Access DMZ to WAN

jordan49

Hi all,

I would like to have an access in DMZ to the WAN. My interfaces are :

LAN : 10.0.0.50/8
  - PC : 10.0.0.10 => Access WAN OK
    Gateway : 10.0.0.50
    Dns Server : 10.0.0.50

DMZ : 10.0.1.50/8
  - PC : 10.0.1.1 => Access WAN down
    Gateway : 10.0.1.50
    Dns Server = 10.0.0.50

WAN : 192.168.0.5/24

I have created a rule like the lan rule for the WAN:

DMZ rules  :

*  DMZ net  *  *  *  *        (Access to WAN)

UDP  DMZ net  *  10.0.0.50  53 (DNS)  *      (Access to DNS server in LAN)

but the access to WAN since DMZ is always down, i have read the docs monowall but it's the same problem.

Thanks for your help

GruensFroeschli

LAN : 10.0.0.50/8
DMZ : 10.0.1.50/8

The same subnet on two interfaces wont work.

jordan49

Ok, now the subnet of DMZ is /16 but access to WAN doesn't work…
  -PC :
Ip adress : 10.0.1.1
Subnet : 255.255.0.0
Gateway : 10.0.1.50
DNS : 10.0.0.50

Interface DMZ in Pfsense :
10.0.1.50/16

GruensFroeschli

I suggest you start reading on wikipedia how subnetting works.
10.0.0.0/16 is still the same subnet as 10.0.1.0/16

jordan49

I don't understand because in the monowall documentation http://doc.m0n0.ch/handbook/examples.html#id11622455 Lan ip address is : 192.168.1.1/24 and Dmz ip adress :192.168.2.1/24, the subnet is the same…

GruensFroeschli

192.168.1.1/24 and 192.168.2.1/24 are two different subnets!

You seem to missinterpretate the "/number"
192.168.0.0/24 is equal to 192.168.0.0 to 192.168.0.255
192.168.1.0/24 is equal to 192.168.1.0 to 192.168.1.255

10.0.0.0/8 is equal to 10.0.0.0 to 10.255.255.255
10.0.0.0/16 is equal to 10.0.0.0 to 10.0.255.255

The number in CIDR notation behind the / is how many bits are for the "network" identification.
The rest of the bits (32 - number behind /) are the bits for the addressing within the subnet.

So really read a bit on your own how the basics work.
http://en.wikipedia.org/wiki/Subnetwork
http://en.wikipedia.org/wiki/CIDR

jordan49

Ok, so now my Dmz ip address is : 10.1.0.50/16 (network : 10.1.0.0)
                    Lan ip address is : 10.0.0.50/8  (network : 10.0.0.0)

I don't have an access to WAN…

jordan49

I take the dns adress of my freebox and the wan is now ok since my dmz…

Thank you GruensFroeschli

GruensFroeschli

Your addresses are still conflicting

10.0.0.50/8
is 10.0.0.0 up to 10.255.255.255

which contains

10.1.0.50/16
which is 10.1.0.0 to 10.1.255.255

Just set your first subnet to /16 too and it should work.
–>
10.0.0.0/16
10.1.0.0/16

jordan49

Ok ty for the tip, i have a new problem ^^, in my dmz i have a apache server on port 80 but is it inacessible from the wan.
10.1.0.1 is the server ip address.

In Firewall: NAT: 1:1 i have the rule :

Interface External IP Internal IP Description 
WAN  192.168.0.10/32  10.1.0.1/32  www

And in port forwad :
If Proto Ext. port range NAT IP Int. port
WAN    TCP    80  (HTTP)    10.1.0.1      80 (HTTP)
                                        (ext.: 192.168.0.5)

But when i want to connect to 192.168.0.10 it's down.

GruensFroeschli

You dont use 1:1 NAT and normal forwardings.
One or the other.

In your forwarding rule you have as ext: 192.168.0.5.
Are you sure that your WAN interface is 192.168.0.10 and not 192.168.0.5?
Also if you want to forward port 80 of your WAN, make sure that you change the webgui to something else.

jahonix

If WAN is on a private subnet (like 192.168. is) you have to disable 'block private subnets' as well.
What's in front of your WAN anyway?

jordan49

this work perfectly thank a lot of !