Can't reach dmz/opt from lan

  • Hi,

    I recently set up pfsense on an alix box as a second firewall behind my dsl router in order to
    put my potentially insecure test pc into it's own network. Eventually I want to set port forwarding,
    so I can access some shares/services on that test pc, but right now I'm stuck, being unable
    to even ping that pc from any machine behind the lan interface.

    interfaces: wan static ( -> gw (the dsl router)
    lan static (, no gw
    dmz static (, no gw

    Automatic NAT outbound.

    For testing purposes I set the firewall rules wide open, using a lan-to-any rules both for the
    lan and dmz/opt interface:
    action: pass, interface: lan, source: any, destination: any (for lan)
    action: pass, interface: dmz, source any, destination: any (for dmz)

    Now with that setting, I CAN ping from a machine on the dmz interface (e.g. to
    any on the lan, but not the other way round for some reason I don't understand.

    Any hints would be apprecited. Thanks a lot in advance.


  • What do the firewall logs show?  Did you turn on logging for both rules to generate additional logs?

    Your settings seem to be okay.  Are all three of these interfaces physical interfaces (WAN, LAN, DMZ) or are you using a vLAN to share one port?

  • Yes,it's 3 physical interfaces. As for the logs, I'm afraid they got lost when I misconfigured the whole thing when
    trying a different approach in bridging together LAN and DMZ to have a more transparent firewall setting between the two.
    At some point I managed to completely lock myself out in doing so. Going back to defaults via serial console dind't
    help either, so I guess I'll flash that CF card again, and try once more, adding extra logging as you suggested.

