Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Access DMZ to WAN

    Scheduled Pinned Locked Moved Firewalling
    13 Posts 3 Posters 5.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jordan49
      last edited by

      Hi all,

      I would like to have an access in DMZ to the WAN. My interfaces are :

      LAN : 10.0.0.50/8
        - PC : 10.0.0.10 => Access WAN OK
          Gateway : 10.0.0.50
          Dns Server : 10.0.0.50

      DMZ : 10.0.1.50/8
        - PC : 10.0.1.1 => Access WAN down
          Gateway : 10.0.1.50
          Dns Server = 10.0.0.50

      WAN : 192.168.0.5/24

      I have created a rule like the lan rule for the WAN:

      DMZ rules  :

      *  DMZ net  *  *  *  *        (Access to WAN)

      UDP  DMZ net  *  10.0.0.50  53 (DNS)  *      (Access to DNS server in LAN)

      but the access to WAN since DMZ is always down, i have read the docs monowall but it's the same problem.

      Thanks for your help

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        LAN : 10.0.0.50/8
        DMZ : 10.0.1.50/8

        The same subnet on two interfaces wont work.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • J
          jordan49
          last edited by

          Ok, now the subnet of DMZ is /16 but access to WAN doesn't work…
            -PC :
          Ip adress : 10.0.1.1
          Subnet : 255.255.0.0
          Gateway : 10.0.1.50
          DNS : 10.0.0.50

          Interface DMZ in Pfsense :
          10.0.1.50/16

          1 Reply Last reply Reply Quote 0
          • GruensFroeschliG
            GruensFroeschli
            last edited by

            I suggest you start reading on wikipedia how subnetting works.
            10.0.0.0/16 is still the same subnet as 10.0.1.0/16

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            1 Reply Last reply Reply Quote 0
            • J
              jordan49
              last edited by

              I don't understand because in the monowall documentation http://doc.m0n0.ch/handbook/examples.html#id11622455 Lan ip address is : 192.168.1.1/24 and Dmz ip adress :192.168.2.1/24, the subnet is the same…

              1 Reply Last reply Reply Quote 0
              • GruensFroeschliG
                GruensFroeschli
                last edited by

                192.168.1.1/24 and 192.168.2.1/24 are two different subnets!

                You seem to missinterpretate the "/number"
                192.168.0.0/24 is equal to 192.168.0.0 to 192.168.0.255
                192.168.1.0/24 is equal to 192.168.1.0 to 192.168.1.255

                10.0.0.0/8 is equal to 10.0.0.0 to 10.255.255.255
                10.0.0.0/16 is equal to 10.0.0.0 to 10.0.255.255

                The number in CIDR notation behind the / is how many bits are for the "network" identification.
                The rest of the bits (32 - number behind /) are the bits for the addressing within the subnet.

                So really read a bit on your own how the basics work.
                http://en.wikipedia.org/wiki/Subnetwork
                http://en.wikipedia.org/wiki/CIDR

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                1 Reply Last reply Reply Quote 0
                • J
                  jordan49
                  last edited by

                  Ok, so now my Dmz ip address is : 10.1.0.50/16 (network : 10.1.0.0)
                                      Lan ip address is : 10.0.0.50/8  (network : 10.0.0.0)

                  I don't have an access to WAN…

                  1 Reply Last reply Reply Quote 0
                  • J
                    jordan49
                    last edited by

                    I take the dns adress of my freebox and the wan is now ok since my dmz…

                    Thank you GruensFroeschli

                    1 Reply Last reply Reply Quote 0
                    • GruensFroeschliG
                      GruensFroeschli
                      last edited by

                      Your addresses are still conflicting

                      10.0.0.50/8
                      is 10.0.0.0 up to 10.255.255.255

                      which contains

                      10.1.0.50/16
                      which is 10.1.0.0 to 10.1.255.255

                      Just set your first subnet to /16 too and it should work.
                      –>
                      10.0.0.0/16
                      10.1.0.0/16

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      1 Reply Last reply Reply Quote 0
                      • J
                        jordan49
                        last edited by

                        Ok ty for the tip, i have a new problem ^^, in my dmz i have a apache server on port 80 but is it inacessible from the wan.
                        10.1.0.1 is the server ip address.

                        In Firewall: NAT: 1:1 i have the rule :

                        Interface External IP Internal IP Description 
                        WAN  192.168.0.10/32  10.1.0.1/32  www

                        And in port forwad :
                        If Proto Ext. port range NAT IP Int. port
                        WAN    TCP    80  (HTTP)    10.1.0.1      80 (HTTP)
                                                                (ext.: 192.168.0.5)

                        But when i want to connect to 192.168.0.10 it's down.

                        1 Reply Last reply Reply Quote 0
                        • GruensFroeschliG
                          GruensFroeschli
                          last edited by

                          You dont use 1:1 NAT and normal forwardings.
                          One or the other.

                          In your forwarding rule you have as ext: 192.168.0.5.
                          Are you sure that your WAN interface is 192.168.0.10 and not 192.168.0.5?
                          Also if you want to forward port 80 of your WAN, make sure that you change the webgui to something else.

                          We do what we must, because we can.

                          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                          1 Reply Last reply Reply Quote 0
                          • jahonixJ
                            jahonix
                            last edited by

                            If WAN is on a private subnet (like 192.168. is) you have to disable 'block private subnets' as well.
                            What's in front of your WAN anyway?

                            1 Reply Last reply Reply Quote 0
                            • J
                              jordan49
                              last edited by

                              this work perfectly thank a lot of !

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.