DMZ to LAN - LAN to DMZ Not working right.



  • Hi all,

    Having a slight problem and I'm sure it's something I'm overlooking.  This is all in a VMware environment.

    LAN = 10.10.10.X
    DMZ= 192.168.3.X

    I have the DMZ interface set to 192.168.3.1 (no gateway), LAN interface set to 10.10.10.105 (no gateway).  I can ping 192.168.3.1 from my machine which is on the LAN network.  I can also ping from the pfSense box to my local LAN.

    Here is the problem:

    I have a windows 2008 Server that is going to be doing ADFS Proxy functions for our 365 implementation.  I have it on the DMZ switch and gave it an IP of 192.168.3.2  - I cannot ping 3.1 from this machine.  What gateway should be set on this??  I tried with no gateway or with a gateway of 192.168.3.1 - no change.  From the LAN side of things I cannot ping this machine or RDP into it.

    My firewall rules are set with:

    LAN
    LAN net  - port * - DMZ net -  port * - Gateway *

    DMZ
    DMZ net  - port * - LAN net -  port * - Gateway *

    My virtual switches are all set to Promiscuous Mode: Accept

    Not sure what I'm missing or overlooking.



  • You only need to specify a gateway for WAN.  Your rules look a little different from default.  The default LAN rule, for instance, looks like this:

    ID Proto Source Port Destination Port Gateway Queue Schedule Description
      IPv4* *     *   *          *   *       none             Allow LAN to any rule

    Your rules look like they should work, but I always get suspicious when something has been modified from the default.  Are you sure your DMZ switch passes ICMP packets?


  • LAYER 8 Netgate

    What protocols are on those rules?  If it's TCP/UDP, ICMP (ping) won't pass.



  • Well, I made a little more progress.

    I put the WAN and DMZ into bridge mode.

    Now I can ping the 2008 Server from my local LAN.  That's all that's working right now though.  Can't RDP into it though.  Also nothing is working from DMZ to LAN - Which is more important.  What should the default gateway be on the server sitting in the DMZ??



  • You only need to specify a gateway for WAN.


  • LAYER 8 Netgate

    @OldSkoolMC:

    Well, I made a little more progress.

    I put the WAN and DMZ into bridge mode.

    Now I can ping the 2008 Server from my local LAN.  That's all that's working right now though.  Can't RDP into it though.  Also nothing is working from DMZ to LAN - Which is more important.  What should the default gateway be on the server sitting in the DMZ??

    Impossible to tell now that you bridged the interfaces for some reason.

    The default gateway for machines on a DMZ under normal circumstances is the address of the DMZ router interface, 192.168.3.1.  Pinging the interface on the same subnet doesn't require any routing, so the default gateway is meaningless for that test.  If it doesn't work, and you're sure you're passing ICMP traffic in the DMZ interface, then you have something borked at layer 2 - either in your switch or vSwitch.

    All you would need is a pass any any any rule on LAN and a pass any any dest not LAN net on the DMZ, and it would "just work".  What is your goal for the DMZ?  Typically people want to be able to get from the LAN to the DMZ but block most traffic from the DMZ to the LAN.
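To make the two-rule policy in the reply above concrete, here is an added example (not from the thread and not pfSense's own code) that models how pfSense evaluates interface rules: rules on a tab apply to traffic entering that interface from its attached network, they are checked top to bottom, the first match wins, and anything unmatched falls to the implicit default deny. The subnets are the ones given in the thread; the `lan`/`dmz` interface labels, the `Rule`/`Flow` classes and all sample flows are constructed for this illustration. It also shows the narrow DMZ-to-LAN port 443 exception the original poster says he wants eventually, and the earlier point that a TCP/UDP-only rule does not pass ICMP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Subnets from the thread; the interface names "lan" and "dmz" are labels chosen here.
LAN_NET = ip_network("10.10.10.0/24")
DMZ_NET = ip_network("192.168.3.0/24")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    """A new connection as the firewall sees it on the interface it arrives on."""
    iface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One line of a pfSense interface rule tab (simplified model)."""
    iface: str
    action: str                     # "pass" or "block"
    proto: str = "any"              # "any" covers ICMP; a tcp/udp rule does not
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dst_invert: bool = False        # True models a destination of "not LAN net"
    dport: Optional[int] = None     # None means any destination port
    desc: str = ""

    def matches(self, f: Flow) -> bool:
        if self.iface != f.iface:
            return False
        if self.proto != "any" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in self.src:
            return False
        in_dst = ip_address(f.dst) in self.dst
        if in_dst == self.dst_invert:   # the invert flag flips the destination test
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.desc
    return "block", "default deny"


RULES = [
    # LAN tab: the stock "allow LAN to any" rule.
    Rule("lan", "pass", src=LAN_NET, desc="Allow LAN to any"),
    # DMZ tab: narrow exception first, then "anything except LAN net".
    Rule("dmz", "pass", proto="tcp", src=DMZ_NET, dst=LAN_NET, dport=443,
         desc="DMZ to LAN 443 only"),
    Rule("dmz", "pass", src=DMZ_NET, dst=LAN_NET, dst_invert=True,
         desc="DMZ to anything but LAN"),
]

# A LAN rule restricted to TCP, to show why ping fails under such a rule.
TCP_ONLY_LAN_RULES = [
    Rule("lan", "pass", proto="tcp", src=LAN_NET, desc="LAN to any, TCP only"),
]

# Constructed sample connections, named by what they try to do.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "lan_rdp_to_dmz":   Flow("lan", "tcp", "10.10.10.20", "192.168.3.2", 3389),
    "lan_ping_dmz":     Flow("lan", "icmp", "10.10.10.20", "192.168.3.2"),
    "dmz_ping_google":  Flow("dmz", "icmp", "192.168.3.2", "8.8.8.8"),
    "dmz_https_to_lan": Flow("dmz", "tcp", "192.168.3.2", "10.10.10.50", 443),
    "dmz_rdp_to_lan":   Flow("dmz", "tcp", "192.168.3.2", "10.10.10.50", 3389),
}


def decide_all(rules: List[Rule] = RULES,
               flows: Dict[str, Flow] = SAMPLE_FLOWS) -> Dict[str, str]:
    """Return the pass/block verdict for every sample flow under a rule set."""
    return {name: evaluate(rules, f)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for name, f in SAMPLE_FLOWS.items():
        action, why = evaluate(RULES, f)
        print(f"{name:18} {action:5} ({why})")
    print("lan_ping_dmz under a TCP-only LAN rule:",
          evaluate(TCP_ONLY_LAN_RULES, SAMPLE_FLOWS["lan_ping_dmz"]))
```

Run as a script it prints one verdict per flow: everything from the LAN passes, the DMZ host can reach 8.8.8.8 and port 443 on the LAN, and the DMZ host's RDP attempt into the LAN hits the default deny. The last line shows the same LAN-to-DMZ ping being blocked when the LAN rule is TCP-only, which is the ICMP trap mentioned earlier in the thread. Reply packets are not modelled because pfSense handles them through state, not through these rules.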



  • @Derelict:

    @OldSkoolMC:

    Well, I made a little more progress.

    I put the WAN and DMZ into bridge mode.

    Now I can ping the 2008 Server from my local LAN.  That's all that's working right now though.  Can't RDP into it though.  Also nothing is working from DMZ to LAN - Which is more important.  What should the default gateway be on the server sitting in the DMZ??

    Impossible to tell now that you bridged the interfaces for some reason.

    The default gateway for machines on a DMZ under normal circumstances is the address of the DMZ router interface, 192.168.3.1.  Pinging the interface on the same subnet doesn't require any routing, so the default gateway is meaningless for that test.  If it doesn't work, and you're sure you're passing ICMP traffic in the DMZ interface, then you have something borked at layer 2 - either in your switch or vSwitch.

    All you would need is a pass any any any rule on LAN and a pass any any dest not LAN net on the DMZ, and it would "just work".  What is your goal for the DMZ?  Typically people want to be able to get from the LAN to the DMZ but block most traffic from the DMZ to the LAN.

    Well, scratch the bridge.  I removed it - it didn't help any. I'm still working on this issue.

    Here is what is going on.  I need to get my proxy server to see the internet - outgoing.  And yes, you are correct, I want to block everything from the DMZ to the LAN except port 443 at some point, but for now I am just trying to get traffic to flow properly.

    From my proxy machine I can get to the pfSense web interface using the 192.168 address.  I've opened up the firewall settings on the pfSense on each interface LAN/WAN/DMZ all to any any any.

    *** From the proxy machine I cannot ping 8.8.8.8 I should at this point be wide open to the internet (at least outbound). ****  Not sure what  I'm missing.

    On the web interface of the pfSense I go into Diags - PING >

    1. I can ping my internet router with each source DMZ/LAN/WAN.

    2. When I ping 8.8.8.8 I can hit that from DMZ/LAN/WAN sources.

    3. When I ping my 2008 server (proxy) I get replies from DMZ/LAN but NOT from the WAN source address.

    From a workstation on the LAN - I can ping my 192.168 internet router and can obviously ping my LAN interface (as I am on the web control panel).

    scratching my head on this one.  :-\



  • All figured out guys.

    I had to look at the firewall logs and found the issue.  I have no idea why * wasn't working.  Once I added a firewall rule with the IP address of the proxy it started passing traffic.  It should have been wide open with the DMZ set to all * (in my eyes).

    Thanks for the help anyway guys.

