Need Help Setting Up DMZ - Close to giving up on pfSense



  • I have the LAN setup with no problems.  However I can't get anything working with my DMZ.  Is there a guide available that goes into detail how to do this?  I have a block of 64 addresses and I am needing to route some of these to my DMZ.  The only things I have found have not been much help at all.



• Well, you need to give a "bit" more information about what you are trying to achieve…
    Give as much information as you have.

    What did you already try? What didn't work? What's your goal? etc.



  • Aye, I'm sure there are many willing and able to help you - but more input is required please.



• Okay, I am new to all of this so I don't know a lot of the details, but here is a start.

    I first set up my LAN and put in all of the rules I would need, HTTP, HTTPS, FTP, etc.  This works.  Then I moved on to set up the DMZ and this is where my trouble began.  I assumed, most likely incorrectly, that if I do the same types of rules for the DMZ I would have the same type of connectivity, but I don't.  I have even tried DMZ to Any rules and I can get no internet access.  I understand the NAT 1:1 routing but do I even have to use it at this point?  I was just trying to get internet access on the DMZ as a starting point.

    My end goal is this:
    I want to have a DMZ setup for our web server and our email server.
    LAN setup for my local users.

    What info do you need in order to figure out where I am at?  Just let me know.  I have been working on this for 3 days and it is getting frustrating.



• Did you have a look at this guide: http://doc.m0n0.ch/handbook-single/#id2604955



• Yes, I looked through the section on DMZ and tried everything it laid out and I didn't get anywhere.  I am getting some notes pulled on my current config right now and will post them shortly; maybe then I can get this figured out.



  • Okay, I started from a clean slate.  Setup my WAN, LAN, and DMZ (OPT1) interfaces.  I have the WAN my external IP and /26 subnet.  I setup the rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN.  I have DHCP enabled on my LAN and temporarily enabled on my DMZ (for testing purposes).  I would like to in the end once I can get in and out of my DMZ use static IPs and 1:1 NAT.

    Based upon this basic setup I would assume that I could add similar rules as I did for my LAN, HTTP & HTTPS and be able to browse the web.  At this point I can't. How is the DMZ handled differently and what do I need to do?

    I turned on the logging on the rules I set for the DMZ and I am getting nothing showing up in the logs.



• Are there public IPs in your DMZ?
    Could you maybe show screenshots of what your rules look like?



• Right now I am not using public IPs in my DMZ.  The machine inside the DMZ has a 192.168.2.* address assigned by DHCP.  I am just trying to get out.  Then I am going to get to the 1:1 and the public IP setup.



  • I somehow think you messed up the rules if you can get to the internet from the LAN but not from the DMZ.
    Could you show screenshots?



• @XclntONE wrote:
    Okay, I started from a clean slate.  Setup my WAN, LAN, and DMZ (OPT1) interfaces.  I have the WAN my external IP and /26 subnet.  I setup the rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN.  I have DHCP enabled on my LAN and temporarily enabled on my DMZ (for testing purposes).  I would like to in the end once I can get in and out of my DMZ use static IPs and 1:1 NAT.

    Based upon this basic setup I would assume that I could add similar rules as I did for my LAN, HTTP & HTTPS and be able to browse the web.  At this point I can't. How is the DMZ handled differently and what do I need to do?

    I turned on the logging on the rules I set for the DMZ and I am getting nothing showing up in the logs.

    Hmmmm… "rules for HTTP, HTTPS, FTP, SMTP, POP3 and IMAP for my LAN"...

    Have you defined rules with the WAN as the source and the DMZ as the destination for the same services?

    I assume you've made the rules you describe above with the LAN as the source and the DMZ as the destination?

    Personally, I would permit all IP from LAN to DMZ for starters.

    Kind of in this order is how I think I would proceed:

    1.  Create Aliases for my DMZ hosts.

    2.  Create Virtual IPs for the public IPs out of my /26 that I'm going to use for 1:1 NAT to DMZ hosts
    You do not really need to NAT LAN:DMZ IPs.

    3.  Setup specific firewall rules for WAN access to my DMZ hosts.
    Very few and very small holes, just enough for what services we need to expose to the public.

    4.  Setup a firewall rule that allows all IP from LAN to DMZ.  the LAN is fully trusted, the DMZ is semi-trusted, and the WAN is not trusted.
    So, packets that are sourced in the fully trusted network should be allowed to go wherever they want pretty much, right?

    5.  Setup specific firewall rules that allow DMZ hosts access to LAN stuff.
    Very few and very small holes, just enough for the DMZ hosts to function and communicate with what they need on the LAN.

    Basically, I like to lay things out and think of them as how much I trust each of the three networks.

    WAN:  not trusted
    DMZ: semi-trusted
    LAN: fully trusted

    Then, think about the direction of traffic flow:  from a more trusted network to a less trusted network we don't need to worry about so much; but from a less trusted network to a more trusted network, we need to firewall the crap out of that.

    Hope this helps!



  • Oh, and numbering!

WAN:  use your public IPs out of your /26  (I'm jealous, that's a nice-sized chunk your ISP gave you!)  ;)

    DMZ:  use private static IPs for your DMZ hosts, no DHCP.

    LAN: use a private subnet, different from your DMZ subnet.

    here is how I would number it:

LAN:  10.10.x.x/16 - DHCP pool for workstations 10.10.1.x/16; everything else statically assigned, with the 3rd octet a number specific to the type of device: 240 for servers, 254 for routers/gateways, 252 for switches, 253 for WAPs, etc.

    DMZ:  10.9.x.x/16 - no DHCP, same scheme as above, all statically assigned

    WAN: whatever out of my /26 of publics
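The five-step layout from the post above (aliases, virtual IPs for 1:1 NAT, narrow WAN-to-DMZ holes, LAN-to-DMZ allow-all, minimal DMZ-to-LAN holes), combined with the 10.10/16 and 10.9/16 numbering, written out as a raw pf ruleset. This is an added example, not anything posted in the thread and not pfSense's generated configuration: in pfSense these entries are made under Aliases, Virtual IPs, NAT and the per-interface Rules tabs, and the GUI writes the pf rules itself. Interface names (em0/em1/em2), the host addresses, the database hole on port 5432 and the prefix 203.0.113.0/26 standing in for the poster's real public /26 are all assumptions.

```pf
# Added example: pf ruleset for a WAN / LAN / DMZ layout. Not from the thread.
# Assumed: em0 = WAN, em1 = LAN, em2 = DMZ; 203.0.113.0/26 stands in for the
# poster's public /26; host addresses follow the "3rd octet 240 = servers,
# 254 = gateways" scheme from the post above.

wan = "em0"
lan = "em1"
dmz = "em2"

lan_net = "10.10.0.0/16"
dmz_net = "10.9.0.0/16"
dmz_gw  = "10.9.254.1"        # the firewall's own DMZ address (assumed)
lan_db  = "10.10.240.5"       # an assumed LAN database the web server needs

# Step 1: aliases for the DMZ hosts (pf tables are what pfSense aliases become)
table <www1>  { 10.9.240.10 }
table <mail1> { 10.9.240.20 }

# Step 2: the public IPs out of the /26 that get 1:1 NAT (pfSense Virtual IPs)
www1_pub  = "203.0.113.10"
mail1_pub = "203.0.113.11"

set skip on lo0
scrub in all

# ---- Translation ------------------------------------------------------
# 1:1 NAT: one public address <-> one DMZ host, both directions (binat).
binat on $wan from 10.9.240.10 to any -> $www1_pub
binat on $wan from 10.9.240.20 to any -> $mail1_pub

# Outbound NAT for everything else on BOTH internal subnets. In a hand-written
# ruleset, a DMZ host with a private address and no outbound NAT entry can
# reach the firewall but nothing beyond it.
nat on $wan from $lan_net to any -> ($wan)
nat on $wan from $dmz_net to any -> ($wan)

# ---- Filtering --------------------------------------------------------
# Default deny, logged. Filtering is done on ingress per interface, the same
# way pfSense's per-interface rule tabs work; egress is open.
block log all
pass out all keep state

# Step 3: WAN -> DMZ, only the published services. Translation runs before
# filtering, so the rule matches the DMZ host's private address, not the VIP.
pass in on $wan proto tcp from any to <www1>  port { 80, 443 }     flags S/SA keep state
pass in on $wan proto tcp from any to <mail1> port { 25, 110, 143 } flags S/SA keep state

# Step 4: the fully trusted LAN may go anywhere, DMZ and Internet included.
pass in on $lan from $lan_net to any keep state

# Step 5: the semi-trusted DMZ gets only what it needs.
# 5a: towards the Internet (explicitly not the LAN): DNS, web for updates,
#     SMTP delivery from the mail server only, and ICMP echo for testing.
pass in on $dmz proto { tcp, udp } from $dmz_net to $dmz_gw    port 53          keep state
pass in on $dmz proto tcp          from $dmz_net to ! $lan_net port { 80, 443 } keep state
pass in on $dmz proto tcp          from <mail1>  to ! $lan_net port 25          keep state
pass in on $dmz inet proto icmp    from $dmz_net to ! $lan_net icmp-type echoreq keep state
# 5b: towards the LAN: nothing, except one deliberate, named hole.
pass in on $dmz proto tcp from <www1> to $lan_db port 5432 keep state
```

Check the syntax with `pfctl -nf pf.conf` before loading it; on pfSense itself do not load a hand-written file, since the GUI regenerates the ruleset, but the shape above is what the Aliases, Virtual IPs, NAT 1:1 and Rules tabs produce. Two points worth verifying in any DMZ build: the DMZ subnet has an outbound NAT entry of its own, and the WAN rule's destination is the DMZ host's private address (or the alias for it), because the 1:1 mapping has already rewritten the packet by the time the firewall rules see it.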



  • Okay, I created an alias for my test host that is in my dmz.  I assigned the Virtual IP and I did a 1:1 mapping for that host.  On the firewall rules I have rules on the WAN interface that are set to TCP Any Source Any Source Port -> Destination www1 (alias for host) TCP 80 and I am still getting nothing.  I can't access it from the outside and from inside my DMZ I cannot browse the web even though I have the rules on the DMZ interface set to Source=DMZ Subnet * * Destination Port TCP 80.  Where am I going wrong?



• (Screenshots: LAN Rules, WAN Rules, DMZ Rules)

    Here are my current rules.  What needs to be changed and what is correct?



  • Change the LAN rules to have just one rule that allows anything to anywhere. Do the same for DMZ. You are not listing your NAT mappings, do you have a port forward for port 80 from the WAN address to the www server on your dmz? Once you get it working using the simplest method you can start adding things like 1:1 NAT and more restrictive firewall rules between DMZ and LAN.



  • My LAN is working fine.  The rules work on my LAN just as they are put in.  My DMZ however is where all of the trouble is.  No matter what rules I put in I get no results.



• Okay, I just tried on my DMZ interface allowing the DMZ subnet to Any Dest and Any Port and I am getting nothing.  I can't browse the web from inside the DMZ.  I can access pfSense from inside the DMZ, so I am sure it's a config setting and not hardware.



• From your one screenshot, I see 80 and 443.
    How about DNS? (53)

    Can you ping something like 4.2.2.2 from your DMZ box?

    Sorry, you probably cannot ping either…
    Try getting the IP of a web server, then telnet to the IP on 80 to see if you get a response (like Yahoo's IP).
    Go to the command line.
    ex: telnet 1.1.1.1 80
    (make sure you put a working IP in there) :) Test this from inside your LAN to see the results first.
    If 80 is getting out, you should get a blank screen in Windows.



  • I have it figured out now.

    I set my DMZ to bridge with the WAN and then made sure that bridge filtering was enabled.

    Then I set the rules for WAN -> DMZ and DMZ -> WAN accordingly and now everything is working 100%.

Next tough thing is going to be migrating the web data to the new servers on the new IPs.  But I guess that would be a question for another forum?  Anyone here have any experience with migrating shopping carts from one server to another during a DNS migration?

