I can't route through DMZ

  • I have 3 NICs: WAN, LAN and DMZ. WAN has a public IP and my servers also have public IPs, so I have created VIPs for the servers and NAT 1:1. I have also created firewall rules on the DMZ interface.
    The problem I have is that DMZ routes only if the mask "sees" the LAN interface. I suspect that it routes through the LAN interface (I see no traffic through the DMZ).
    If I change the mask back to /24 it doesn't work.

  • Please be more specific on your IPs for the DMZ and LAN. If the DMZ is part of a LAN supernet, then you have a routing problem.

  • You are right. The LAN has multiple subnets (for the labs), so the mask has a /20 range. One of these subnets is the same as the DMZ subnet. I first tried LAN addresses from 192.168.x.x and DMZ from 172.30.x.x, but I couldn't route from the DMZ. I have rules in NAT 1:1 for the DMZ interface to permit the outbound traffic, but I don't know why the DMZ does not see the WAN. Only when I put a static route to the WAN did it work temporarily.
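The overlap the two posts above describe (a LAN widened to a /20 that swallows the /24 the DMZ interface uses) is easy to check mechanically before touching firewall rules. The following is an added example, not code from the thread or from pfSense: it audits a constructed interface layout for overlapping connected networks and shows, by longest-prefix match, which interface a destination would be sent out of and how many interfaces claim that destination as on-link. The interface names and addresses are assumptions modelled on the thread, not the poster's real configuration.

```python
import ipaddress
from itertools import combinations

# Constructed layout modelled on the thread: LAN widened to a /20 supernet for
# lab subnets, with one of those /24s being the same range the DMZ interface uses.
OVERLAPPING_LAYOUT = {
    "LAN": "192.168.0.0/20",   # covers 192.168.0.0 - 192.168.15.255
    "DMZ": "192.168.5.0/24",   # sits inside the LAN supernet
}

# The layout the poster ended up with: DMZ moved to a separate private range.
SEPARATED_LAYOUT = {
    "LAN": "192.168.0.0/20",
    "DMZ": "172.30.1.0/24",
}


def overlapping_interfaces(layout):
    """Return (iface_a, iface_b) pairs whose connected networks overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in layout.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def select_interface(layout, destination):
    """Longest-prefix match over the connected networks, as any router does.

    Returns the interface name, or None if no connected network covers the
    destination (it would then go to the default route, i.e. WAN)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for name, cidr in layout.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, name)
    return best[1] if best else None


def covering_interfaces(layout, destination):
    """All interfaces whose connected network contains the destination.

    More than one entry means hosts on the wider network treat the destination
    as on-link and ARP for it directly instead of handing the packet to the
    firewall, so traffic between the two segments does not flow as intended."""
    dst = ipaddress.ip_address(destination)
    return sorted(name for name, cidr in layout.items()
                  if dst in ipaddress.ip_network(cidr, strict=True))


def audit(layout):
    """Human-readable findings for an interface layout; empty list means clean."""
    return [f"{a} ({layout[a]}) overlaps {b} ({layout[b]}): move one of them to a disjoint range"
            for a, b in overlapping_interfaces(layout)]


if __name__ == "__main__":
    for title, layout in (("overlapping", OVERLAPPING_LAYOUT), ("separated", SEPARATED_LAYOUT)):
        print(f"== {title} ==")
        for finding in audit(layout) or ["no overlap"]:
            print("  ", finding)
        dmz_host = "192.168.5.10" if title == "overlapping" else "172.30.1.10"
        print("   firewall sends", dmz_host, "out", select_interface(layout, dmz_host),
              "; claimed on-link by", covering_interfaces(layout, dmz_host))
```

Running it shows the firewall itself still picks DMZ for a DMZ host address (the /24 is the longer prefix), while both LAN and DMZ claim that address as directly connected in the overlapping layout; in the separated layout only DMZ does, which is the state in which the poster's routing started working.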

  • Sometimes, if you have included one subnet inside another interface, you have to reboot to clear it up.
    Generally, you need to have a DMZ rule to allow traffic out. I know you are doing 1:1 NAT, but if you are using manual NAT, you might want to put a rule in there for that subnet.

  • I solved the problem with the DMZ routing by configuring persistent routes to my servers for the default gateway. Now I have DMZ addresses in the 172.30.x.x subnet and LAN addresses in the 192.168.x.x subnet. I didn't have problems with the rules. I wonder why pfSense doesn't route through an OPT interface and the server gateway has to be in a subnet that can reach either WAN or LAN. Did I forget to check something, or what? I have rules for Firewall, Aliases, NAT (Port Forward or NAT 1:1, outbound), and for Virtual IPs.  :-[

  • Well, if your servers have a LAN address and a DMZ address, then depending on how you want them to go out, it matters which one has the gateway assigned.
    A true DMZ will not have a LAN interface. It defeats the purpose of the DMZ. You can have both, there is nothing stopping you, but for the DMZ servers, the interface in the LAN will not have a default gateway set while the DMZ interface will.

    Many have DMZ or OPT interface setups with pfSense with no problem. I do, one for my phones, one for a guest wifi, and then I have the main LAN. All without having to create any persistent routes.
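The rule in the reply above (a dual-homed DMZ server keeps its only default gateway on the DMZ leg, none on the LAN leg) is something you can verify from the server itself rather than infer from where traffic ends up. This is an added example, not code from the thread or from pfSense: it parses the output of `ip route show` on a Linux server and reports any default route that does not leave via the DMZ interface. The route lines, interface names and addresses are constructed for the example and are assumptions, not the poster's configuration; in practice you would feed it the real command output.

```python
# Constructed `ip route show` output for a dual-homed server configured as the
# reply recommends: one default route, and it leaves on the DMZ interface (eth1).
GOOD_ROUTES = """\
default via 172.30.1.1 dev eth1 proto static
172.30.1.0/24 dev eth1 proto kernel scope link src 172.30.1.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed output for the misconfiguration the thread warns about: a second
# default route on the LAN leg (eth0), which wins on metric.
BAD_ROUTES = """\
default via 192.168.1.1 dev eth0 proto static metric 100
default via 172.30.1.1 dev eth1 proto static metric 200
172.30.1.0/24 dev eth1 proto kernel scope link src 172.30.1.10
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""


def parse_routes(output):
    """Turn `ip route show` lines into dicts keyed by the iproute2 keywords.

    Each line starts with the destination ("default" or a prefix) followed by
    keyword/value pairs; only the keywords this check needs are extracted."""
    routes = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0]}
        for key in ("via", "dev", "metric"):
            if key in tokens and tokens.index(key) + 1 < len(tokens):
                route[key] = tokens[tokens.index(key) + 1]
        routes.append(route)
    return routes


def default_routes(output):
    """Only the default routes, in the order the kernel listed them."""
    return [r for r in parse_routes(output) if r["dst"] == "default"]


def check_dual_homed(output, dmz_iface):
    """Findings for a server that should egress only via dmz_iface; [] means OK."""
    findings = []
    defaults = default_routes(output)
    if not defaults:
        findings.append("no default route: the server cannot reach anything off-link")
    for r in defaults:
        if r.get("dev") != dmz_iface:
            findings.append(f"default route via {r.get('via')} leaves on {r.get('dev')}, "
                            f"not the DMZ interface {dmz_iface}")
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes present; replies to outside "
                        f"hosts may take the LAN path instead of the DMZ")
    return findings


if __name__ == "__main__":
    for title, output in (("good", GOOD_ROUTES), ("bad", BAD_ROUTES)):
        print(f"== {title} ==")
        for finding in check_dual_homed(output, "eth1") or ["default gateway is on the DMZ leg only"]:
            print("  ", finding)
```

The check is deliberately narrow: it does not care how the route was installed (static, DHCP, a persistent route as the poster used), only that exactly one default route exists and that it points out of the DMZ interface, which is what makes 1:1 NAT on the firewall see the server's traffic on the DMZ side.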
