Cannot connect from LAN to OPT1
-
I have a typical configuration with:
WAN - 10.0.0.0/24
LAN - 192.168.0.0/24
OPT1 - 192.168.1.0/24 acting as DMZ
When I try to ping any host on LAN from the OPT1 interface it just works fine, but if I try to ping any host on OPT1 from the LAN interface I get no answer. Shouldn't all traffic from LAN be allowed everywhere by default, including to OPT1? I have already created several rules without any success, including one on the OPT1 interface allowing all traffic from the LAN subnet.
I have a webserver running on OPT1 and cannot connect from LAN to that webserver.
-
Yes, the default LAN rule that comes in by default on new installations should allow traffic from the LAN to anywhere, including any OPT networks.
Start with a traceroute from LAN to OPT and see how far it gets. Then run a tcpdump on LAN to watch for the traffic to the OPT net. Then watch tcpdump on the OPT interface to see if the traffic made it through routing and the FW. Are you doing any manual outbound NAT?
-
I made a packet capture on OPT and receive the following result:
14:58:23.887247 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
14:58:26.887301 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
14:58:32.888715 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
This test was made trying to access the webserver that is available on 192.168.1.7, and the browser fails to open that page.
One more strange thing is that I re-installed pfSense on the server and I got immediate access from OPT to the internet, which the first time I installed was not possible without making a specific rule.
I am not using any manual outbound NAT.
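As an added example (not part of the thread), a small script that applies the check the thread relies on: parse tcpdump-style summary lines like the capture above, group packets by flow, and flag flows that only ever appear in one direction. The sample capture is constructed; the 192.168.1.8 flow is made up to show a healthy two-way flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's default summary format, modelled on the
# capture quoted above: three retries toward the web server with nothing
# coming back, plus one made-up healthy two-way flow (192.168.1.8) for contrast.
SAMPLE_CAPTURE = """\
14:58:23.887247 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
14:58:26.887301 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
14:58:32.888715 IP 192.168.0.36.52189 > 192.168.1.7.80: tcp 0
14:58:40.100000 IP 192.168.0.36.52190 > 192.168.1.8.22: tcp 0
14:58:40.100500 IP 192.168.1.8.22 > 192.168.0.36.52190: tcp 0
"""

# One tcpdump summary line: "<time> IP <src>.<sport> > <dst>.<dport>: <proto> ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<proto>\w+)"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, proto) for each packet summary line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not packet summaries are ignored
            g = m.groupdict()
            yield g["src"], int(g["sport"]), g["dst"], int(g["dport"]), g["proto"]


def one_way_flows(text):
    """Return [(src, sport, dst, dport, proto, packets)] for every flow whose
    reverse direction (addresses and ports swapped) never appears in the
    capture, most retried first.  A flow listed here did reach the capture
    point, so the fault is on the return path: typically a wrong default
    gateway on the server, a host firewall, or a missing return route."""
    packets = defaultdict(int)
    for flow in parse_capture(text):
        packets[flow] += 1
    silent = []
    for (src, sport, dst, dport, proto), n in packets.items():
        if (dst, dport, src, sport, proto) not in packets:
            silent.append((src, sport, dst, dport, proto, n))
    return sorted(silent, key=lambda f: -f[5])


if __name__ == "__main__":
    for src, sport, dst, dport, proto, n in one_way_flows(SAMPLE_CAPTURE):
        print(f"{proto} {src}:{sport} -> {dst}:{dport}: {n} packets, no reply seen")
```

Run it against a capture taken on the OPT1 interface; the 192.168.1.7:80 flow shows up as one-way, which is exactly the "no traffic back from the web server" symptom diagnosed later in the thread.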
-
I have 6 available NICs on the server and have tried to switch each of them to another to check if it could solve the situation but had no success.
-
Don't know how you got it to pass traffic on OPT1 without a rule. I just tried with a VM and it didn't happen.
So it is getting to the web server, perhaps the default gateway on the web server is not correct as there is no traffic back from the web server.
Can you do a tcpdump on the web server? Also, can you execute and paste "netstat -nr" from the web server?
What are the static IPs of LAN and OPT1 on the pfSense box?
-
I had a problem with the webserver gateway, which I could solve but now I am having another issue.
My webserver on the DMZ connects to a server on the LAN through one specific port only. I have already tried creating a rule to allow this traffic but had no success. Can you give me some hints on how to create it?
-
Screenshot the rule. My guess is that you formatted the rule incorrectly or the rule is below a block rule.
-
I managed to solve this too.
One last question: I successfully configured an OpenVPN server and I can remotely access the LAN, but I would also like to access the DMZ. Is there any configuration I should change or rule to add so that I can access the DMZ from the OpenVPN connection?
-
If you didn't create an allow-all rule in the OpenVPN tab, then you need to add a rule in there to allow the traffic to the DMZ. Your VPN software has to be set up to push the DMZ subnet through the opened tunnel.
-
I have attached a screenshot of the rule that is created automatically and allows all traffic. How do I configure the VPN software? I can ping any host on the LAN but not on the DMZ.

-
I have solved this by adding a push route to the DMZ subnet in the OpenVPN advanced configuration.