DMZ completely non-functional
-
I cannot do anything with my DMZ right now. I cannot ping a server in the DMZ from the LAN and the server cannot ping anything on the LAN. I haven't even gotten to WAN setup yet.
I have a 4 port NIC + a 1 port NIC
DC0: LAN
DC1: LAN_Guest
DC2: WAN
DC3: WAN_DSL
XL0: DMZ
I would think these two rules would do it, but I am wrong. Both are at the top of each interface's firewall rules.
LAN Interface:

| Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| * | LAN net | * | DMZ net | * | * | | LAN -> DMZ Any |

DMZ Interface:

| Proto | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| * | 192.168.1.2 | * | * | * | * | | Server -> Any |

DMZ Interface IP: 192.168.1.1
I also cannot even ping the firewall's DMZ interface from the server in the DMZ. However, I can ping the firewall's DMZ interface from my LAN subnet. There is nothing in the log saying it is blocking DMZ traffic.
-
What subnet are you using on LAN? Is it still the factory default 192.168.1.0/24? If yes, this is a conflict unless you have set up your DMZ as a bridge. Please provide some more info.
-
The LAN interface is 10.b.c.d.
I don't understand why the LAN can ping the firewall's DMZ interface, but not a server in the DMZ.
I have nothing in NAT about my DMZ just yet as I haven't started working on the WAN portions.
The last firewall rule on the LAN interface is `* LAN net * * * WAN_DSL Gateway *`, to send all default traffic on the LAN out the DSL.
The last firewall rule on the DMZ is `TCP DMZ net * ! LAN net * *`.
In the states log I am seeing this:
`icmp MyLaptopIP:512 -> WAN_IP:59692 -> DMZ_Server 0:0`
So it is going out the WAN before going to the DMZ for some reason???
-
If you have no multi-WAN, don't use the gateway setting in your firewall rules. Leave it at default or things like you mentioned will happen.
-
I have two WANs.
- WAN
- WAN_DSL
-
Can you post a screenshot of your LAN and DMZ firewall rules please? Something must be wrong. Either protocol, ordering, … don't know. Will have to look at it.
-
Please see attached.
![Firewall Rules.png](/public/imported_attachments/1/Firewall Rules.png)
-
That should work, though you have some unnecessary rules there (for example the rule DMZ NAT to LAN net on the LAN tab, same for the DMZ net). Are you sure all your clients have the correct gateways assigned?
-
Alright, we got it figured out…sorta.
Our WAN ISP (Charter) uses 172.18.X.X to route their traffic. Our DMZ was set to 172.16.X.X, so for some reason all the LAN-to-DMZ traffic was sent out the WAN.
Our WAN_DSL ISP uses regular public IPs and we have no problem with them.
So, we changed our DMZ subnet to 192.168.X.X and now everything works.
Unbelievable.
Why doesn't the firewall know not to send it out the WAN? We have no rules anywhere that list 172.16.X.X.
-
I suspect the netmask on your WAN is /16, since this is the default subnet mask for 172.x.x.x subnets.
But without looking at your interfaces status page I cannot say for sure ;)
-
We double-checked that about 800 times. So… 1600 times in total.
-
I think it was just an old state from before you started to configure everything. When changing firewall rules it is sometimes necessary to reset states at Diagnostics > States, Reset states. For example, if your last firewall rule (send LAN traffic to the OPT WAN gateway) was present before you set up the upper rule and there have already been states initiated through that last rule, only new states will match the new rule. The old states need to be closed first or time out.
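As an added example (not code from the thread or from pfSense), a small Python model of the first-match rule evaluation and policy-routing gateway discussed above, plus a check for overlapping interface subnets of the kind the reply about the WAN netmask hints at. Interface names follow the thread; all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
# Constructed interface table modelled on the thread; every address here is made up.
INTERFACES = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "DMZ": ipaddress.ip_network("172.16.0.0/16"),
    "WAN": ipaddress.ip_network("172.18.0.0/16"),      # cable ISP's RFC 1918 transit range
    "WAN_DSL": ipaddress.ip_network("203.0.113.0/29"),
}

@dataclass
class Rule:
    source: str        # "<iface> net" or "any"
    dest: str          # "<iface> net", "!<iface> net" or "any"
    gateway: str = ""  # policy-routing gateway; "" means use the system routing table
    description: str = ""

def _matches(spec: str, addr: ipaddress.IPv4Address, ifaces: dict) -> bool:
    # One source/destination field, honouring the "!" negation used on the DMZ tab.
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ifaces[spec.lstrip("!").removesuffix(" net")]
    return (addr in net) != negate

def first_match(rules: list, src: str, dst: str, ifaces: dict = INTERFACES):
    """pf-style evaluation of one interface tab: the first matching rule wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule.source, s, ifaces) and _matches(rule.dest, d, ifaces):
            return rule
    return None

def overlapping_interfaces(ifaces: dict = INTERFACES) -> list:
    """Pairs of interfaces whose subnets overlap, which makes routing between them ambiguous."""
    names = sorted(ifaces)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ifaces[a].overlaps(ifaces[b])]

# The two LAN-tab rules from the thread, in the order the poster has them.
LAN_RULES = [
    Rule("LAN net", "DMZ net", "", "LAN -> DMZ Any"),
    Rule("LAN net", "any", "WAN_DSL", "default LAN traffic out the DSL"),
]
if __name__ == "__main__":
    hit = first_match(LAN_RULES, "10.0.0.5", "172.16.0.2")
    print(hit.description, "via", hit.gateway or "routing table")
    bad = dict(INTERFACES, WAN=ipaddress.ip_network("172.18.0.0/12", strict=False))
    print("overlapping:", overlapping_interfaces(bad))
```

Reversing `LAN_RULES` makes the gateway rule win for LAN-to-DMZ traffic, which is the policy-routed path the state entry in the thread shows; the `/12` case shows a WAN mask wide enough to swallow the DMZ range.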