 192.168.2.1 from within my LAN and receive a ping reply.  But even after creating a NAT 1:1 rule of an external static IP (call it 184.185.x.100) to internal address 192.168.2.1, I do not receive a ping response over the internet when I ping 184.185.x.100.  Does this require a rule different from the one I set up earlier on my DMZ interface?

    Thanks again for your help.



  • @johnpoz:

    If you have no control over setting up this box in your dmz as dhcp or static, then just run the dhcp server on pfsense to hand out the .2 address you have in your /30 range ;)

    How do you go about setting up a rule (or rules) so that someone pinging the device on the DMZ (IP 192.168.2.1) will get a ping response back?  I wasn't sure whether the screen capture I posted of my ICMP reply rule was correct or sufficient.  Thanks again.
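    The ping question above, as an added example that is not part of the thread and not pfSense's own code: a small model of the order in which pf, the packet filter underneath pfSense, applies 1:1 NAT and filter rules. On an inbound WAN packet the 1:1 translation runs before the WAN rules are evaluated, so a WAN rule whose destination is the public IP never matches; the rule must name the DMZ host's internal address 192.168.2.1. The host's echo reply is passed by the state that the matching rule created, so an "echo reply" rule on the DMZ interface is not what is missing. The public address 203.0.113.100 is a placeholder (RFC 5737 TEST-NET-3) standing in for the thread's 184.185.x.100, and the remote pinger's address is constructed.

```python
"""Added example: pf order of operations for 1:1 NAT plus a WAN pass rule.

Translation first, then WAN filter rules on the translated packet, then a
state entry that lets the reply back out without a rule of its own.
"""
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.100"   # placeholder for the thread's 184.185.x.100
DMZ_HOST = "192.168.2.1"      # DMZ device address from the thread


@dataclass(frozen=True)
class Packet:
    iface: str                # interface the packet is seen on
    direction: str            # "in" or "out" relative to the firewall
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    """A pass rule such as: pass in on wan proto icmp to <dst> icmp-type <type>."""
    iface: str
    direction: str
    proto: str
    dst: str
    icmp_type: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        same_tuple = (p.iface, p.direction, p.proto, p.dst) == (
            self.iface, self.direction, self.proto, self.dst)
        return same_tuple and (self.icmp_type is None or p.icmp_type == self.icmp_type)


class OneToOneNat:
    """Default-deny firewall with a binat mapping and stateful WAN rules."""

    def __init__(self, wan_rules: list, binat: dict):
        self.wan_rules = wan_rules
        self.to_public = dict(binat)                       # internal -> public
        self.to_internal = {v: k for k, v in binat.items()}
        self.states = set()                                # (proto, src, dst)

    def inbound_on_wan(self, p: Packet) -> Optional[Packet]:
        """Deliver the packet to the DMZ host only if a WAN rule passes it."""
        # Step 1: binat rewrites the destination to the DMZ host...
        p = replace(p, dst=self.to_internal.get(p.dst, p.dst))
        # Step 2: ...and only then are the WAN filter rules consulted.
        if not any(r.matches(p) for r in self.wan_rules):
            return None
        self.states.add((p.proto, p.src, p.dst))           # keep state
        return p

    def reply_from_dmz(self, p: Packet) -> Optional[Packet]:
        """The reply is passed by the existing state; no DMZ rule is evaluated."""
        if (p.proto, p.dst, p.src) not in self.states:
            return None
        # Step 3: leaving on WAN, binat rewrites the source back to the public IP.
        return replace(p, iface="wan", direction="out",
                       src=self.to_public.get(p.src, p.src))


def ping_from_internet(wan_rules: list, remote: str = "198.51.100.7") -> Optional[str]:
    """Echo request from `remote` to the public IP; returns the source address
    the remote sees on the reply, or None if the ping gets no answer."""
    fw = OneToOneNat(wan_rules, {DMZ_HOST: PUBLIC_IP})
    req = Packet("wan", "in", "icmp", remote, PUBLIC_IP, "echoreq")
    delivered = fw.inbound_on_wan(req)
    if delivered is None:
        return None
    reply = Packet("dmz", "in", "icmp", delivered.dst, delivered.src, "echorep")
    out = fw.reply_from_dmz(reply)
    return None if out is None else out.src


# WAN rule written against the public IP: never matches, the ping is dropped.
RULE_ON_PUBLIC_IP = Rule("wan", "in", "icmp", PUBLIC_IP, "echoreq")
# WAN rule written against the DMZ host's internal address: this one works.
RULE_ON_DMZ_HOST = Rule("wan", "in", "icmp", DMZ_HOST, "echoreq")

if __name__ == "__main__":
    print(ping_from_internet([RULE_ON_PUBLIC_IP]))   # None
    print(ping_from_internet([RULE_ON_DMZ_HOST]))    # 203.0.113.100
```

In pfSense terms: keep the 1:1 entry, and add a rule on the WAN interface passing ICMP echo request (or any protocol the remote party needs) with destination 192.168.2.1, not the public address. Restrict the source to the troubleshooting company's addresses where they are known.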

