DMZ completely non-functional



  • I cannot do anything with my DMZ right now. I cannot ping a server in the DMZ from the LAN and the server cannot ping anything on the LAN. I haven't even gotten to WAN setup yet.

    I have a 4 port NIC + a 1 port NIC
    DC0: LAN
    DC1: LAN_Guest
    DC2: WAN
    DC3: WAN_DSL
    XL0: DMZ

    I would think these two rules would do it, but I am wrong. Both are at the top of each interface's firewall rules.
    LAN Interface:
    Proto  Source  Port  Destination  Port  Gateway  Schedule    Description
    *          LAN net  *  DMZ net          *  *                        LAN -> DMZ Any

    DMZ Interface:
    Proto  Source  Port  Destination  Port  Gateway  Schedule    Description
    *        192.168.1.2 *  *                  *  *                        Server -> Any

    DMZ Interface IP: 192.168.1.1

    I also cannot even ping the firewall's DMZ interface from the server in the DMZ. However, I can ping the firewall's DMZ interface from my LAN subnet. There is nothing in the log saying it is blocking DMZ traffic.



  • What subnet are you using on lan? Is it still the factory default 192.168.1.0/24? if yes this is a conflict  unless you have setup your dmz as bridge. Please provide some more info.



  • The LAN interface is 10.b.c.d.

    I don't understand why the LAN can ping the firewall's DMZ interface, but not a server in the DMZ.

    I have nothing in NAT about my DMZ just yet as I haven't started working on the WAN portions.

    The last firewall rule on the LAN interface is * LAN net * * * WAN_DSL Gateway * to send out all default traffic on the LAN out the DSL.

    The last firewall on rule on the DMZ is TCP DMZ net * ! LAN net * *

    In the states log I am seeing this:
    icmp  MyLaptopIP:512 -> WAN_IP:59692 -> DMZ_Server 0:0

    So it is going out the WAN before going to the DMZ for some reason???



  • If you have no multiwan don't use the gateway setting in your firewall rules. Leave it at deafult or things like you mentioned will happen.



  • I have two WANs.

    1. WAN
    2. WAN_DSL


  • Can you post a screenshot of your LAN and DMZ firewallrules please? Something must be wrong. Either protocol, ordering, … don't know. Will have to look at it.



  • Please see attached.

    ![Firewall Rules.png_thumb](/public/imported_attachments/1/Firewall Rules.png_thumb)
    ![Firewall Rules.png](/public/imported_attachments/1/Firewall Rules.png)



  • That should work, though you have some unneccessary rules there (for example the rule dmz nat to lan net on the lan tab, same for the dmz net). Are you sure all your clients have the correct gateways assigned?



  • Alright, we got it figured out…sorta.

    Our WAN ISP (Charter) uses 172.18.X.X to route their traffic. Our DMZ was set to 172.16.X.X so for some reason, all the LANtoDMZ traffic was sent out the WAN.

    Our WAN_DSL ISP uses regular public IPs and we have no problem with them.

    So, we changed our DMZ subnet to 192.168.X.X and now everything works.

    Unbelievable.

    Why doesn't the firewall know not to send it out the WAN? We have no rules anywhere that list 172.16.X.X



  • I suspect the netmask on your WAN is /16 since this is the default subnetmask for 172.x.x.x subnets.
    But without looking at your interfaces status page i cannot say for sure ;)



  • We double-checked that about 800 times. So… 1600 times in total.



  • I think it was just an old state from before you started to configure everything. When changing firewallrules it sometimes is needed to reset states at diagnostics>states, reset states. For example if your last firewallrule (send lan traffic to optwan gateway) was present before you set up the upper rule and there already have been states initiated through that last rule only new states will match the new rule. The old states need to be closed first or time out.


Log in to reply