Dual Wan - Static IPs - DNS howto for DMZ help



  • Hello everybody!

    I ask for some help in configuring this scenario. I looked a lot in the forum but nothing could help me.
    I'd like to try pfsense for its built-in multi-WAN capabilities instead of the actual Cisco and other expensive stuff  ;)
    Maybe this can be useful like a tutorial also for someone else :P

    Great product with great functionality anyway! :)
    Thanks.

    ------------
    Configuration

    PFSENSE 1.2RC3 + DNSpackage not configured yet

    WAN 89.xxx.xxx.126
    WAN1 81.xxx.xxx.50
    LAN 192.168.0.xxx
    DMZ 192.168.1.xxx

    DNS1 213.xxx.xxx.43 (wan isp dns)
    DNS2 151.xxx.xxx.100 (wan1 isp dns)

    NAT rules for port forward created
    (for example):
    Interface | Proto | Ext. port | NAT IP       | Int. port
    wan       | tcp   | 80        | 192.168.1.1  | 80
    wan1      | tcp   | 80        | 192.168.1.1  | 80
    wan1      | tcp   | 25        | 192.168.1.2  | 25
    wan1      | tcp   | 110       | 192.168.1.2  | 110


    needs & problem

    needs:
    let servers in DMZ expose their services (http, pop3, smtp), some on WAN connection, others on WAN1.    ----PARTIALLY WORKING----
    let servers in DMZ expose http service through WAN or WAN1 (ex. websitehightraffic on WAN, websitelowtraffic on WAN1) ----WORKING----
    let servers in DMZ do DNS resolution in order to use SMTP correctly for sending emails through one connection (ex. WAN1) and access internet. ----NOT WORKING----
    let LAN users access internet through WAN. ----WORKING----
    let LAN users access certain servers in DMZ. ----NOT TESTED YET----

    problem:
    let servers in DMZ do DNS resolution for SMTP usage: servers can't use DNS, internet surfing from servers is not possible, pinging the DNS servers from DMZ is not possible, nslookup is not working, but DNS resolution from LAN is ok.
    I already tried some settings:
    - static routes for every DNS server used
    - a firewall rule on DMZ that permits all outgoing traffic:
      Proto | Source | Port    | Destination | Port | Gateway
      tcp   | DMZnet | all     | Any         | all  | default
      and
      TCP   | DMZnet | 25 SMTP | Any         | all  | WAN1gateway --for having smtp traffic forced on wan1--

    None of these is working and now I'm a little bit confused :'( Maybe somebody can help me with a step by step guide ???
    Thanks,

    Angelo





    Proto | Source | Port    | Destination | Port | Gateway
    tcp   | DMZnet | all     | Any         | all  | default
    and
    TCP   | DMZnet | 25 SMTP | Any         | all  | WAN1gateway --for having smtp traffic forced on wan1--

    should be

    Proto | Source | Port | Destination | Port    | Gateway
    TCP   | DMZnet | all  | Any         | 25 SMTP | WAN1gateway --for having smtp traffic forced on wan1--
    tcp   | DMZnet | all  | Any         | all     | default

    Note the smtp rule should be above the other. The way you had it means that the gateway was default for all packets and the smtp rule would never get used.
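The point made in this reply, as an added example that is not code from the thread or from pfSense: a small Python model of first-match rule evaluation (the way pfSense applies interface rules), run over the rule set as posted and over the corrected one. Beyond the ordering point, it also shows the second defect visible in the posted table: "25 SMTP" sits in the source-port column, so even with the rule on top it would never match an outgoing SMTP session, which uses a random high source port and destination port 25. The network 192.168.1.0/24 stands for DMZnet; the sample packets and port numbers are constructed.

```python
# Added example, not from the thread: a minimal model of first-match rule
# evaluation as pfSense applies it to interface rules. It shows two things about
# the DMZ rule set above: the policy-routing rule must sit above the catch-all,
# and it has to match on the DESTINATION port (25), because an outgoing SMTP
# connection uses a random high SOURCE port.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

DMZ_NET = ip_network("192.168.1.0/24")   # "DMZnet" in the thread


@dataclass(frozen=True)
class Rule:
    proto: str                 # "tcp"; compared case-insensitively
    src: IPv4Network           # source network
    src_port: Optional[int]    # None stands for "all"
    dst_port: Optional[int]    # None stands for "all"
    gateway: str               # "default" or a named gateway, e.g. "WAN1gateway"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    src_port: int
    dst_port: int


def first_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Walk the rule list top to bottom and return the gateway of the first
    rule that matches; None means no rule matched (pfSense would then drop
    the packet under its default deny)."""
    for r in rules:
        if r.proto.lower() != pkt.proto.lower():
            continue
        if pkt.src not in r.src:
            continue
        if r.src_port is not None and r.src_port != pkt.src_port:
            continue
        if r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return r.gateway
    return None


# The rule set as posted: catch-all first, and "25 SMTP" in the SOURCE port column.
ORIGINAL_RULES = [
    Rule("tcp", DMZ_NET, None, None, "default"),
    Rule("TCP", DMZ_NET, 25, None, "WAN1gateway"),
]

# The corrected rule set: SMTP rule first, matching on DESTINATION port 25.
CORRECTED_RULES = [
    Rule("TCP", DMZ_NET, None, 25, "WAN1gateway"),
    Rule("tcp", DMZ_NET, None, None, "default"),
]

# Constructed sample traffic: the DMZ mail host (192.168.1.2) opening an SMTP
# session to a remote MX, the web host fetching a page, and a UDP DNS query.
SMTP_OUT = Packet("tcp", ip_address("192.168.1.2"), 49152, 25)
HTTP_OUT = Packet("tcp", ip_address("192.168.1.1"), 50000, 80)
DNS_OUT = Packet("udp", ip_address("192.168.1.2"), 5353, 53)   # neither set has a UDP rule


def gateway_for(rules: List[Rule], pkt: Packet) -> str:
    """Gateway chosen for pkt, or "blocked" when no rule matches."""
    return first_match(rules, pkt) or "blocked"


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL_RULES),
                        ("original, reordered", list(reversed(ORIGINAL_RULES))),
                        ("corrected", CORRECTED_RULES)):
        print(f"{name:>20}: SMTP -> {gateway_for(rules, SMTP_OUT)}, "
              f"HTTP -> {gateway_for(rules, HTTP_OUT)}, "
              f"DNS/UDP -> {gateway_for(rules, DNS_OUT)}")
```

Running it shows SMTP leaving via "default" for the posted rules in either order, and via "WAN1gateway" only with the corrected rules; the UDP query matches nothing in either set, which is worth keeping in mind when only TCP rules exist on an interface.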



  • Hello everybody,

    thank you so much for your help.

    I'm sure it's something that i've misconfigured and I will try the suggested configuration during weekend.
    Will let you know asap.

    Angelo



  • @sai:

    Proto | Source | Port    | Destination | Port | Gateway
    tcp   | DMZnet | all     | Any         | all  | default
    and
    TCP   | DMZnet | 25 SMTP | Any         | all  | WAN1gateway --for having smtp traffic forced on wan1--

    should be

    Proto | Source | Port | Destination | Port    | Gateway
    TCP   | DMZnet | all  | Any         | 25 SMTP | WAN1gateway --for having smtp traffic forced on wan1--
    tcp   | DMZnet | all  | Any         | all     | default

    Note the smtp rule should be above the other. The way you had it means that the gateway was default for all packets and the smtp rule would never get used.

    Yes, the smtp rule was above the other but it was not correct.

    Anyway, I fixed the problem of DMZ servers not being able to access internet.
    Outbound NAT was enabled but it didn't work. After upgrading to the last stable 1.2 release, it has started to work. ???
    SMTP is working now thanks to DNS resolution made possible by enabling Outbound NAT for DMZ net.

    The only remaining problems are:
    1. FTP is working great but only through the first WAN connection (I've read this limitation will possibly be fixed in a future release… is it? ???)

    2. Servers in DMZ cannot communicate with each other. In particular they cannot relay emails to each other (before, the same scenario with ipcop wasn't a problem...)
      For example:
      SMTP emails sent from domains on mailserver1 to outside world (ex. hotmail.com) are delivered correctly
      SMTP emails sent from domains on mailserver1 to domains on mailserver1 or mailserver2 are NOT delivered.

    I think it's a problem related to internal DNS resolution.
    Dns servers are external, one from each ISP.

    Somebody has any suggestions?

    "DNS forwarder" disabled, "Disable NAT Reflection" unchecked.

    Thank you so much for your help. :)

    Angelo



  • @treenet:

    2. Servers in DMZ cannot communicate with each other. In particular they cannot relay emails to each other (before, the same scenario with ipcop wasn't a problem…)
      For example:
      SMTP emails sent from domains on mailserver1 to outside world (ex. hotmail.com) are delivered correctly
      SMTP emails sent from domains on mailserver1 to domains on mailserver1 or mailserver2 are NOT delivered.

    I think it's a problem related to internal DNS resolution.
    Dns servers are external, one from each ISP.

    Somebody has any suggestions?

    "DNS forwarder" disabled, "Disable NAT Reflection" unchecked.

    Thank you so much for your help. :)

    Angelo

    You are correct, it is a DNS problem. Your DMZ servers are getting the real IP address of each other, but from within the DMZ you cannot access the real IP address; you can only access the private IP address.

    see http://doc.m0n0.ch/handbook/faq-lannat.html or enable NAT reflection



  • Hello Sai,

    thanks for your reply.

    "Disable NAT reflection" is unchecked, so it is enabled. Otherwise I'm not able to access internet from the servers in DMZ nor let SMTP do DNS resolution.

    What I'm not understanding (I'm not very confident with routing :P) is how to make things work, considering that before I was running an ipcop box and servers in DMZ were able to relay traffic locally with the same configuration and almost the same firewall rules that I use now.

    Can the DNS forwarder help me? I've been working on it all day and I'm going mad :'(

    All your help and suggestions or possible workarounds to try will be very appreciated. Thank you. :o



    I have never used the NAT reflection, no help there…

    Say your mailserver is mail90.tree.net with real IP address 200.x.c.v and is NATed to 192.168.4.5 in your DMZ.

    From your DMZ/LAN, when you ping mail90.tree.net you ping IP address 200.x.c.v.

    in the web gui -> click on DNS forwarder ; make sure that it is enabled  [Enable DNS forwarder]

    where it says "Host  Domain  IP  Description" click on a + icon
    enter these settings:
    Host : mail90
    domain: tree.net
    ip address:  192.168.4.5
    desc: mailserver mail90

    Now from your DMZ/LAN, when you ping mail90.tree.net you ping IP address 192.168.4.5.
    Note: in your mailserver your DNS setting should be the pfsense firewall.
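The split-horizon behaviour this post relies on, as an added example that is not code from the thread or from pfSense: a Python model in which the forwarder consults its host override table before anything upstream, so the answer a DMZ host gets depends entirely on which resolver it is configured to ask. The names follow the post (mail90.tree.net, 192.168.4.5); 198.51.100.90 is a constructed stand-in for "200.x.c.v", 203.0.113.43 a constructed stand-in for the ISP resolver, and 192.168.4.1 an assumed pfSense address on the DMZ interface. The `diagnose` function is the check behind the nslookup tests discussed further in the thread: whether the address returned is one that another DMZ host can reach directly.

```python
# Added example, not from the thread: a model of the split-horizon DNS set-up
# described above. pfSense's DNS forwarder answers from its host override table
# first and only otherwise forwards the query upstream, so a DMZ host that asks
# pfSense gets the private address while a host that still asks the ISP
# resolver gets the public one. Constructed stand-ins: 198.51.100.90 for
# "200.x.c.v", 203.0.113.43 for the ISP resolver; 192.168.4.1 is an assumed
# pfSense DMZ address.
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

PFSENSE_DMZ_IP = "192.168.4.1"        # assumed
ISP_RESOLVER = "203.0.113.43"         # constructed stand-in for the ISP DNS
DMZ_NET = ip_network("192.168.4.0/24")

# What public DNS (reached via the ISP resolver) answers: the NATed public address.
PUBLIC_ZONE: Dict[str, str] = {"mail90.tree.net": "198.51.100.90"}

# The forwarder's host override table, keyed (host, domain) as in the GUI form.
HOST_OVERRIDES: Dict[Tuple[str, str], str] = {("mail90", "tree.net"): "192.168.4.5"}


def normalize(fqdn: str) -> str:
    """Lower-case and drop a trailing dot, so lookups are case-insensitive."""
    return fqdn.rstrip(".").lower()


def split_fqdn(fqdn: str) -> Tuple[str, str]:
    """'mail90.tree.net' -> ('mail90', 'tree.net'), matching the override form."""
    host, _, domain = normalize(fqdn).partition(".")
    return host, domain


def forwarder_lookup(fqdn: str) -> Optional[str]:
    """Override table first, upstream second, as the DNS forwarder does."""
    key = split_fqdn(fqdn)
    if key in HOST_OVERRIDES:
        return HOST_OVERRIDES[key]
    return PUBLIC_ZONE.get(normalize(fqdn))


def resolve_from(client_dns: str, fqdn: str) -> Optional[str]:
    """The answer a DMZ host gets, given the resolver it is configured with."""
    if client_dns == PFSENSE_DMZ_IP:
        return forwarder_lookup(fqdn)
    # Any other resolver (the ISP's) knows nothing about the overrides.
    return PUBLIC_ZONE.get(normalize(fqdn))


def diagnose(client_dns: str, fqdn: str) -> str:
    """Is the returned address one that another DMZ host can reach directly?"""
    answer = resolve_from(client_dns, fqdn)
    if answer is None:
        return "no answer"
    if ip_address(answer) in DMZ_NET:
        return f"ok: {answer} is reachable inside the DMZ"
    return (f"public address {answer}: the host is not using the pfSense "
            f"forwarder (or has no override), so reaching it from the DMZ "
            f"would need NAT reflection")


if __name__ == "__main__":
    for resolver in (ISP_RESOLVER, PFSENSE_DMZ_IP):
        print(f"resolver {resolver}: {diagnose(resolver, 'mail90.tree.net')}")
```

A host that still points at the ISP resolver gets the public address no matter how the forwarder is configured, which is why the post insists that the mailserver's DNS setting must be the pfSense firewall.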



  • hello sai,

    I tried with DNS forwarder enabled but it's not working  ::)
    I also changed the primary DNS server in the servers to the address of pfsense.

    It seems that pfsense doesn't take care of the DNS forwarder.

    If I ping the host in DMZ from another server in DMZ, instead of resolving the name mail90.tree.net into 192.168.4.5, I see the public address… I can't believe it :o

    there's something wrong in my configuration that i cannot find out. ???

    thank you for your help.



  • @treenet:

    hello sai,

    I tried with DNS forwarder enabled but it's not working  ::)
    I also changed the primary DNS server in the servers to the address of pfsense.

    It seems that pfsense doesn't take care of the DNS forwarder.

    If I ping the host in DMZ from another server in DMZ, instead of resolving the name mail90.tree.net into 192.168.4.5, I see the public address… I can't believe it :o

    there's something wrong in my configuration that i cannot find out. ???

    thank you for your help.

    The PC that you are pinging from: make sure that the DNS setting is the pfsense IP address and then reboot it.



  • Hi sai,

    I already did these checks.  ;) After changing config I rebooted the servers and also pfsense. Nothing doing..

    It's the DNS forwarder that for me is not working, because it fails when I try to do nslookup of mail90 using pfsense as DNS server…
    Pfsense tells me from the gui that dns forwarder service is running... ???

    Could it be a missing rule in the dmz interface for dns? i don't think so...

    Thanks sai for your support and sorry for my bad english :P



  • hmmm..
    what os is your pc running and how do you do the dns lookup?



  • Well, in this case i checked typing "nslookup" from a Windows 2003 std ed. server and a Windows 2003 web ed. server with pfsense configured as gateway and primary dns.

    I suppose that a previous additional install and removal of the "Dns Package" made some mess with the current Pfsense install. :(

    So the dns forwarder was not able to run properly…

    I reinstalled everything and remade the configuration: without static routes and of course without installing any additional component, but with the appropriate outbound nat rules.

    Now it's working great, it's secure, and handling thousands of connections easily. ;D :-* :D
    Since wednesday i've placed it in production without any other trouble.

    Now it's time for me to go to a dual pfsense cluster solution and i think i will achieve this goal very soon. :P

    I can now say that PFSENSE is a real good alternative to brand solutions and with the proper time (about 12 hours for me) needed to learn how to apply for it, i saved something like a couple thousand EURO.

    The only thing that's not working is ftp service on second wan. I hope you'll find how to fix it in the next release… ???

    Would like to say Thanks to sai for his assistance and to all developers that made this good job.

    Greetings from Italy

    Angelo

