Access DMZ to WAN



  • Hi all,

    I would like to have an access in DMZ to the WAN. My interfaces are :

    LAN : 10.0.0.50/8
      - PC : 10.0.0.10 => Access WAN OK
        Gateway : 10.0.0.50
        Dns Server : 10.0.0.50

    DMZ : 10.0.1.50/8
      - PC : 10.0.1.1 => Access WAN down
        Gateway : 10.0.1.50
        Dns Server = 10.0.0.50

    WAN : 192.168.0.5/24

    I have created a rule like the lan rule for the WAN:

    DMZ rules  :

    *  DMZ net  *  *  *  *        (Access to WAN)

    UDP  DMZ net  *  10.0.0.50  53 (DNS)  *      (Access to DNS server in LAN)

    but the access to WAN since DMZ is always down, i have read the docs monowall but it's the same problem.

    Thanks for your help



  • LAN : 10.0.0.50/8
    DMZ : 10.0.1.50/8

    The same subnet on two interfaces wont work.



  • Ok, now the subnet of DMZ is /16 but access to WAN doesn't work…
      -PC :
    Ip adress : 10.0.1.1
    Subnet : 255.255.0.0
    Gateway : 10.0.1.50
    DNS : 10.0.0.50

    Interface DMZ in Pfsense :
    10.0.1.50/16



  • I suggest you start reading on wikipedia how subnetting works.
    10.0.0.0/16 is still the same subnet as 10.0.1.0/16



  • I don't understand because in the monowall documentation http://doc.m0n0.ch/handbook/examples.html#id11622455 Lan ip address is : 192.168.1.1/24 and Dmz ip adress :192.168.2.1/24, the subnet is the same…



  • 192.168.1.1/24 and 192.168.2.1/24 are two different subnets!

    You seem to missinterpretate the "/number"
    192.168.0.0/24 is equal to 192.168.0.0 to 192.168.0.255
    192.168.1.0/24 is equal to 192.168.1.0 to 192.168.1.255

    10.0.0.0/8 is equal to 10.0.0.0 to 10.255.255.255
    10.0.0.0/16 is equal to 10.0.0.0 to 10.0.255.255

    The number in CIDR notation behind the / is how many bits are for the "network" identification.
    The rest of the bits (32 - number behind /) are the bits for the addressing within the subnet.

    So really read a bit on your own how the basics work.
    http://en.wikipedia.org/wiki/Subnetwork
    http://en.wikipedia.org/wiki/CIDR



  • Ok, so now my Dmz ip address is : 10.1.0.50/16 (network : 10.1.0.0)
                        Lan ip address is : 10.0.0.50/8  (network : 10.0.0.0)

    I don't have an access to WAN…



  • I take the dns adress of my freebox and the wan is now ok since my dmz…

    Thank you GruensFroeschli



  • Your addresses are still conflicting

    10.0.0.50/8
    is 10.0.0.0 up to 10.255.255.255

    which contains

    10.1.0.50/16
    which is 10.1.0.0 to 10.1.255.255

    Just set your first subnet to /16 too and it should work.
    –>
    10.0.0.0/16
    10.1.0.0/16



  • Ok ty for the tip, i have a new problem ^^, in my dmz i have a apache server on port 80 but is it inacessible from the wan.
    10.1.0.1 is the server ip address.

    In Firewall: NAT: 1:1 i have the rule :

    Interface External IP Internal IP Description 
    WAN  192.168.0.10/32  10.1.0.1/32  www

    And in port forwad :
    If Proto Ext. port range NAT IP Int. port
    WAN    TCP    80  (HTTP)    10.1.0.1      80 (HTTP)
                                            (ext.: 192.168.0.5)

    But when i want to connect to 192.168.0.10 it's down.



  • You dont use 1:1 NAT and normal forwardings.
    One or the other.

    In your forwarding rule you have as ext: 192.168.0.5.
    Are you sure that your WAN interface is 192.168.0.10 and not 192.168.0.5?
    Also if you want to forward port 80 of your WAN, make sure that you change the webgui to something else.



  • If WAN is on a private subnet (like 192.168. is) you have to disable 'block private subnets' as well.
    What's in front of your WAN anyway?



  • this work perfectly thank a lot of !


Locked