    Basic DMZ routing

    Routing and Multi WAN
Grey100:

      Hi there,

      I'm having some serious bother setting up a DMZ using a transparent bridge.

      My aim is to produce a DMZ network on which I can provide public IPs to my servers. I have been assigned a /29:

      xxx.xxx.184.192 - Network
      xxx.xxx.184.193 - Gateway (provided by my ISP)
      xxx.xxx.184.194 - pfSense box
      xxx.xxx.184.195 - reserved for Server 1
      xxx.xxx.184.196 - reserved for Server 2
      xxx.xxx.184.197 - reserved for Server 3
      xxx.xxx.184.198 - reserved for Server 4
      xxx.xxx.184.199 - Broadcast
      
      WAN ---> pfSense (xxx.xxx.184.194) ---> LAN (192.168.1.1/24) ---> irrelevant
                                         ---> DMZ (192.168.145.1)  ---> Server 1 (xxx.xxx.184.195)
                                                                   ---> Server 2 (xxx.xxx.184.196)
                                                                   ---> Server 3 (xxx.xxx.184.197)
                                                                   ---> Server 4 (xxx.xxx.184.198)
      

      First up, I disabled the pfSense firewall (in the advanced options - "Disable all packet filtering.") for debugging purposes.

      I then followed the instructions at http://blog.cycomptec.com/bridge-pfsense-firewall-public-private-ips-connected-dmz.
      I set the DMZ interface to have "None" IPv4 configuration type, and assigned 192.168.145.1 to the DMZ-Bridge interface (called BridgeDHCP in the guide).

      I then attached Server 1 to the DMZ network, assigned it a public IP and set its default route to be the pfSense box.
      This gives us the following:

      
      root@box:~# ifconfig eth0 xxx.xxx.184.195 netmask 255.255.255.248
      
      root@box:~# route add default gateway xxx.xxx.184.194
      
      root@box:~# ifconfig
      eth0	Link encap: Ethernet	HWaddr [removed]
      	inet addr: xxx.xxx.184.195 Bcast xxx.xxx.184.199 Mask: 255.255.255.248
      	[...]
      
      root@box:~# route
      Kernel IP routing table
      Destination	Gateway		Genmask		Flags	Metric	Ref	Use	Iface
      default		xxx.xxx.184.194	0.0.0.0		UG	0	0	0	eth0
      127.0.0.1	*		255.255.255.255	UH	0	0	0	lo
      xxx.xxx.184.192	*		255.255.255.248	U	0	0	0	eth0
      
      

      At this point, I can ping the pfSense public IP (xxx.xxx.184.194) and its private IP (192.168.145.1). I cannot ping the ISP-provided gateway (xxx.xxx.184.193).

      To debug, I ran a traceroute. Packets seem to be getting as far as the pfSense box then stopping.

      
      root@box:~# traceroute 8.8.8.8
      traceroute to 8.8.8.8(8.8.8.8), 30 hops max, 38 byte packets
       1	xxx.xxx.184.194 (xxx.xxx.184.194)	0.296ms	0.234ms	0.184ms
       2	*	*	*
       3	*	*	*
      
      

      Does anybody have any idea why my packets are stopping, and how I can get my servers talking to the wider internet?

      Edit: it gets worse…
      It appears that this configuration is unstable for some reason and Server 1 can only ping the pfSense box intermittently and traceroutes are failing on hop 1 now. This may be a symptom of poor configuration or a whole other issue, but I feel it is relevant.

      Thanks!

      Grey
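As an added example (not code from the post or from the linked guide), the script below checks a /29 DMZ plan like the one above and a server's address/route settings offline, before anything is typed on the box. The PLAN dict, the function names and the 203.0.113.x addresses (RFC 5737 documentation range, standing in for the masked xxx.xxx.184.x) are assumptions for illustration. The one design rule it encodes is a property of any transparent bridge: bridging is layer 2, so the servers sit in the ISP's /29 and their default gateway must be an on-link address in that /29; the script treats a gateway other than the ISP router as a warning and a gateway outside the /29 (for example the bridge interface's 192.168.145.1) as an error.

```python
"""Offline sanity checks for a /29 public DMZ behind a transparent bridge.
Added example for this thread; not code from the post or the linked guide."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed plan mirroring the post's layout. 203.0.113.x is the RFC 5737
# documentation range, standing in for the masked xxx.xxx.184.x addresses.
PLAN = {
    "network": "203.0.113.192/29",
    "isp_gateway": "203.0.113.193",
    "pfsense_wan": "203.0.113.194",
    "servers": {
        "server1": "203.0.113.195",
        "server2": "203.0.113.196",
        "server3": "203.0.113.197",
        "server4": "203.0.113.198",
    },
}


def check_plan(plan):
    """Return problems with the address plan (empty list means consistent).

    Every role must sit inside the /29, must not take the network or
    broadcast address, and no two roles may share an address.
    """
    net = IPv4Network(plan["network"])
    roles = {"isp_gateway": plan["isp_gateway"], "pfsense_wan": plan["pfsense_wan"]}
    roles.update(plan["servers"])
    problems, owner = [], {}
    for role, text in roles.items():
        addr = IPv4Address(text)
        if addr not in net:
            problems.append(f"{role} {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{role} {addr} is the network or broadcast address")
        if addr in owner:
            problems.append(f"{role} and {owner[addr]} both use {addr}")
        owner.setdefault(addr, role)
    return problems


def check_server(iface_cidr, default_gw, plan):
    """Return findings for one bridged server's address and default route.

    iface_cidr is the address/prefix given to the NIC, default_gw the
    gateway of its default route. A transparent bridge is layer 2 only, so
    the server lives in the ISP's /29 and its gateway must be on-link there.
    """
    iface = IPv4Interface(iface_cidr)
    net = IPv4Network(plan["network"])
    gw = IPv4Address(default_gw)
    findings = []
    if iface.network != net:
        findings.append(f"{iface} is not in the planned {net}")
    if str(iface.ip) not in plan["servers"].values():
        findings.append(f"{iface.ip} is not a reserved server address")
    if gw not in iface.network:
        # net-tools 'route add default gw' refuses such a gateway with
        # 'SIOCADDRT: Network is unreachable'.
        findings.append(f"default gateway {gw} is not on-link for {iface}")
    elif gw != IPv4Address(plan["isp_gateway"]):
        findings.append(f"default gateway {gw} is not the ISP gateway "
                        f"{plan['isp_gateway']}; across a transparent bridge "
                        "the ISP router is the server's next hop")
    return findings


if __name__ == "__main__":
    for problem in check_plan(PLAN):
        print("plan:", problem)
    for host, gw in [("203.0.113.195/29", "203.0.113.193"),
                     ("203.0.113.195/29", "203.0.113.194"),
                     ("203.0.113.195/29", "192.168.145.1")]:
        print(host, "via", gw, "->", check_server(host, gw, PLAN) or ["ok"])
```

Run it as-is to see the three server cases: the ISP gateway passes clean, the pfSense WAN address is reported as a non-ISP next hop, and the bridge's private address is rejected as not on-link. Substitute the real /29 into PLAN to check your own plan before touching ifconfig or route.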