Dual Wan - Static IPs - DNS howto for DMZ help
-
Hello everybody,
thank you so much for your help.
I'm sure it's something that i've misconfigured and I will try the suggested configuration during weekend.
Will let you know asap.
Angelo
-
@sai:
Proto | Source | Port | Destination | Port | Gateway
tcp | DMZnet | all | Any | all | default
and
TCP | DMZnet | 25 SMTP | Any | all | WAN1gateway (for having smtp traffic forced on wan1)

should be

Proto | Source | Port | Destination | Port | Gateway
TCP | DMZnet | all | Any | 25 SMTP | WAN1gateway (for having smtp traffic forced on wan1)
tcp | DMZnet | all | Any | all | default

Note the smtp rule should be above the other. The way you had it means that the gateway was default for all packets and the smtp rule would never get used.
Yes, the smtp rule was above the other but it was not correct.
Anyway, I fixed the problem of DMZ servers not being able to access the internet.
Outbound NAT was enabled but it didn't work. After upgrading to the last Stable 1.2 release, it has started to work. ???
SMTP is working now thanks to DNS resolution made by enabling Outbound NAT for the DMZ net.
The only remaining problems are:
1. FTP is working great but only through the first WAN connection (I've read this limitation will possibly be fixed in a future release… is it? ???)
2. Servers in DMZ cannot communicate between them. In particular they cannot relay emails to each other (before, the same scenario with ipcop wasn't a problem...)
For example:
SMTP emails sent from domains on mailserver1 to outside world (ex. hotmail.com) are delivered correctly
SMTP emails sent from domains on mailserver1 to domains on mailserver1 or mailserver2 are NOT delivered.
I think it's a problem related to internal DNS resolution.
DNS servers are external, one from each ISP.
Does anybody have any suggestions?
"DNS forwarder" disabled, "Disable NAT Reflection" unchecked.
Thank you so much for your help. :)
Angelo
-
You are correct, it is a DNS problem. Your DMZ servers are getting the real IP address of each other, but from within the DMZ you cannot access the real IP address, you can only access the private IP address.
See http://doc.m0n0.ch/handbook/faq-lannat.html or enable NAT reflection.
-
Hello Sai,
thanks for your reply.
"Disable NAT reflection" is unchecked, and so it is enabled. Otherwise I'm not able to access the internet from the servers in the DMZ nor let SMTP do DNS resolution.
What I'm not understanding (I'm not very confident with routing :P) is how to make things work, considering that before I was running an ipcop box and servers in the DMZ were able to relay traffic locally with the same configuration and almost the same firewall rules that I use now.
Can the DNS forwarder help me? I've been working on it all day and I'm going mad :'(
All your help and suggestions or possible workarounds to try will be very appreciated. Thank you. :o
-
I have never used the NAT reflection, no help…
Say your mailserver is mail90.tree.net with real IP address 200.x.c.v and is NATted to 192.168.4.5 in your DMZ.
From your DMZ / LAN, when you ping mail90.tree.net you ping IP address 200.x.c.v.
In the web GUI -> click on DNS forwarder; make sure that it is enabled [Enable DNS forwarder].
Where it says "Host Domain IP Description" click on the + icon and enter these settings:
Host: mail90
Domain: tree.net
IP address: 192.168.4.5
Description: mailserver mail90
Now from your DMZ / LAN, when you ping mail90.tree.net you ping IP address 192.168.4.5.
Note: in your mailserver your DNS setting should be the pfSense firewall.
-
Hello sai,
I tried with the DNS forwarder enabled but it's not working ::)
I also changed the primary DNS server in the servers to the address of pfSense.
It seems that pfSense doesn't take care of the DNS forwarder.
If I ping the host in the DMZ from another server in the DMZ, instead of resolving the name mail90.tree.net into 192.168.4.5, I see the public address… I can't believe it :o
There's something wrong in my configuration that I cannot find out. ???
Thank you for your help.
-
On the PC that you are pinging from, make sure that the DNS setting is the pfSense IP address and then reboot it.
-
Hi sai,
I already did these checks. ;) After changing the config I rebooted the servers and also pfSense. Nothing to do..
It's the DNS forwarder that for me is not working, because it fails when I try to do an nslookup of mail90 using pfSense as DNS server…
pfSense tells me from the GUI that the DNS forwarder service is running... ???
Could it be a missing rule on the DMZ interface for DNS? I don't think so...
Thanks sai for your support and sorry for my bad English :P
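As an added example (not code from the thread or from pfSense), a POSIX shell check for the split-DNS setup sai describes and the nslookup symptom Angelo reports: it resolves a name through the firewall and classifies the answer as the expected private address, a public address (the host override is not being applied), a different private address, or no answer. mail90.tree.net, 192.168.4.5 and the pfSense address 192.168.4.1 are assumed values from sai's illustration, and dig must be installed on the DMZ host running the check.

```shell
#!/bin/sh
# Split-horizon DNS check for a DMZ host that is reachable from inside
# only via its private address. Assumed values: mail90.tree.net,
# private 192.168.4.5, pfSense at 192.168.4.1 (not from the thread).

# is_private_ip IP -> exit 0 if IP is in an RFC 1918 range
is_private_ip() {
  case "$1" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# classify_answer EXPECTED_PRIVATE ANSWER -> prints one word:
#   ok        the forwarder handed out the private address (override works)
#   public    a routable address came back: the override is not in effect,
#             so DMZ-to-DMZ relay would go to the NATted public IP and fail
#   other     a different private address: wrong override entry
#   nxdomain  no A record at all
classify_answer() {
  expected=$1; answer=$2
  if [ -z "$answer" ]; then echo nxdomain; return 3; fi
  if [ "$answer" = "$expected" ]; then echo ok; return 0; fi
  if is_private_ip "$answer"; then echo other; return 2; fi
  echo public; return 1
}

# resolve_a SERVER NAME -> prints the first A record SERVER returns for NAME
# (needs network access and dig; ignores CNAME lines in dig's output)
resolve_a() {
  dig +short +time=2 +tries=1 "@$1" "$2" A \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1
}

# check_split_dns PFSENSE_IP NAME EXPECTED_PRIVATE -> prints a one-line
# verdict and returns classify_answer's status (0 only when the answer is ok)
check_split_dns() {
  answer=$(resolve_a "$1" "$2")
  result=$(classify_answer "$3" "$answer")
  rc=$?
  echo "$2 via $1 -> ${answer:-<no answer>} [$result]"
  return $rc
}

# Usage from a DMZ host whose resolver is the firewall (assumed address):
#   check_split_dns 192.168.4.1 mail90.tree.net 192.168.4.5
```

A `public` verdict with the override already entered points at the client still asking the ISP resolvers (or at a DNS rule missing on the DMZ interface), which is what the thread ends up chasing.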
-
hmmm..
What OS is your PC running and how do you do the DNS lookup?
-
Well, in this case I checked by typing "nslookup" from a Windows 2003 Std Ed. server and a Windows 2003 Web Ed. server with pfSense configured as gateway and primary DNS.
I suppose that a previous additional install and removal of the "DNS Package" made some mess with the current pfSense install. :(
So the DNS forwarder was not able to run properly…
I reinstalled everything and remade the configuration: without static routes and of course without installing any additional component, but with the appropriate outbound NAT rules.
Now it's working great, it's secure, and handling thousands of connections easily. ;D :-* :D
Since Wednesday I've had it in production without any other trouble.
Now it's time for me to go to a dual pfSense cluster solution and I think I will achieve this goal very soon. :P
I can now say that pfSense is a really good alternative to brand solutions and, with the proper time (about 12 hours for me) needed to learn how to use it, I saved something like a couple thousand EURO.
The only thing that's not working is the FTP service on the second WAN. I hope you'll find how to fix it in the next release… ???
Would like to say Thanks to sai for his assistance and to all developers that made this good job.
Greetings from Italy
Angelo