Can't communicate with server behind DMZ interface from LAN.



  • I'm switching from Untangle, and one of the things that I can't seem to get working on pfSense is one-way communication from LAN to the DMZ interface.  I didn't do anything special in Untangle, so I'm guessing it did something automagically in the background or I'm just missing something.

    I have my 10.111.106.0/24 LAN and if I ping 192.168.77.9 (a server in the DMZ) I get no response.  This works if I change my gateway back to Untangle (I'm dual running right now for testing, both are on the same LAN and DMZ.)  At first I thought it was because the DMZ server had Untangle set as its default route, but it has a WAN address as its default route, the routing table on the DMZ server shows 192.168.77.0/24 goes to eth2, so I don't think it's a routing issue on the DMZ server.  There is no DHCP server on either the Untangle or pfSense DMZ interface, everything is statically set.

    I have allow any traffic rules on both DMZ and LAN right now for testing.

    I can ping the DMZ server from the Diagnostics -> Ping interface successfully, for what that means.

    Do I need to create an Outbound NAT rule on pfSense to make this work?  What does it need to look like?

    Thanks for helping me understand the problem I'm having.



  • If you have allowed all traffic on both LAN and DMZ to the other, and you have no gateway configured in these subnets on pfSense, the ping must work.
    Have you set the protocol to "any" in these rules? If it is on TCP, ping fails.



  • I've verified I have no gateway set for either the LAN or DMZ interface and that the rules are allowing any type of packet from anywhere to anywhere on both interfaces.  If it was a blocking issue, wouldn't I see it in the Firewall log anyway?

    I did a packet capture on both LAN and DMZ and I can see the echo request on both but no replies to be found.

    10.111.106.45 > 192.168.77.9: ICMP echo request

    So it's apparently going out the DMZ interface, right?  What might be the reason for the server not responding properly when my computer is set to the pfSense gateway and working when it's set to the Untangle gateway?  Seems like a routing issue, but I'm not sure what's wrong.

    Thanks for your help.



  • Doing some further packet sniffing, I found the DMZ server is getting the packet and replying, then it is apparently going to the Untangle server.

    I see the Echo.
    I see the Reply.

    Then 192.168.77.1 (Untangle IP) > 192.168.77.9
      ICMP type: Destination unreachable
      Error: Port unreachable

    So, what am I missing here?

    sheepish
    Ok, I don't know how I missed this, but there was in fact a route on the server pointing it back to 192.168.77.1 (Untangle).  Everything makes sense now!



  • I had this same issue just recently.

    I can ping the DMZ interface IP from LAN, but cannot ping hosts behind DMZ interface.

    This was fixed by fixing the mistake I made during IP assignment in DMZ interface.

    In the DMZ static IP configuration I assigned a subnet of /32, which should be /24.

    After the fix I can now ping hosts behind the DMZ interface.
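The two root causes in this thread (a stale route on the DMZ server sending replies to the old gateway, and a /32 instead of a /24 on the DMZ interface) both show up in ways you can check mechanically. The following is an added example, not code from the thread or from pfSense: it parses a few constructed capture lines written in the simplified "src > dst: ICMP ..." shape quoted above, reports echo requests that never get a reply (the LAN-side symptom) and replies that a host other than the firewall bounces with an ICMP unreachable (the stale-route symptom), and then checks which DMZ hosts are actually on-link for a given interface prefix. The pfSense DMZ address 192.168.77.2 is an assumption, since the thread only gives Untangle's 192.168.77.1.

```python
import ipaddress
import re

# Constructed sample capture lines in the simplified "src > dst: ICMP ..." shape
# quoted in the thread; they are not an actual capture from the thread.
DMZ_SIDE_CAPTURE = """\
10.111.106.45 > 192.168.77.9: ICMP echo request, id 7, seq 1
192.168.77.9 > 10.111.106.45: ICMP echo reply, id 7, seq 1
192.168.77.1 > 192.168.77.9: ICMP destination unreachable (port unreachable)
10.111.106.45 > 192.168.77.9: ICMP echo request, id 7, seq 2
192.168.77.9 > 10.111.106.45: ICMP echo reply, id 7, seq 2
192.168.77.1 > 192.168.77.9: ICMP destination unreachable (port unreachable)
"""

# Constructed: what the LAN-side capture in the thread looked like (requests only).
LAN_SIDE_CAPTURE = """\
10.111.106.45 > 192.168.77.9: ICMP echo request, id 7, seq 1
10.111.106.45 > 192.168.77.9: ICMP echo request, id 7, seq 2
"""

# Assumed pfSense DMZ address; the thread never states it (only Untangle's 192.168.77.1).
PFSENSE_DMZ_IP = "192.168.77.2"

LINE_RE = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP (?P<body>.*)$")
ECHO_RE = re.compile(r"echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")


def parse_capture(text):
    """Yield (src, dst, body) for every line that matches the simplified format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], m["body"]


def analyse_capture(text, firewall_dmz_ip):
    """Look for the two symptoms from the thread.

    unanswered: echo requests with no matching reply anywhere in the capture
                (what the LAN-side capture showed).
    misrouted:  (server, other_gateway) pairs where some host other than the
                firewall answered the server's echo reply with an ICMP
                unreachable, i.e. the server sent its reply to the wrong
                gateway (the stale route to 192.168.77.1 in the thread).
    """
    pending = {}          # (id, seq) -> (requester, server)
    misrouted = set()
    last_reply_src = None
    for src, dst, body in parse_capture(text):
        echo = ECHO_RE.search(body)
        if echo:
            key = (echo["id"], echo["seq"])
            if echo["kind"] == "request":
                pending[key] = (src, dst)
                last_reply_src = None
            else:
                pending.pop(key, None)
                last_reply_src = src
            continue
        # An unreachable aimed at the host that just replied, sent by something
        # other than the firewall, means the reply left via the wrong gateway.
        if "unreachable" in body and dst == last_reply_src and src != firewall_dmz_ip:
            misrouted.add((dst, src))
            last_reply_src = None
    return {"unanswered": sorted(set(pending.values())),
            "misrouted": sorted(misrouted)}


def on_link_hosts(interface_cidr, hosts):
    """Split hosts into those inside the interface's subnet (directly reachable,
    no gateway needed) and those outside it. A /32 typed by mistake on the
    pfSense static IPv4 page, as in the last post, puts every DMZ host outside."""
    network = ipaddress.ip_interface(interface_cidr).network
    inside, outside = [], []
    for h in hosts:
        (inside if ipaddress.ip_address(h) in network else outside).append(h)
    return inside, outside


if __name__ == "__main__":
    print(analyse_capture(DMZ_SIDE_CAPTURE, PFSENSE_DMZ_IP))
    print(analyse_capture(LAN_SIDE_CAPTURE, PFSENSE_DMZ_IP))
    print(on_link_hosts(PFSENSE_DMZ_IP + "/32", ["192.168.77.9"]))
    print(on_link_hosts(PFSENSE_DMZ_IP + "/24", ["192.168.77.9"]))
```

Run as-is it reports the misrouted reply for the DMZ-side sample, the unanswered requests for the LAN-side sample, and that 192.168.77.9 is off-link with a /32 but on-link with a /24. To use it on a real capture, convert your tcpdump or pfSense packet-capture output into the same one-line-per-packet shape first; the analysis only needs source, destination and the ICMP type.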

