Failure to connect to the internet from the DMZ
-
hello :)
I am trying to work with pfSense on VMware with 4 network cards, with this configuration:
LAN: 192.168.2.1
WAN: 192.168.3.1
dmzweb: 192.168.205.1
dmzbd: 192.168.10.1
With the LAN interface it works, but from the dmzbd or dmzweb machines I can't get on the internet. They already have an IP address from DHCP, but I cannot connect to the internet.
PS: I haven't configured my firewall rules yet.
-
Well, the first LAN that gets created will have a default any/any rule on it that allows devices on that network to go anywhere they want: the internet, other LAN segments.
But when you bring up other interfaces on pfSense (OPT?), which you call dmzweb and dmzbd, they will have no rules. So you have to create the firewall rules on these interfaces to allow the traffic you want. Any/any works to get everything tested; then you can modify the rules to suit your needs. Allow access to the internet, but not to your LAN, for example, for DMZ segments.
-
Thank you for your answer! I added rules for OPT1 and OPT2 as you told me, but I get the same error: I cannot get on the internet. Do you think it might be because I did not add a VMnet in VMware?
-
Let's see the rules you configured on OPT1 and OPT2, and how are you connecting what to what in your VM setup? I take it this is VMware Workstation, or is this an ESXi box?
-
Hey, yes, it works now, I can access the internet.
But I would like to configure the rules of the interfaces like this:
source -----------------> destination
WAN -> pfSense IP address
pfSense IP address -> dmz web
dmz web -> dmz bd, WAN
I didn't know how to make these rules! Should I configure only source or destination? Thanks for explaining it to me.
-
Why would you need rules for WAN to the pfSense WAN IP? Are you wanting to forward traffic from WAN to the DMZ segments? If so, create the forward and it will auto-create the WAN rules required to allow your forward.
That seems to be what you're trying to do in your first 2 lines.
As to dmzweb to dmzdb: on the dmzweb interface, set the destination IP or network you want to allow access to, and the ports. As to dmz to WAN, normally put in a rule that says source dmzweb can talk to the WAN network on whatever ports you want.
I can post pictures if need be.
-
I should configure WAN rules, because all traffic from WAN must only be able to access dmz web (and not dmz bd); that's why I asked about this. Traffic comes from WAN to pfSense to dmzweb, and then from dmz web to dmz bd.
Should I configure only interface rules?
-
By default NOTHING can access anything from the WAN; this is the default out of the box. If you want ports open from WAN to something on your private side, then you create a port forward. Are you wanting to do some sort of 1:1 NAT?
You show WAN as private 192.168.3.1. Are you doing NAT or not? By default pfSense NATs. Is this WAN the internet or some other segment in your network? For anything from the WAN side of pfSense to talk to anything in a DMZ, it would first have to get to 192.168.3.1. Since that is private, the device in front of pfSense NATing 192.168.3.0/24 to public would have to forward traffic to pfSense, so that pfSense could forward it on.
If you drew up your network, I would be happy to walk you through whatever you're trying to accomplish.
You don't route traffic through dmz web to dmz db (unless you have some router in dmzweb?). Do you mean you want devices in dmz web to access stuff in dmz db?
-
Hey, I changed the architecture to this.
Look at the flow matrix (an empty box means block):

| SOURCE / Destination | Zone 1: internet | Zone 2: Fw Réseau: pfSense | Zone 3: DMZ Vulture | Zone 4: DMZ web | Zone 5: DMZ GreenSQL | Zone 6: DMZ database | Zone 7: Administrator |
|---|---|---|---|---|---|---|---|
| Zone 1: internet | | TCP 80, TCP 443 | | | | | |
| Zone 2: Fw Réseau: pfSense | | | TCP 80, TCP 443 | | | | |
| Zone 3: DMZ Vulture | | | | TCP 80, TCP 443 | | | |
| Zone 4: DMZ web | | | | | Port bd 3306 | | |
| Zone 5: DMZ Vulture | | | | | | Port bd 3306 | |
| Zone 6: DMZ bd | | | | | | | |
| Zone 7: Administrator | all | all | all | all | all | all | |
-
My French is a bit rusty, but what is zone 2 supposed to be exactly? Réseau is network, is it not?
Zone2: Fw Réseau:Pfsense
And are you wanting these rules to only allow access to the specific IPs you list, or the whole network?
So TCP 80 and TCP 443 is very clear, but I'm a bit confused by "Port bd 3306": is that a TCP port, UDP?
Also you call zone 1 internet, but on the drawing you show WAN with RFC1918 address space. This is not internet ;) So the pfSense WAN IP is 192.168.1.3? Is there stuff on 192.168.1.0/24 that needs to talk to stuff on your network? You show block for all your zones to internet? Are we assuming these networks can talk to the pfSense interfaces on that segment? What ports? DNS?
If the pfSense WAN is RFC1918, and you want http and https to talk to whatever this "Zone2: Fw Réseau:Pfsense" is, is that 192.168.1.3?? What is forwarding this traffic to the RFC1918 address? If that is really from the internet, something has to forward it to the pfSense private address.
You say you want internet (z1) to talk to z2, and z2 can talk to z3. Do you really mean you want z1 to talk to z3? Is z2 this 192.168.1.0/24 network?
Also a bit confused about your use of the firewall symbol on other devices. Does that mean there are other network segments behind it?
Where is this DMZ GreenSQL in your table? You have DMZ Vulture twice? Are the IPs you are showing the devices' IPs on these segments or the pfSense IPs? You show an admin box with 2.1, but then you show 2.1 on what might be the pfSense IP for that network segment?
edit:
So I drew up your network with a few question marks. Can you fill them in so we are clear? See attached. Also, from looking up Vulture, it's French, I didn't see English, but I take it it is your WebSSO (web single sign-on). And looking at GreenSQL, this looks to be a firewall for SQL servers. So your http talks to this GreenSQL box, which in turn talks to your DB server. If you can clear up the IPs I can show you an example of how I would do this. But I would think web needs to be able to talk to Vulture, not Vulture talking to the web server.
-
Zone 2: FW Réseau pfSense; I mean the interface 192.168.1.3 (not forgetting that I work with a virtual machine ;)). 192.168.1.1 is the interface of my router at home.
dmz web: where I have my website hosted.
To access the database the port should be 3306 (MySQL database).
Zone 1: internet. I mean the traffic that comes from my router.
Let me explain it another way: I host a website (in the web DMZ), so I put in a firewall, Vulture, whose role is to protect my application (it is located in the Vulture DMZ), so that for any request entering my website: pfSense transfers the traffic from my physical machine (192.168.1.0/24) to the Vulture DMZ (192.168.205.1);
- after applying some rules, Vulture sends the traffic to dmzWeb (pfSense transfers the traffic from the Vulture DMZ to dmzweb);
- if the request needs to access the database, it goes from dmz web to dmzGreensql (it is a database firewall that analyzes the request and transfers it to the dmz bd). pfSense also transfers this traffic.
I hope you understand what I mean exactly.
-
See my edit, I added a picture.
So is Vulture just SSO or is it a reverse proxy?
-
Yes, your picture is correct and that's exactly what I mean. Now just to make the rules for the traffic as I told you before in the flow matrix.
Vulture is an application firewall effectively protecting web applications.
Based on reverse proxy technology, Vulture is a barrier between applications and the outside world.
-
For your question about X.X.X.?, I use DHCP, so it takes an IP automatically.
-
That is NOT a good idea for something you're going to be using as a proxy ;) Servers should always have the same address; set a reservation if you want. For starters, it's easier to write the rule(s) if you know what IPs to send all to and from.
-
So how can I configure it? Can you explain it to me please :) Thanks for all your answers.
-
Well, in pfSense just set an IP via its MAC (a reservation, sometimes known as static DHCP), or on the machine itself just set a static IP.
Go to the bottom of the page for your DHCP server and set a static mapping.
See for example, here are mine for my LAN segment.
-
Yes, I understand, but my problem until now is how to work with the traffic!
How do I configure pfSense and traffic management as in the architecture I sent you?
What should I do on the interface for Zone 1, the interface … Zone 7?
-
Well, from z1 to whatever proxy, you would create a port forward to the reverse proxy. Then from that zone you would create a rule that allows that reverse proxy to talk to where you want it to talk.
So for example, port forward port 80 to your reverse proxy, then on that interface create a rule that allows its IP to talk to the IP of your webserver on port 80, I would assume. This is going to end up quite convoluted. I have to read up on the 2 pieces of software you want to use; do they normally have more than 1 interface? You're hairpinning these connections: the connection goes back out the same interface it came in. "One-arm bandit" is another term for this, etc.
I can draw up the rules when I get a chance, but having some IPs to work with will make it clearer and easier to understand.
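An added example, not part of the thread and not pfSense code or configuration: the flow matrix posted above, turned into the per-interface rules the replies describe (the first reply's point that OPT interfaces start with no rules and end in an implicit block, and the last reply's point that WAN traffic reaches the proxy through a port forward whose auto-created WAN rule names the internal host). The zone networks, OPT numbers and server addresses are assumptions drawn from the discussion: WAN 192.168.1.3 behind the home router, Vulture DMZ 192.168.205.0/24, database DMZ 192.168.10.0/24, the admin zone on LAN, and the matrix's second "Vulture" row read as the GreenSQL zone that the later posts describe. Servers are given static addresses, as the reply about DHCP reservations advises.

```python
"""Flow matrix -> per-interface pfSense-style rules, evaluated with default deny.

Added example written for this thread, not pfSense code or configuration.
Zone networks, host addresses and OPT numbers are assumptions drawn from the
discussion (RFC1918 "internet" behind the home router, pfSense WAN 192.168.1.3,
Vulture DMZ 192.168.205.0/24, database DMZ 192.168.10.0/24, admin on LAN).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# zone name -> (pfSense interface its hosts enter on, its network)
ZONES = {
    "internet": ("WAN",  "192.168.1.0/24"),
    "vulture":  ("OPT1", "192.168.205.0/24"),
    "web":      ("OPT2", "192.168.20.0/24"),   # assumed
    "greensql": ("OPT3", "192.168.30.0/24"),   # assumed
    "db":       ("OPT4", "192.168.10.0/24"),
    "admin":    ("LAN",  "192.168.2.0/24"),
}

# Server addresses are static (DHCP static mappings), so rules can name them.
HOSTS = {
    "pfsense_wan": "192.168.1.3",
    "vulture": "192.168.205.10", "web": "192.168.20.10",   # assumed
    "greensql": "192.168.30.10", "db": "192.168.10.10",    # assumed
}

WEB = frozenset({80, 443})
MYSQL = frozenset({3306})


@dataclass(frozen=True)
class Rule:
    iface: str                      # interface the rule is attached to (ingress)
    action: str                     # "pass" or "block"
    src: str                        # host or network, CIDR
    dst: str                        # host, network, or "any"
    proto: str = "tcp"              # "tcp", "udp" or "any"
    ports: frozenset = frozenset()  # empty set == any destination port


# WAN port forwards: (proto, port) on the WAN address -> internal host.
# In the GUI, "Filter rule association" adds the matching WAN pass rule,
# written against the *translated* (internal) destination.
FORWARDS = {("tcp", 80): HOSTS["vulture"], ("tcp", 443): HOSTS["vulture"]}

RULES = [
    Rule("WAN",  "pass", "0.0.0.0/0",       HOSTS["vulture"],  "tcp", WEB),    # auto-created by the forwards
    Rule("OPT1", "pass", HOSTS["vulture"],  HOSTS["web"],      "tcp", WEB),    # Zone 3 -> Zone 4
    Rule("OPT2", "pass", HOSTS["web"],      HOSTS["greensql"], "tcp", MYSQL),  # Zone 4 -> Zone 5
    Rule("OPT3", "pass", HOSTS["greensql"], HOSTS["db"],       "tcp", MYSQL),  # Zone 5 -> Zone 6
    Rule("LAN",  "pass", ZONES["admin"][1], "any",             "any"),         # Zone 7: default LAN any/any
]


def matches(rule, iface, src, dst, proto, port):
    """First-match semantics: does this rule apply to a packet entering on iface?"""
    if rule.iface != iface or rule.proto not in (proto, "any"):
        return False
    if ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    return not rule.ports or port in rule.ports


def evaluate(src_zone, src, dst, proto, port):
    """Return "pass" or "block" for the first packet of a new connection.

    Rules live on the interface the traffic *enters*; pfSense is stateful, so
    the reply direction needs no rule. Every interface ends in an implicit block.
    """
    iface = ZONES[src_zone][0]
    if iface == "WAN" and dst == HOSTS["pfsense_wan"]:
        # NAT runs before filtering: rewrite the destination if a forward exists;
        # otherwise the packet stays addressed to the WAN IP and nothing passes it.
        dst = FORWARDS.get((proto, port), dst)
    for rule in RULES:
        if matches(rule, iface, src, dst, proto, port):
            return rule.action
    return "block"


def gui_row(rule):
    """Render a rule the way it reads under Firewall > Rules > <interface>."""
    ports = ",".join(map(str, sorted(rule.ports))) or "*"
    return f"{rule.iface}: {rule.action} {rule.proto} {rule.src} -> {rule.dst} port {ports}"


if __name__ == "__main__":
    for r in RULES:
        print(gui_row(r))
    print(evaluate("internet", "192.168.1.50", HOSTS["pfsense_wan"], "tcp", 443))   # pass
    print(evaluate("internet", "192.168.1.50", HOSTS["pfsense_wan"], "tcp", 3306))  # block
    print(evaluate("web", HOSTS["web"], HOSTS["db"], "tcp", 3306))                  # block: must go via GreenSQL
```

Each non-empty cell of the matrix becomes exactly one pass rule on the source zone's interface, and the blank cells need no rule at all because of the implicit block. Two consequences worth checking against the matrix: the database is reachable only from GreenSQL, so the web server cannot skip the SQL firewall even though both are on the "private side"; and the matrix has no cell from any DMZ to the internet, so the DMZ hosts would get no DNS or updates until a rule such as "pass from the DMZ net to anything except LAN net" is added, which is the trade-off the first reply and the "what ports? DNS?" question were pointing at. The model also answers the TCP-or-UDP question literally: a UDP/3306 attempt is blocked because the rules say tcp.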