No internet access from DMZ(OPT1)

patelbhavin8008

Hi,

i am not able to access internet from DMZ(OPT1) interface. I have created rule in DMZ(OPT1) which is same as default rule in LAN for accessing internet. below is the rule for DMZ from firewall.

Proto Source       Port Destination  Port     Gateway Queue

• DMZ_LOCAL net *     *           *         *         none

is there any thing more i need to do.

jimp

Check your outbound NAT (Firewall > NAT, Outbound tab)

if you're on manual outbound NAT, add rules for the DMZ subnet.

If you're on automatic outbound NAT it should already work, but make sure under Interfaces > DMZ that you do NOT have a gateway selected (only choose a gateway on WANs, not local interfaces)

atakacs

Total newbie here having the very similar issue.

I have created an outbound firewall rule for the OPT. I'm using automatic outbound NAT rule generation.

However on the "interface" page for OPT I have no gateway defined and no choice in the pop-up (although I have defined a gateway for the LAN part which works fine - I would hvw expected that geteway showing up there ?). If I try to manually add my WAN gateway I get a "please wait" message forever.

Pretty much stumped at this stage

johnpoz

"However on the "interface" page for OPT I have no gateway defined and no choice in the pop-up"

Which is how it should be - its a LAN interface, it should NOT have gateway.

atakacs

Ok - understood.

So except for creating an outbound firewall rule is there anything else I should do to get internet access on my OPT subnet ? How should we go about diagnosing this ?

kejianshi

Stab in the dark.  That rule you made.  Did you copy it from the original rule on the LAN interface or make a new rule from scratch?

johnpoz

I have multiple opt interfaces, my wlan, dmz and only thing you need to do is create a firewall rule to allow the traffic you want..  It takes 10 seconds to setup another interface in pfsense - and only thing that should be required is allow the traffic on in the the firewall.

Since opt intefaces do not default to being open like the lan interface after setup.

If your having issues I would look to make sure your clients are correctly setup and can ping your opt interface IP, and what are they using for dns?  Is dns listening on opt interface if that is what clients are using, etc.

As to troubleshooting the issue - first things is can you ping the IP address you gave the opt interface from client on that network?

kejianshi

What I was wondering about is if maybe he set up the correct firewall rule but has the wrong interface selected.  This is easy to do if you copy a rule from LAN but don't change the interface.

atakacs

Hello

hmmm can't ping my OPT interface IP - oops, I should I thought about testing this first :(

So it does have DHCP working, the machine gets the expected IP, gateway and DNS (IP in the range specified, gw and dns = pfS) but it won't ping…

Here is my firewall setup in case I missed something obvious (quite possible)

kejianshi

Two things.

First, can you go back into your opt1 rule and change protocol to "any", source to opt1 net, then save and apply.

Then go to Status > filter reload.

Then test again.

Second, can you post a pic of your firewall > NAT > Outbound rules

atakacs

Thanks for your suggestions.

1. Tried to change the FW rule per your instructions - doesn't help.

2. Here is outbound rule (using automatic outbound NAT rule generation).

Guess it's time to delve in the logs…

kejianshi

I also noticed that no one so far has asked about your IP assignments for LAN, which must be correct or you wouldn't be able to see the internet, and OPT1 which obviously has some issue.

Under Interfaces:
What is the LAN IP, subnet and range?  Like 192.168.1.1 and 192.168.1.0/24 for subnet?

Should have a similar setting for OPT1 interface.  Like 192.168.2.1 and 192.168.2.0/24 for subnet?

AND - I feel dumb for not asking sooner. 
Buttttttt….

Did you go into services > DHCP server and activate DHCP on OPT1 interface?  Thats a show stopper if you haven't.

kejianshi

I feel sorta bad that this didn't occur to me earlier.  I have this habit when working with pfsense of assigning new interface cards and new IPs and subnets from the text menu on pfsense.

For instance, I'll drop in a new card.  Then I will go to the command line interface.  I'll select the # in the menu for assign interfaces.  From there, I'll assign the wan interface, lan and opt1.

Then I will go to the menu # for assign interface IPs.

I'll leave wan alone.  It picks up IP by DHCP by default.
I'll set LAN IP like 192.168.1.1, select 24 for subnet, and set IP range for DHCP like 192.168.1.100 - 192.168.1.200

then I'll assign OPT1 interface IP at the command interface also.
I'll set LAN IP like 192.168.2.1, select 24 for subnet, and set IP range for DHCP like 192.168.2.100 - 192.168.2.200

(Its actually better if you pick IPs other than 192.168.x.x because they are so common but for this example, I used them because they are familiar to all)

The reason I assign my interfaces again from the command interface is because it FORCES me to do all the things I should at once.

