Netgate Discussion Forum
    DMZ with static IP's

    Firewalling
    6 Posts 2 Posters 1.4k Views
    Ainsey11

      Hi There!

      Not sure if this is the right place, but I'll post it here as this looks like the most relevant spot.

      I have just put a pfSense router on my home network, with 3 NICs on it.

      NIC 1 is my WAN interface
      NIC 2 is my LAN interface
      NIC 3 is my DMZ interface (or hopefully!)

      My WAN interface gets its IP from PPPoE
      My LAN interface is set to 10.1.1.1/16 running DHCP from 10.1.2.1 and plugs into a gigabit switch (works fine)

      My ISP has given me two routed blocks of IP addresses, X.X.X.73/29 and X.X.X.96/29 (assume X is the other octets)
      I would like to have some servers connected to the switch on one of these external IP addresses. However, I can't for the life of me get it to work!

      I created the DMZ interface and set a static IP of X.X.X.74 (this is the one plugged into the switch), then I added a rule as follows :

      Proto | IPv4 ICMP |
      Source | * |
      Destination | X.X.X.74 |
      Gateway | * |

      It then pings from one of my web servers (on the general internet on a completely different network).

      However, now I want to add a server into the DMZ, so I connected it to the switch where the DMZ interface connects, and went to set a static IP. All seems good so far! However, it then asks for the gateway when setting the IP.
      I set it as follows :
      address : X.X.X.75
      netmask 255.255.255.248
      Gateway ?

      Now, what IP would my gateway out to the internet be? I tried using the .74 address of the DMZ NIC, the external IP of the WAN, and the internal IP of my LAN, but to no avail. So I figured I need to add a gateway, so I went back to the DMZ interface settings and where it says static IPv4 address there is a create new gateway option; in here I made the following:

      Gateway Name : DMZGW
      Gateway IPv4 : X.X.X.73
      Description : DMZGW

      So I thought the .73 address would become my gateway, so I added that into my static IP config and still no joy. I did some googling and found that I need to allow the traffic outbound from the DMZ, which does make sense, so I added this rule onto the DMZ rules list: http://i.imgur.com/5viecjT.png

      Still no joy. If I set an any-to-any rule from the WAN to the .73 address I also get nothing.

      Any ideas? It's really annoying me. I had this setup on a VM platform working perfectly but I've forgotten how to set it up :/

      Thanks!

      Robert (Ainsey11)

      phil.davis

        Gateway Name : DMZGW
        Gateway IPv4 : X.X.X.73
        Description : DMZGW

        I think you just need to get rid of that gateway. The DMZ is much like any LAN in pfSense. DMZ interface IP (.74) is the gateway for devices in the DMZ, so use that on the server.
        The firewall rule you added last is the thing that would have made it work - without the DMZGW thing that unfortunately was done before you added the firewall rule.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        Ainsey11

          Hi Phil,

          Thanks for the reply,

          I've just removed the extra gateway I had, and set the gateway on the server to the .74 address and still no joy :(

          Ainsey11

            also, I forgot to add,

            I can ping the DMZ NIC (.74) from my LAN,

            not sure if that's good or not

            phil.davis

              With that setup you should be able to ping out from your server to the public internet.
              LAN will be able to ping DMZ because there is probably still a pass all rule on LAN. If you want to restrict that, then you have to put a block rule above the pass all, or change the "pass all" rule to "pass all but not to destination DMZnet".
              To ping from the public internet to the DMZ server you need to widen the pass rule on WAN so it allows to destination X.X.X.72/29 (= 72-79).

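A quick check of the addressing logic Phil describes (on-link gateway, and a WAN pass rule that has to cover the whole /29 rather than the single .74 address), as an added example that is not part of the thread. 203.0.113.x is a placeholder for the redacted X.X.X.x block:

```python
# Added example, not from the thread: verify the DMZ addressing and the scope of a
# firewall rule's destination with the standard library. 203.0.113.x (a documentation
# range) stands in for the redacted ISP block; no real addresses are used.
import ipaddress

ISP_BLOCK = "203.0.113.73/29"   # as the ISP wrote it: host bits set, see normalise_block()
DMZ_IF_IP = "203.0.113.74"      # pfSense DMZ interface address
DMZ_SERVER = "203.0.113.75"     # the first server placed in the DMZ
LAN_IF_IP = "10.1.1.1"          # pfSense LAN interface address (from the thread)


def normalise_block(cidr: str) -> ipaddress.IPv4Network:
    """X.X.X.73/29 is not a network address. strict=False clears the host bits and
    yields the routed block that actually exists, X.X.X.72/29 (hosts .73 to .78)."""
    return ipaddress.ip_network(cidr, strict=False)


def gateway_ok(server: str, gateway: str, block: ipaddress.IPv4Network) -> bool:
    """A default gateway must be on-link: in the same /29 as the server and neither
    the network nor the broadcast address. That is why the DMZ interface IP (.74)
    works as the gateway while the WAN or LAN interface addresses do not."""
    srv, gw = ipaddress.ip_address(server), ipaddress.ip_address(gateway)
    return (srv in block and gw in block
            and gw not in (block.network_address, block.broadcast_address))


def rule_covers(rule_destination: str, host: str) -> bool:
    """Does a rule's destination field reach this host? A destination of the single
    address X.X.X.74 only passes traffic to the pfSense interface itself; to reach
    servers behind it the WAN rule needs the whole block, X.X.X.72/29."""
    dest = ipaddress.ip_network(rule_destination, strict=False)  # bare IP -> /32
    return ipaddress.ip_address(host) in dest


def usable_hosts(block: ipaddress.IPv4Network) -> list[str]:
    """Addresses the /29 can hand out (6 for a /29; .74 is taken by the interface)."""
    return [str(h) for h in block.hosts()]
```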

              Ainsey11

                Hi Phil,

                Surprisingly, it still wouldn't work!

                I then thought it could be the switch, and voilà! For some reason the individual network ports were isolated from each other; as soon as I swapped it out it was fine! Now all the firewall rules are in place and working fine :)

                Thanks for your help!!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.