Outbound traffic from DMZ not routing to Internet



  • I've been banging my head against the wall on this issue for a couple of days and need some help. I am running 1.2 RC4 (just upgraded from RC3) on a Jetway C7 mobo with a 3x Gbps LAN daughterboard. I am using WAN, LAN, and OPT1 (DMZ) interfaces.

    Almost everything works, except that I have an intermittent problem with outbound traffic from the DMZ. I have a server in the DMZ right now. I can connect to OpenVPN on the firewall and get into my server via SSH and VNC no problem, but the server can't get out to the Internet. I have firewall rules set up the way I think they should be to allow outbound traffic, but nothing works. I can get to the firewall from the DMZ, but not past it.

    The weirdest part of the problem is that sometimes it works. Last night I was trying to debug the problem, and all of a sudden it started routing out. I was in the middle of using apt-get on my server to install some new packages, and midway through it just cut out and stopped routing packets. I haven't been able to get outbound traffic going since then. I took a laptop and plugged it into the DMZ subnet to check if the issue was with the server, but the laptop couldn't route traffic either.

    Here are my DMZ firewall rules:

    I am logging packets for the DMZ -> any but LAN rule (which I have duplicated on the WAN if) and it shows the packets being passed. What am I doing wrong?

    FYI, I am new to pfSense. I've used m0n0wall for a few years and wanted to upgrade to pfSense for the extra features.

    EDIT: Routing from LAN outbound works fine. I have the basic LAN -> any rule set up on the LAN if.



  • @http://forum.pfsense.org/index.php/topic:

    If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces), enable Advanced outbound NAT.
    You need to create a rule for every subnet you want NAT'ed.
    Alternatively you can change the source of the single existing rule from LAN to "any", thus NAT'ing everything.
    This might create a problem for FTP with multi-WAN.
    more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

    also:
    @http://forum.pfsense.org/index.php/topic:

    Rules are processed from top to bottom.
    If a rule catches, the rest of the rules are no longer considered.
    By default a "block all" rule is always in place (invisible below your own rules).

    –> all rules below your second rule are useless.



  • @GruensFroeschli:

    @http://forum.pfsense.org/index.php/topic:

    If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces), enable Advanced outbound NAT.
    You need to create a rule for every subnet you want NAT'ed.
    Alternatively you can change the source of the single existing rule from LAN to "any", thus NAT'ing everything.
    This might create a problem for FTP with multi-WAN.
    more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

    I set this up, still no love. I'm still showing the SINGLE:NO_TRAFFIC messages in states.

    also:
    @http://forum.pfsense.org/index.php/topic:

    Rules are processed from top to bottom.
    If a rule catches, the rest of the rules are no longer considered.
    By default a "block all" rule is always in place (invisible below your own rules).

    –> all rules below your second rule are useless.

    I knew the last rule was useless, but I thought rules from any -> DMZ would be used. I take it those rules are irrelevant on the DMZ if.

    If I can't get this sorted out today, I will be more than happy to pay someone to fix it for me. Please hit me off list cfmunster at gmail if interested in helping me retain my sanity.

    Rob



  • UPDATE: I moved the server to the LAN and was able to get out from the server to the Net. Then I changed my 1:1 NAT settings from DMZ addresses to LAN addresses for my server, and I could no longer get out. So it seems the issue is the 1:1 NAT settings. In m0n0wall I used proxy ARP to solve this issue, but I don't see that panel in pfSense. What should I do?

    UPDATE: Ah, I got it. Proxy ARP is under Virtual IPs in pfSense. All working now.
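The following is an added example, not code from the thread or from the pfSense project: a small Python model of the three points this thread turns on. Interface rules are evaluated top to bottom with first match winning and an invisible block at the end; a packet the filter passes but that no outbound NAT rule covers leaves with its private source address, so no reply returns and the state table shows a one-sided SINGLE:NO_TRAFFIC entry; and a 1:1 NAT mapping to a spare public address only works if the firewall answers ARP for that address (the Proxy ARP virtual IP the last update found). Every subnet, address, rule and name below is constructed for illustration, and the model approximates pf behaviour rather than reproducing its code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example (not the poster's real networks).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
INTERNAL = (LAN_NET, DMZ_NET)                       # destinations that need no NAT
WAN_IP = ipaddress.ip_address("203.0.113.10")      # firewall's own WAN address
EXTRA_IP = ipaddress.ip_address("203.0.113.11")    # spare public IP used for 1:1 NAT
DMZ_HOST = ipaddress.ip_address("192.168.2.10")    # the server in the DMZ
DMZ_PEER = ipaddress.ip_address("192.168.2.20")    # another DMZ host
LAN_HOST = ipaddress.ip_address("192.168.1.5")
NET_HOST = ipaddress.ip_address("198.51.100.1")    # stands in for an Internet host


@dataclass
class Packet:
    iface: str                  # interface the packet ENTERS the firewall on
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


@dataclass
class FilterRule:
    iface: str
    action: str                 # "pass" or "block"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    dst_negate: bool = False    # True models "any but <dst>"
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if pkt.iface != self.iface:
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        hit = self.dst is None or pkt.dst in self.dst
        return (not hit) if self.dst_negate else hit


def first_match(rules, pkt):
    """Interface rules as pfSense evaluates them: top to bottom, first match
    wins, and an invisible 'block all' sits after the last user rule."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "implicit default block"


def translate_source(pkt, one_to_one, nat_rules):
    """Outbound source selection on WAN: a 1:1 NAT entry for the host wins,
    otherwise the first outbound NAT rule whose subnet contains the source.
    Returns None when the packet would leave with its private source intact."""
    if pkt.src in one_to_one:
        return one_to_one[pkt.src]
    for subnet, ext in nat_rules:
        if pkt.src in subnet:
            return ext
    return None


def simulate(pkt, rules, nat_rules, one_to_one=None, virtual_ips=frozenset()):
    """Describe the verdict and the state-table entry the packet would produce."""
    one_to_one = one_to_one or {}
    action, name = first_match(rules, pkt)
    result = {"verdict": action, "rule": name, "src_on_wire": str(pkt.src)}
    if action == "block":
        result["state"] = "none"
        return result
    if any(pkt.dst in net for net in INTERNAL):
        result["state"] = "established"          # internal hop, no NAT involved
        return result
    ext = translate_source(pkt, one_to_one, nat_rules)
    if ext is None:
        # The firewall log shows the packet as passed, yet nothing comes back:
        # the reply is addressed to an RFC1918 source the Internet cannot route.
        result["state"] = "SINGLE:NO_TRAFFIC (no outbound NAT for this subnet)"
    elif ext != WAN_IP and ext not in virtual_ips:
        # 1:1 NAT rewrote the source, but nobody on the WAN segment answers ARP
        # for that address, so the upstream router cannot deliver the reply.
        result["src_on_wire"] = str(ext)
        result["state"] = "SINGLE:NO_TRAFFIC (no Proxy ARP virtual IP for %s)" % ext
    else:
        result["src_on_wire"] = str(ext)
        result["state"] = "established (replies return to the firewall)"
    return result


# Constructed DMZ ruleset mirroring the thread's description.
DMZ_RULES = [
    FilterRule("dmz", "pass", DMZ_NET, LAN_NET, dst_negate=True,
               name="pass DMZ -> any but LAN"),
    FilterRule("dmz", "pass", None, DMZ_NET, name="pass any -> DMZ"),  # never reached
]
AUTO_NAT = [(LAN_NET, WAN_IP)]                         # automatic outbound NAT: LAN only
ADVANCED_NAT = [(LAN_NET, WAN_IP), (DMZ_NET, WAN_IP)]  # one rule per subnet

if __name__ == "__main__":
    out = Packet("dmz", DMZ_HOST, NET_HOST)
    print(simulate(out, DMZ_RULES, AUTO_NAT))
    print(simulate(out, DMZ_RULES, ADVANCED_NAT))
    print(simulate(out, DMZ_RULES, ADVANCED_NAT, {DMZ_HOST: EXTRA_IP}))
    print(simulate(out, DMZ_RULES, ADVANCED_NAT, {DMZ_HOST: EXTRA_IP}, {EXTRA_IP}))
    print(simulate(Packet("dmz", DMZ_HOST, DMZ_PEER), DMZ_RULES, AUTO_NAT))
```

Running the block walks the same DMZ host through the four configurations in the order the thread tried them: filter passes but automatic NAT covers only LAN (one-sided state), an outbound NAT rule for the DMZ subnet added (works), 1:1 NAT to the spare address with no virtual IP (one-sided again), and the same 1:1 mapping with a Proxy ARP virtual IP (works). The last line shows that a DMZ-to-DMZ packet is caught by the first rule, which is why the "any -> DMZ" rule beneath it never sees traffic.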


Locked