    Outbound traffic from DMZ not routing to Internet

    Firewalling
    4 Posts 2 Posters 37.9k Views
    • CFMunster

      I've been banging my head against the wall on this issue for a couple of days and need some help. I am running 1.2 RC4 (just upgraded from RC3) on a Jetway C7 mobo with a 3x Gbps LAN daughterboard. I am using WAN, LAN, and OPT1 (DMZ) interfaces.

      Almost everything works, except that I have an intermittent problem with outbound traffic from the DMZ. I have a server in the DMZ right now. I can connect to OpenVPN on the firewall and get into my server via SSH and VNC no problem, but the server can't get out to the Internet. I have firewall rules set up the way I think they should be to allow outbound traffic, but nothing works. I can get to the firewall from the DMZ, but not past it.

      The weirdest part of the problem is that sometimes it works. Last night I was trying to debug the problem, and all of a sudden it started routing out. I was in the middle of using apt-get on my server to install some new packages, and midway through it just cut out and stopped routing packets. I haven't been able to get outbound traffic going since then. I took a laptop and plugged it into the DMZ subnet to check if the issue was with the server, but the laptop couldn't route traffic either.

      Here are my DMZ firewall rules:

      I am logging packets for the DMZ -> any but LAN rule (which I have duplicated on the WAN if) and it shows the packets being passed. What am I doing wrong?

      FYI, I am new to pfSense. I've used m0n0wall for a few years and wanted to upgrade to pfSense for the extra features.

      EDIT: Routing from LAN outbound works fine. I have the basic LAN -> any rule set up on the LAN if.

      • GruensFroeschli

        @http://forum.pfsense.org/index.php/topic:

        If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces), enable Advanced outbound NAT.
        You need to create a rule for every subnet you want NAT'ed.
        Alternatively you can change the source of the single existing rule from LAN to "any", thus NAT'ing everything.
        This might create a problem for FTP with multi-WAN.
        More here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

        also:
        @http://forum.pfsense.org/index.php/topic:

        Rules are processed from top to bottom.
        If a rule catches, the rest of the rules are no longer considered.
        By default a "block all" rule is always in place (invisible below your own rules).

        -> all rules below your second rule are useless.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

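As an added illustration (not from the thread or from pfSense itself), the following Python model runs the two checks GruensFroeschli describes against a constructed rule set: first-match evaluation of the interface rules with the hidden default block, then the outbound NAT lookup that decides whether a DMZ packet leaves the WAN with a usable source address. Addresses and rule names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str             # "pass" or "block"
    src: str                # CIDR the packet source must fall in ("0.0.0.0/0" = any)
    dst: str                # CIDR the destination must fall in
    invert_dst: bool = False  # "any but <dst>" style negation

@dataclass
class NatRule:
    src: str                # source subnet that gets translated on the WAN
    to: str                 # address the source is rewritten to (WAN IP or a VIP)

# Constructed sample addressing (not the poster's real networks)
LAN = "192.168.1.0/24"
DMZ = "192.168.2.0/24"
WAN_IP = "203.0.113.10"

def match(rule, src, dst):
    s = ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
    d = ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
    return s and (not d if rule.invert_dst else d)

def evaluate(rules, src, dst):
    """pfSense-style: rules are tried top to bottom, the first match decides,
    and if nothing matches the invisible default block applies."""
    for index, rule in enumerate(rules):
        if match(rule, src, dst):
            return rule.action, index
    return "block", None

def outbound_nat(nat_rules, src):
    """Return the translated source, or None if no outbound NAT rule covers
    the subnet (the packet then leaves with its private source and replies
    never come back; the translated address must also be one the firewall
    answers ARP for, which is what a proxy-ARP virtual IP provides)."""
    for nat in nat_rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(nat.src):
            return nat.to
    return None

def dmz_to_internet(rules, nat_rules, src, dst):
    action, _ = evaluate(rules, src, dst)
    if action != "pass":
        return "blocked by firewall"
    translated = outbound_nat(nat_rules, src)
    return "passed but not NATed" if translated is None else f"passed, NATed to {translated}"

# Constructed DMZ rule set: "DMZ -> any but LAN", then an "any -> DMZ" rule
# that can never decide an outbound packet whose source is in the DMZ.
DMZ_RULES = [Rule("pass", DMZ, LAN, invert_dst=True), Rule("pass", "0.0.0.0/0", DMZ)]
```

With only a LAN outbound NAT rule the DMZ packet passes the firewall but is never translated; adding a NAT rule for the DMZ subnet fixes it, while DMZ-to-LAN traffic still falls through to the default block.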
        • CFMunster

          @GruensFroeschli:

          @http://forum.pfsense.org/index.php/topic:

          If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces), enable Advanced outbound NAT.
          You need to create a rule for every subnet you want NAT'ed.
          Alternatively you can change the source of the single existing rule from LAN to "any", thus NAT'ing everything.
          This might create a problem for FTP with multi-WAN.
          More here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

          I set this up, still no love. I'm still showing the SINGLE:NO_TRAFFIC messages in states.

          also:
          @http://forum.pfsense.org/index.php/topic:

          Rules are processed from top to bottom.
          If a rule catches, the rest of the rules are no longer considered.
          By default a "block all" rule is always in place (invisible below your own rules).

          -> all rules below your second rule are useless.

          I knew the last rule was useless, but I thought rules from any -> DMZ would be used. I take it those rules are irrelevant on the DMZ if.

          If I can't get this sorted out today, I will be more than happy to pay someone to fix it for me. Please hit me off list cfmunster at gmail if interested in helping me retain my sanity.

          Rob

          • CFMunster

            UPDATE: I moved the server to the LAN and was able to get out from the server to the Net. Then I changed my 1:1 NAT settings from DMZ addresses to LAN addresses for my server, and I could no longer get out. So it seems the issue is the 1:1 NAT settings. In m0n0wall I used proxy ARP to solve this issue, but I don't see that panel in pfSense. What should I do?

            UPDATE: Ah, I got it. Proxy ARP is under Virtual IPs in pfSense. All working now.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.