PfSense bastion / choke



  • Hi mates,
    I am working on a bastion / choke configuration for my DMZ:

    Internet----pfSense bastion----DMZ----pfSense choke----LAN

    The pfSense bastion is able to check for updates, but the choke one is not, even though it is able to ping internet hosts (such as 8.8.8.8) from the DMZ interface and the LAN interface.
    I assume it is something about the loopback interface, which isn't able to ping anything.
    Routes are correct; the default gateway for the DMZ is the choke firewall. DMZ hosts can browse the internet and/or ping internet hosts.

    Thanks anyone

    Andrea



  • @pama:

    Hi mates,
    I am working on a bastion / choke configuration for my DMZ:

    Internet----pfSense bastion----DMZ----pfSense choke----LAN

    The pfSense bastion is able to check for updates, but the choke one is not, even though it is able to ping internet hosts (such as 8.8.8.8) from the DMZ interface and the LAN interface.
    I assume it is something about the loopback interface, which isn't able to ping anything.
    Routes are correct; the default gateway for the DMZ is the choke firewall. DMZ hosts can browse the internet and/or ping internet hosts.

    Thanks anyone

    Andrea

    Now I am able to traceroute from the DMZ, LAN and loopback interfaces, and DNS replies to all of them, but I am still not able to check for updates and/or install packages…



  • It is me again.
    Need urgent help!!!
    DMZ works like a charm, but…
    The DMZ gateway is the bastion firewall.
    From the LAN I cannot reach any DMZ host, but only if I don't ping first.

    Is there a sort of "keepalive" port?

    Thanks

    Andrea
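    The post above says DMZ hosts use the bastion as their default gateway while LAN hosts reach the DMZ through the choke. The following is an added example, not code from the thread, from pfSense or from Andrea: a small model of two pf-style stateful firewalls in that layout, showing one mechanism that produces exactly the reported symptom (LAN cannot reach DMZ hosts) without confirming that it is the cause here. It assumes the choke forwards LAN traffic without outbound NAT ("routes are correct"), that the bastion has a static route back to the LAN via the choke, and that the bastion NATs private sources to its public address. All addresses and host names are constructed for the illustration. It then shows the two usual fixes side by side: outbound NAT on the choke's DMZ-facing interface, or a route on the DMZ hosts for the LAN subnet via the choke.

```python
"""Toy model of stateful filtering in a bastion / choke layout (added example).

A pf-style firewall only passes the reply half of a flow if it saw the first
half and created a state. When a DMZ host sends its reply to its default
gateway (the bastion) instead of back through the choke, the bastion has no
state for the flow and drops it. Topology and addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    reply: bool = False                       # True for the return half of a flow

    def key(self):
        return frozenset((self.src, self.dst))  # both directions share one state


@dataclass
class Node:
    name: str
    addrs: tuple                              # addresses this node owns
    routes: dict                              # prefix -> next-hop name, None = on-link
    stateful: bool = False                    # pf-style: replies need a matching state
    nat_inside: Optional[str] = None          # sources in this prefix are NATted on egress
    nat_addr: Optional[str] = None            # ... to this address
    states: set = field(default_factory=set)
    nat_table: dict = field(default_factory=dict)

    def lookup(self, dst):
        """Longest-prefix match; returns (found, next_hop)."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, nh in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return (True, best[1]) if best else (False, None)


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.owner = {a: n.name for n in nodes for a in n.addrs}

    def send(self, pkt, at):
        """Carry pkt hop by hop from node `at`; returns (delivered, path, pkt_as_received)."""
        path = [at]
        for _ in range(8):                                    # hop limit
            node = self.nodes[at]
            orig = node.nat_table.get((pkt.dst, pkt.src))     # un-NAT a reply to our NAT address
            if pkt.reply and orig:
                pkt = Packet(pkt.src, orig, reply=True)
            if pkt.dst in node.addrs:
                return True, path, pkt
            if node.stateful:
                if pkt.reply and pkt.key() not in node.states:
                    return False, path + ["DROP(no state)"], pkt
                node.states.add(pkt.key())                    # state is keyed pre-NAT
            ok, nh = node.lookup(pkt.dst)
            if not ok:
                return False, path + ["DROP(no route)"], pkt
            if (not pkt.reply and node.nat_inside
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(node.nat_inside)):
                node.nat_table[(node.nat_addr, pkt.dst)] = pkt.src
                pkt = Packet(node.nat_addr, pkt.dst)
            at = nh if nh else self.owner.get(pkt.dst, "internet")
            path.append(at)
        return False, path + ["DROP(hop limit)"], pkt

    def connect(self, src, dst):
        """Send src->dst, then the reply as the receiver would address it."""
        ok, fwd, seen = self.send(Packet(src, dst), self.owner[src])
        if not ok:
            return False, fwd, []
        ok, rep, _ = self.send(Packet(seen.dst, seen.src, reply=True), fwd[-1])
        return ok, fwd, rep


def build(choke_nat=False, dmz_route_to_lan=False):
    """Constructed topology: Internet - bastion - DMZ - choke - LAN (assumed addresses)."""
    dmz_host_routes = {"192.168.20.0/24": None, "0.0.0.0/0": "bastion"}   # DMZ gateway = bastion
    if dmz_route_to_lan:
        dmz_host_routes["192.168.10.0/24"] = "choke"        # fix 2: DMZ hosts know the LAN path
    return Network([
        Node("lan_host", ("192.168.10.50",), {"192.168.10.0/24": None, "0.0.0.0/0": "choke"}),
        Node("choke", ("192.168.10.1", "192.168.20.2"),
             {"192.168.10.0/24": None, "192.168.20.0/24": None, "0.0.0.0/0": "bastion"},
             stateful=True,
             nat_inside="192.168.10.0/24" if choke_nat else None,   # fix 1: outbound NAT on DMZ side
             nat_addr="192.168.20.2"),
        Node("dmz_host", ("192.168.20.50",), dmz_host_routes),
        Node("bastion", ("192.168.20.1", "203.0.113.10"),
             {"192.168.20.0/24": None, "192.168.10.0/24": "choke", "0.0.0.0/0": "internet"},
             stateful=True, nat_inside="192.168.0.0/16", nat_addr="203.0.113.10"),
        Node("internet", ("198.51.100.7",), {"198.51.100.0/24": None, "0.0.0.0/0": "bastion"}),
    ])


if __name__ == "__main__":
    cases = [("plain routing", build()),
             ("choke does outbound NAT", build(choke_nat=True)),
             ("DMZ hosts route LAN via choke", build(dmz_route_to_lan=True))]
    for label, net in cases:
        ok, fwd, rep = net.connect("192.168.10.50", "192.168.20.50")
        print(f"{label}: LAN->DMZ {'OK' if ok else 'FAILS'} forward={fwd} reply={rep}")
```

    With plain routing the forward SYN goes lan_host -> choke -> dmz_host, but the reply goes dmz_host -> bastion, where it is dropped for lack of state; LAN -> Internet still works in the same model because both halves of that flow pass the bastion. Which of the two fixes is right depends on whether the choke is meant to hide the LAN (NAT) or to route it openly, which the thread does not say.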


  • Netgate Administrator

    How are your subnets arranged? Is either of these pfSense installs transparent?

    Do you have the correct update URL set in System: Firmware: Updater Settings?

    Try this: https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference

    Steve