Netgate Discussion Forum
Failure to connect to the internet from the DMZ

Category: Virtualization | 42 posts, 2 posters, 9.8k views
henze:

Thank you for all :) Good man

henze:

Hello,
I tried to make these rules but it didn't work as I wanted.
Can you show me a screen capture for some zones (WAN, DMZ vulture, DMZ web, DMZ GreenSQL …)?
Thanks

johnpoz (LAYER 8 Global Moderator):

Do you have IPs yet? Or do you want me to just make them to the whole zone?

OK, let's call your vulture box 192.168.206.100 because you need an IP to forward to.

OK, so this is clean pfsense out of the box.. I set up the interfaces to reflect your zone numbers. Per my drawing, notice no Z1 because that is the internet.. Keep in mind you will have to forward 80 to your pfsense WAN IP.. 192.168.1.x in your drawing.

So see the attachments, you have your default rules out of the gate.. Nothing on WAN, or any of your other segments. Only the first LAN segment has an any/any rule by default. This works and does not need to be changed. This is where your admin station is.

Now you need to create your NAT (port forward) to your vulture reverse proxy. This creates a WAN rule to allow that traffic - let's say the vulture box is 206.100.

You then allow vult to talk to your web server network.
You then allow web to talk to green (db proxy).
You then allow green to talk to db.

This is a pretty convoluted setup and pretty pointless if you ask me.. You're hairpinning a lot of connections. Since your proxies only have 1 interface? If you had the ports and the IP we could lock the rules down more. But the below rules allow traffic between the segments as I understand what you want to do. TCP only..

Keep in mind there are no rules to allow any sort of DNS.. So not sure how your boxes are resolving other devices they need to get to.. If pfsense is going to have all the FQDNs you need to resolve then you would need rules on all the interfaces to allow DNS 53 (tcp/udp) to the pfsense interface on that segment. But with all your proxy use, I would assume you're pointing directly to IPs, etc.

I would never set it up like this.. I would put my reverse proxies in the "dmz", let's call it dmz external. Then with another interface on these proxies I would put those in say a dmz internal segment. This prevents the hairpinning, creates fewer segments.

Attachments: Lan_z7.png, Wan_Z2-everyotherzone.png, toproxy.png, wanruleallowproxyaccess.png, vulttoweb.png, webtogreen.png, greentodb.png

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

henze:

Thanks;
in each DMZ (zone) I have just one. For example in dmzWeb I had (192.168.206.2: URL of my web application), dmz vulture (just the proxy vulture, which had the IP 192.168.205.131).
The reverse proxy had a listening interface 192.168.205.131 and it connects to the web application (192.168.206.2).
For all the DMZs I use DHCP! Is it correct, or should I put an appointed address, because in this zone I have just one?
In my architecture do I need to work with DNS? I think not.
For every zone should I let traffic go to the net? So how can I make this, because sometimes if I need to modify the data I should have access to the internet from every zone.
After all the rules, must I block any any?

johnpoz:

Well, to add internet for each zone: create an alias for your zones, and then create a rule that says ! alias (not). See my attached dmz rules, where I allow dmz to talk to my NTP server on LAN. And in the next rule I allow it to go anywhere else it might want, as long as it's not my local networks.

Then put this rule below your allow rule for the zone you want to allow. Rules go from top to bottom; the first rule to trigger wins.

So if your vult box for example is going to your web zone - bam, that rule hits and says allow/pass - there you go. If you're say going to 8.8.8.8 (Google DNS) then that rule you have would not fire and default deny would block. If you have more rules below and one says hey you can go anywhere you want as long as NOT these networks (your local networks) then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in your alias that you put a NOT on with !

Attachment: aliasnotlocals.png


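The rule-ordering point johnpoz makes above (top to bottom, first match wins, and a destination "! alias" rule that passes everything except the local networks) can be checked offline with a small simulator. This is an added example, not code from the thread or from pfSense itself. The segment addresses and host IPs are the ones given in the thread; the ports, the "vult to web" / "dns to pfsense" rule names and the pfSense address on the vulture segment (192.168.205.1) are assumptions. It also includes the later point in the thread that a separate 8.8.4.4 rule placed below the ! rule can never fire.

```python
"""
Added example, not code from the forum thread or from pfSense: a small
simulator of how an interface rule set is evaluated top to bottom, first match
wins, including a destination "! alias" (NOT) rule that passes traffic to
anything except the local networks. Segment addresses and host IPs come from
the thread; ports and the pfSense address on the vulture segment are assumed.
"""
import ipaddress
from dataclasses import dataclass, field

# Alias of local networks, written as wire addresses (host bits zero).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.1.0/24",    # WAN side, private because of the double NAT in the thread
    "192.168.205.0/24",  # dmzvulture (reverse proxy)
    "192.168.206.0/24",  # dmzweb
    "192.168.10.0/24",   # dmzgreensql
    "192.168.11.0/24",   # dmzbd (database)
)]


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "tcp", "udp" or "any"
    dst_nets: list                # networks; an empty list means "any destination"
    dst_ports: set = field(default_factory=set)  # empty set means "any port"
    negate_dst: bool = False      # the NOT checkbox: match when dst is NOT in dst_nets
    descr: str = ""

    def matches(self, proto, dst, dport):
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_ports and dport not in self.dst_ports:
            return False
        in_nets = any(dst in n for n in self.dst_nets) if self.dst_nets else True
        return (not in_nets) if self.negate_dst else in_nets


def net(s):
    return ipaddress.ip_network(s)


# Rules on the dmzvulture interface, in the order johnpoz describes:
# 1) the reverse proxy may reach the web zone,
# 2) it may use DNS on the pfSense address of its own segment (assumed .1),
# 3) it may go anywhere that is NOT a local network, i.e. the internet,
# 4) a rule for 8.8.4.4 placed below the ! rule, which can never fire,
# then pfSense's implicit default deny.
DMZVULTURE_RULES = [
    Rule("pass", "tcp", [net("192.168.206.0/24")], {80, 443}, descr="vult to web"),
    Rule("pass", "any", [net("192.168.205.1/32")], {53}, descr="dns to pfsense"),
    Rule("pass", "any", LOCAL_NETS, negate_dst=True, descr="internet (! local nets)"),
    Rule("pass", "tcp", [net("8.8.4.4/32")], {80, 443}, descr="8.8.4.4 (shadowed)"),
]


def evaluate(rules, proto, dst, dport):
    """Return (action, rule description) of the first matching rule, or the default deny."""
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action, rule.descr
    return "block", "default deny"


def shadowed_rules(rules, samples):
    """Descriptions of rules that none of the sample flows ever reach (a cheap rule-order lint)."""
    hit = {evaluate(rules, *s)[1] for s in samples}
    return [r.descr for r in rules if r.descr not in hit]


# Constructed sample flows leaving the dmzvulture segment.
SAMPLE_FLOWS = [
    ("tcp", "192.168.206.2", 80),    # proxy to the web application
    ("udp", "192.168.205.1", 53),    # proxy asking pfSense for DNS
    ("udp", "8.8.8.8", 53),          # proxy asking Google DNS directly
    ("tcp", "8.8.4.4", 80),          # hits the ! rule, not the 8.8.4.4 rule below it
    ("tcp", "192.168.11.2", 3306),   # proxy straight to the database: default deny
    ("udp", "192.168.206.2", 53),    # DNS to the web server: no rule, default deny
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:3} -> {flow[1]:16}:{flow[2]:<5} {evaluate(DMZVULTURE_RULES, *flow)}")
    print("never matched:", shadowed_rules(DMZVULTURE_RULES, SAMPLE_FLOWS))
```

Running it shows the proxy reaching the web zone and the internet while a direct hop to the database segment falls through to the default deny, and that the 8.8.4.4 rule never matches anything because the ! rule above it already passed that traffic.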
henze:

I didn't understand very well what you said to me (So if your vult box for example is going to your web zone - bam, that rule hits and says allow/pass - there you go. If you're say going to 8.8.8.8 (Google DNS) then that rule you have would not fire and default deny would block. If you have more rules below and one says hey you can go anywhere you want as long as NOT these networks (your local networks) then any IP in that segment would be able to go to 8.8.8.8 or anywhere else on the internet that does not = what is in your alias that you put a NOT on with !)

I understand: for example for dmz vulture I create rules:
* pass to dmz web (access to my web application)
* pass to alias (8.8.8.8) DNS of Google: with this rule I can access the internet
* block any any

Are these correct? In this order?

johnpoz:

Dude, this is not rocket science here.. Create an alias that has your other networks in it – see my picture.

Put it after the rule that says it can go to the web zone.

Now it cannot go to any of those networks because it's a ! rule, i.e. I only allow you to pass if it's ! one of these networks. Or you could create individual rules doing the same thing.

Keep in mind this is an example - you probably want to let it talk to your pfsense interface in that zone for DNS.

Attachment: alias.png


henze:

Hello,
when I create an alias, how can I put ! alias in the rules?
I had fixed some IPs:
reverse proxy vulture 192.168.205.132
server web 192.168.206.2
server database 192.168.11.2
server GreenSQL 192.168.10.2
After that I made the configuration of the NAT like the picture that you sent me
and I tried to make rules from dmz vulture to dmz web (I disabled the rules that I made before).
See here my attachments.
But I can't access either dmz web or the internet.

Attachment: dmzvulture.PNG

johnpoz:

Where is a rule that lets it go to the internet? All you have there is go to 8.8.4.4/27 – where did you come up with /27?? That is their Google DNS address, kind of ;) But you don't allow DNS - you only allow 80 and 443 TCP. DNS would be 53 UDP and TCP.

And you allow it to 1 public IP, but it looks like you tried to call it a network - but .11/24 is a HOST address, not a network address.. How in the hell would that be the internet? And your double NAT zone cable modem IP.. Again, how would it go to say www.yahoo.com at

C:>ping www.yahoo.com

Pinging ds-any-fp3-real.wa1.b.yahoo.com [98.138.252.30] with 32 bytes of data:

For starters it cannot look it up in the first place, and then you have no rules allowing it to go to that IP even if it could look it up.

Clicking the NOT check box is how you get the ! to show up.

Attachment: rulesnot.png


henze:

Thanks a lot, now I have configured it correctly.
Now I would like to access my application (Monapp.com) from the WAN interface. So I also created one virtual machine which had (192.168.1.50/24) but I can't access my application!!
Note: I had put the NAT on the WAN interface.
What rules should I add?

johnpoz:

And where are you trying to access it from? The internet - did you forward that on your other router? So where is this VM, on your segment between your first NAT and pfsense?

What IP are you trying to access from this client? What do your forwards look like?


henze:

All my work is in VMware, where I installed pfsense and a machine for the administrator, a machine for the web server, a machine for the reverse proxy server vulture, a machine for GreenSQL, and a machine for the database server (MySQL),
and from pfsense I created 4 segments: dmzweb, dmzvulture, dmzgreensql, dmzbd, and of course I had LAN (administrator) and the WAN interface.
Now I would like to access my application from the WAN interface. So I installed another machine in the same VMware, and for its network I use the same virtual network as for WAN:
wan (192.168.1.3/24)
newmachine (192.168.1.50/24)
I would like to be able to access my application (Monapp.com) from this new machine.

johnpoz:

And again - what does your forward look like, and your WAN rules in pfsense - when you created the forward it should have auto-created the WAN rule.

And since your WAN is private - did you turn off block private networks, which is on by default?

Also, a problem users have quite often with forwarding traffic is the local firewall on the host they are forwarding to, etc.

Please post your NAT, your WAN rules and ipconfig or ifconfig/network settings from the box you're forwarding to.


henze:

OK, see my attachments

Attachments: NAT.PNG, wan.PNG, administrateur.PNG, dmzvulture.PNG, dmzbd.PNG, dmzgreensql.PNG

johnpoz:

OK, your NAT and WAN look ok - what IP are you trying to access.. You do understand you have to access the pfsense WAN IP, not the IP of your vult or web server.

Also, what is in your aliases – There is no reason to have an 8.8.4.4 rule if you allow it to go to the internet because you NOT your local networks.. Please post what is in your aliases.

And what are your rules in dmzweb? Just to have a full listing.


henze:

I use 8.8.4.4 just to access the net.
Yes, I try 192.168.1.3 (WAN IP) because I know that with NAT it will take me to the dmz vulture.

Attachments: alias.PNG, dmzweb.PNG

johnpoz:

Well, in your aliases those are not networks.. A network would be 192.168.1.0/24; when you use the one it would be how you describe a host address. If you wanted to clearly say it's an IP then /32 would be the mask. Networks are always the wire address of the network; with a /24 the last octet would always be 0.

My point of asking about 8.8.8.4 is why do you have that rule - it's pointless..

Does 8.8.8.4 fall into any of your NOT rule there? NO, so it would be allowed, and that rule below your ! rule is pointless and would never be seen.

Also, your proxy is listening on 80? Seems odd – so you're hitting from a box on your 192.168.1.0/24 network, let's say .100, and he opens his browser and goes to http://192.168.1.3, and that gets forwarded to your proxy (vulture) that says hey I want to go to http://192.168.1.3 -- why would he send that over to your web server on 192.168.206.2??

I would have to read up on this vulture software - but for something like this to work, you would have to have your client on your 192.168.1.0/24 network resolve http://www.domain.tld to 192.168.1.3, then your proxy should resolve www.domain.tld to 192.168.206.2.. (your web server)


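The host-versus-network point in the post above (an alias entry like 192.168.1.3/24 names a host, the wire address 192.168.1.0/24 names the network, and /32 is the unambiguous way to name one IP) is exactly the kind of thing worth linting before an alias goes into a ! rule. The checker below is an added example, not the thread's or pfSense's code; it uses the thread's addresses as constructed sample entries, and the alias name "local_nets" is made up.

```python
"""
Added example, not code from the thread or from pfSense: a checker for the
entries of a "local networks" alias, applying johnpoz's rule that a network
entry is the wire address (host bits zero, so a /24 ends in .0) and that a
single host is clearest as /32. Sample entries are built from addresses in the
thread; the alias name is made up.
"""
import ipaddress


def classify_alias_entry(entry: str) -> dict:
    """
    Classify one alias entry as 'network', 'host' or 'host-bits-set'.
    For the last kind, return both readings so the user can pick the one meant.
    """
    text = entry if "/" in entry else entry + "/32"   # a bare IP is one host
    iface = ipaddress.ip_interface(text)
    result = {"entry": entry, "kind": None, "as_network": None, "as_host": None}
    if iface.network.prefixlen == iface.max_prefixlen:
        result.update(kind="host", as_host=f"{iface.ip}/{iface.max_prefixlen}")
        return result
    try:
        # strict=True refuses 192.168.1.3/24 because host bits are set under the mask
        net = ipaddress.ip_network(text, strict=True)
        result.update(kind="network", as_network=str(net))
    except ValueError:
        result.update(kind="host-bits-set",
                      as_network=str(iface.network),
                      as_host=f"{iface.ip}/{iface.max_prefixlen}")
    return result


def lint_alias(name: str, entries: list) -> list:
    """Return one message per ambiguous entry; an empty list means the alias is clean."""
    problems = []
    for e in entries:
        c = classify_alias_entry(e)
        if c["kind"] == "host-bits-set":
            problems.append(
                f"{name}: '{e}' has host bits set under its mask; "
                f"use {c['as_network']} for the network or {c['as_host']} for the host"
            )
    return problems


# Constructed sample alias: the thread's segments, two of them written the
# ambiguous way (a host address with a /24 mask) and one bare host for GreenSQL.
LOCAL_NETS_ALIAS = [
    "192.168.1.3/24",      # pfSense WAN address with /24: ambiguous
    "192.168.205.0/24",    # dmzvulture, correct wire address
    "192.168.206.2/24",    # web server with /24: ambiguous
    "192.168.10.2",        # GreenSQL host, bare IP = /32
    "192.168.11.0/24",     # dmzbd, correct
]

if __name__ == "__main__":
    for msg in lint_alias("local_nets", LOCAL_NETS_ALIAS):
        print(msg)
```

The same check applies to any alias fed into a NOT rule: an entry that pf would silently read as a whole /24 when you meant one host (or the reverse) changes what "everything except my local networks" actually allows, so it is worth catching before the rule is saved.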
henze:

So in the ! alias I should make them x.x.x.0? To be a network??
If I didn't put 8.8.4.4 in all the DMZ interfaces then I couldn't access the net :( That's why I added it, to be able to surf the net.
About the reverse proxy: it can have many interfaces, each one connecting to an application.
interface 192.168.205.2 ----> application 192.168.206.2

Yes, my client has 192.168.1.50.
Now I would like the 192.168.1.0/24 network to resolve http://www.domain.tld to 192.168.1.3, then the proxy should resolve www.domain.tld to 192.168.206.2!
How can I make it? And what rule should I add??
Thanks

johnpoz:

There is no rule to add for resolving - what do your clients on 192.168.1.0 use for DNS? This needs to resolve www.domain.tld to your 192.168.1.3 - and if your devices on your vulture network use pfsense then you need to create a host override in the DNS forwarder. Or you could use hosts files.

Your rule that says !youralias networks allows them to go anywhere else BUT there, so that rule allows them to go to 8.8.4.4.

Yes, you should make them x.x.x.0/24 to be a network.

Yes, the reverse proxy needs to be able to resolve the web server's IP for any domains you will be hosting.


henze:

Thank you for all your help :)
I use 192.168.1.1 (DNS for my client).
If I configure the hosts file (in Debian, nano /etc/hosts), should I add the host of the WAN 192.168.1.3, or of my application 192.168.206.2, or that of vulture?
