Simple Setup with LAN, DMZ and WAN - Connection Problems



  • Hi,
    I am new to this forum and also new to pfsense. But it really seems to be a nice firewall system with many opportunities.

    My pfsense is a kvm guest with three virtio network devices. DMZ is realized over a virtual switch, which is also connected to the other kvm guests.

    pfsense 2.1.4 (I tried amd64 and i386)
    WAN is PPPoE
    LAN is DHCP with IP address 10.0.1.1/24
    DMZ has no DHCP but static IP address 172.16.0.1/24

    Now I have a problem with the connection of the kvm guests (Debian based, so no Windows firewall could do strange things) to the Internet. Ping to Internet hosts is no problem (for example the Google DNS server 8.8.8.8). Ping also works for domain names (google.com). But when I try a real connection (e.g. wget google.com), no connection can be established.

    The firewall rule which I created for the DMZ device is the following (same pattern as the LAN standard rule):
    Source: DMZ net
    Destination: *
    Ports: *

    Afterwards I will of course need to lock down this rule, but first I would like to get it running. Does anybody here have any idea why the connection does not work but the ping can be sent and received?


  • Banned

    Enable outbound NAT for the DMZ interface...

    Then it works



  • Thank you for your fast reply. I had automatic NAT enabled but have now changed to manual NAT. The result is still the same: not working. Maybe I should have mentioned that I also have a problem connecting from LAN to DMZ (e.g. SSH or HTTP), but ping is also working.

    I made a screenshot of the NAT rules, maybe it will help.

    Cheers,
    dubitat



  • Banned

    Have you enabled outbound rules for the DMZ interface under Firewall -> Rules -> DMZ?



  • Yes, I made a screenshot of the rule. Without this rule, ping also does not work.

    Cheers,
    dubitat



  • Banned

    What do your interfaces look like?

    Any gateways configured under routing and DMZ/LAN set to none?



  • No, both gateways are set to none (see screenshots). The two checkboxes below that screenshot are unchecked in both interfaces.

    Thank you for your help so far.

    Cheers,
    dubitat





  • Banned

    Where are you based?



  • In Germany. Is there any locale setting which I forgot to set?


  • Banned

    No... I just wanted to take a look via TeamViewer and see if we missed something



  • Well, I do not think that we missed something, because it is a fresh installation and I only configured the DMZ, LAN and WAN devices. Do you think it could also be a KVM problem and not related to pfsense? But I have no idea how to check that. The connection between two virtual servers in the same subnet (172.16.0.0/24) works without any problems. (I tested ping and HTTP.)


  • Banned

    Could be…



  • Do you think trying 2.2 Alpha could help? Because I am new to pfsense I don't know whether I could use those images in a productive (home) environment.


  • Banned

    2.1.4 should work fine.

    Why is not obvious…



  • The interesting thing is that the packet filter (when I activate logging of firewall packets) passes the packets.

    There is another topic in this forum in which someone has a problem with DMZ and Internet connection (same error as mine). They also did not find any solution, but he also could not send any pings, so I hoped that my problem is different.

    Cheers,
    dubitat