If you did not use the command interface menu but instead use web gui, then you must:

1.  install the card
2.  Add the interface and check the MAC to be sure the interface you added has MAC matching the card you expect.
3.  Activate the interface and set as static and set interface IP (192.168.2.1) and /24
4.  Go to services > DHCP server - Click the Tab for OPT1 and activate DHCP and set the range like 192.168.2.100 - 192.168.2.200

Only after doing these steps are you ready to set up your OPT1 firewall rule to pass all.
That rule should apply to protocol all, interface OPT1, source OPT1 net…  I think that part is already correct on your machine.

atakacs

Thanks for your patience…

Yes DHCP is up on OPT and I do get an IP in the expected IP range:

But can't ping the gateway (which is the OPT IP).

One additional potential issue is that we are here in a virtual (VMware) environment and the OPT NIC is completely virtual (i.e. "host only", connected to pfS and the Windows VM only, no physical NIC) but this has always worked fine so far for me (although these are my first steps with pfS).

If (virtually) connect the very same VM on the LAN card it works just fine.

kejianshi

"Can't ping the gatway which is the OPT IP"?

Shouldn't the gateway be the WAN IP?

Are you attempting to use OPT1 like a LAN interface or another WAN interface?

If you get internet through WAN and you plan to connect hosts via OPT1 then it should be set up nearly identically to your LAN interface.
That means that under interfaces > OPT1 you should have a static IP assigned and gateway should be set to "none".

So, maybe I am misunderstanding your reference to OPT and Gateway, but to me, it seems odd.  Could you clarify?

atakacs

"Can't ping the gatway which is the OPT IP"?
Shouldn't the gateway be the WAN IP?

My understanding is that within the context of the OPT subnet the gateway should be the OPT interface IP (and that's how it is set up by the DHCP server - 172.16.35.254 in my case, see my previous screenshot). As far as my networking knowledge goes any non local packets will be sent to 172.16.35.254 where they should be relayed further - presumably to the WAN gateway. Obviously if I can't ping 172.16.35.254 something is not working as expected…

Are you attempting to use OPT1 like a LAN interface or another WAN interface?

As another LAN.

If you get internet through WAN and you plan to connect hosts via OPT1 then it should be set up nearly identically to your LAN interface. That means that under interfaces > OPT1 you should have a static IP assigned and gateway should be set to "none".

That's what I'm having as far as I can tell:

kejianshi

Just wondering here, because I have never done it the way you have it and I'm not sure if its an issue or not.

you have the static IP of that OPT1 interface set as 172.16.35.254.  Is your LAN set up similarly with a .254 in the last digit?

I'm not sure if that makes a difference at all with pfsense, but I have always placed the static IP at .1

like 172.16.35.1 /24

Supermule

Have you enabled outbound NAT from the OPT1 interface?

kejianshi

Earlier, he has a post of the outbound nat set to auto.
I don't use AUTO anymore, but instead use on manual and set up outbound NAT for each LAN interface manually.
I was going to go there next if changing static IP to .1 vs .254 had no effect.

However, supposedly on "auto", outbound NAT should handle its self.

atakacs

Ok I have changed the OPT IP to .1 to no avail (it was picked up correctly by the DHCP client after a renew).

I have also tried to create a manual outbound NAT rule:

Still no cigar…

That being said - and I would certainly not call myself an expert in this area - I would think that even if outbound NAT was fully turned off the .1 address should still ping ?

Oh BTW my ARP tables:

172.16.35.100 00:0c:2948:b0 ManagementVM   OPT1
172.16.10.210 00:0c:29:6c:f8:91 pfSdc.local LAN
172.16.35.1 00:0c:29:6c:f8:9b OPT1
172.16.10.62 3c:07:54:27:ff:55 LAN
#.#.46.18 00:0c:29:6c:f8:87 WAN
#.#.46.17 78:19:f7:f5:ed:c1 WAN

Seems correct (last two are my WAN addresses that I have anonymised).

172.16.35.100 is the DHCP client on the OPT network - correct
172.16.10.210 is the LAN IP for the firewall - correct
172.16.35.1 is the OPT IP for the firewall - correct
172.16.10.62 is the LAN IP for the client machine I am using to configure - also correct

Anyway... what's next ?