4. Basic DMZ routing

Basic DMZ routing

  • G

    Hi there,

    I'm having some serious bother setting up a DMZ using a transparent bridge.

    My aim is to produce a DMZ network on which I can provide public IPs to my servers. I have been assigned a /29:

    xxx.xxx.184.192 - Network
xxx.xxx.184.193 - Gateway (provided by my ISP)
xxx.xxx.184.194 - pfSense box
xxx.xxx.184.195 - reserved for Server 1
xxx.xxx.184.196 - reserved for Server 2
xxx.xxx.184.197 - reserved for Server 3
xxx.xxx.184.198 - reserved for Server 4
xxx.xxx.184.199 - Broadcast

    WAN ---> pfSense (xxx.xxx.184.194) ---> LAN (192.168.1.1/24) ---> irrelevant
                                   ---> DMZ (192.168.145.1)  ---> Server 1 (xxx.xxx.184.195)
                                                             ---> Server 2 (xxx.xxx.184.196)
                                                             ---> Server 3 (xxx.xxx.184.197)
                                                             ---> Server 4 (xxx.xxx.184.198)

    First up, I disabled the pfSense firewall (in the advanced options - "Disable all packet filtering.") for debugging purposes.

    I thenfollowed the instruction at http://blog.cycomptec.com/bridge-pfsense-firewall-public-private-ips-connected-dmz.
    I set the DMZ interface to have "None" IPv4 configuration type, and assigned 192.168.145.1 to the DMZ-Bridge interface (called BridgeDHCP in the guide).

    I then attached Server 1 to the DMZ network and assigned it a public IP and set it's default route to be the pfSense box.
    This gives us the following:

    
root@box:~# ifconfig eth0 xxx.xxx.184.195 netmask 255.255.255.248

root@box:~# route add default gateway xxx.xxx.184.194

root@box:~# ifconfig
eth0	Link encap: Ethernet	HWaddr [removed]
	inet addr: xxx.xxx.184.195 Bcast xxx.xxx.184.199 Mask: 255.255.255.248
	[...]

root@box:~# route
Kernal IP routing table
Destination	Gateway		Genmask		Flags	Metric	Ref	Use	Iface
default		xxx.xxx.184.194	0.0.0.0		UG	0	0	0	eth0
127.0.0.1	*		255.255.255.255	UH	0	0	0	lo
xxx.xxx.184.192	*		255.255.255.248	U	0	0	0	eth0

    At this point, I can ping the pfSense public IP (xxx.xxx.184.194) and it's private IP (192.168.145.1). I cannot ping the ISP provided gateway (xxx.xxx.184.193).

    To debug, I ran a traceroute. Packets seem to be getting as far as the pfSense box then stopping.

    
root@box:~# traceroute 8.8.8.8
traceroute to 8.8.8.8(8.8.8.8), 30 hops max, 38 byte packets
 1	xxx.xxx.184.194 (xxx.xxx.184.194)	0.296ms	0.234ms	0.184ms
 2	*	*	*
 3	*	*	*

    Does anybody have any idea why my packets are stopping, and how I can get my servers talking to the wider internet?

    Edit: it gets worse…
    It appears that this configuration is unstable for some reason and Server 1 can only ping the pfSense box intermittently and traceroutes are failing on hop 1 now. This may be a symptom of poor configuration or a whole other issue, but I feel it is relevant.

    Thanks!

    • Grey
    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy