Bog standard DMZ setup



  • Hi guys.  I am trying to setup a bog standard DMZ configuration.  My LAN is 192.168.1.1 and I want the DMZ to be 192.168.2.1.  I am running VPN as well.  I have pfsense and ubuntu running on a Xencenter VM.  I want Ubuntu to be the DMZ.  I will attach some screen shots of what I have so far.  From Ubuntu I can ping 192.168.1.1, 192.168.2.1 and 192.168.2.2 but I cannot get to the internet.  I appreciate your help.  I know there are many DMZ posts, but there are so many that I was having trouble figuring out what would be applicable to me.  I am having trouble uploading pictures, which I realize is essential to me getting help.
    ![pfsense nat table.png](/public/imported_attachments/1/pfsense nat table.png)
    ![pfsense nat table.png_thumb](/public/imported_attachments/1/pfsense nat table.png_thumb)
    ![wan rules.png](/public/imported_attachments/1/wan rules.png)
    ![wan rules.png_thumb](/public/imported_attachments/1/wan rules.png_thumb)
    ![pfsense lan rules.png](/public/imported_attachments/1/pfsense lan rules.png)
    ![pfsense lan rules.png_thumb](/public/imported_attachments/1/pfsense lan rules.png_thumb)
    ![pfsense dmz rules.png](/public/imported_attachments/1/pfsense dmz rules.png)
    ![pfsense dmz rules.png_thumb](/public/imported_attachments/1/pfsense dmz rules.png_thumb)



  • I'm assuming your Ubuntu machine is on an OPTx interface which would suggest you need to have an allow rule setup on OPTx interfaces.

    The Lan interface by default will allow all out onto the net.

    From Ubuntu I can ping 192.168.1.1, 192.168.2.1 and 192.168.2.2 but I cannot get to the internet.

    In a more truer sense of a DMZ I would have a rule which blocks your Ubuntu machine and anything else on the OPTx network from contacting your lan network.

    https://en.wikipedia.org/wiki/DMZ_(computing)#Single_firewall



  • I have added a screen shot of the interface rules.  For some reason I had a terrible time uploading this morning.



  • Are you logging your rules, and seeing whats being blocked and allowed in the fw logs?

    The blocked packets should show up in the fw log, but from memory as on different machine in different location to pfsense machines ATM there is also an option in the one of the general/main system settings/config gui pages to log everything which might need ticking as well.



  • What IP space is your OpenVPN using?  In your pfSense LAN & OPT1 details, do you have a gateway defined for either? (hint: you should have a gateway defined for pfSense LAN or OPT1).  What are the interface details for your Ubuntu box's LAN interface?



  • @KOM:

    (hint: you should have a gateway defined for pfSense LAN or OPT1).

    He means SHOULDN'T. I'm sure it's a fatfinger.

    You don't need those rules on the WAN. What you do need are rules on the DMZ, similar to the LAN rules to allow traffic out.



  • He means SHOULDN'T. I'm sure it's a fatfinger.

    JFC, I read that 3 times to make sure I didn't have it reversed…

    What you do need are rules on the DMZ, similar to the LAN rules to allow traffic out.

    I think his goal is to restrict exactly what the DMZ can access externally.  I forget if you also had to allow access to the pfSense DMZ/This Firewall interface or not and I'm not in a position to try it now.



  • Thanks for the reply folks.  Sorry for my delayed response as I have family in town.  @KOM I do not have a gateway defined for either the LAN or the DMZ.  I am not sure what you mean by IP space for the OpenVPN.  I configured OpenVPN exactly as described in the link below.
    https://forum.pfsense.org/index.php?topic=76015.0
    @firewalluser
    The network configuration for the Ubuntu machine is attached.  I had not looked at the firewall log, but my word is it active.  I have attached a copy of the page and I am sure I have something wrong based on this.

    ![ubuntu network connections.png](/public/imported_attachments/1/ubuntu network connections.png)
    ![ubuntu network connections.png_thumb](/public/imported_attachments/1/ubuntu network connections.png_thumb)
    ![firewall log.png](/public/imported_attachments/1/firewall log.png)
    ![firewall log.png_thumb](/public/imported_attachments/1/firewall log.png_thumb)



  • Do you want to expose your DNS queries to an external source, namely 10.200.0.1, plus the DNS server may not know anything about your internal network setup?

    Another way of looking at it, if something happened to your Ubuntu machine, logging its DNS queries could show up potential hacks to the machine.

    When you say in your first post "I want Ubuntu to be the DMZ", what exactly do you mean?

    If you want to expose some services to the net, as it will have a different IP address to the pfsense DMZ interface namely (192.168.2.1), would a port forward to the ubuntu machine namely 192.168.2.2 be more appropriate?



  • @firewalluser asks what exactly do I mean by "I want Ubuntu to be the DMZ".  Perhaps this is a good question to answer since perhaps I am going about things all wrong.  I would like to establish an ownCloud files sharing system on the Ubuntu machine so all my family to share pictures amongst each other.  Hence, with all my reading, I determined that the way to do this was to have the Ubuntu server on its own subnet being accessible from the internet.



  • It doesn't really have to be that way but it is more secure.  You could have it on the existing subnet and just port-forward 80 and 443.  I just went through this myself with my own domain and SSL cert.  I now have an HTTPS owncloud running on a VPS.  But I digress…

    Have you tried nuking all your existing OPT1 rules and replacing them with an Allow All just to see what's going on?  Then you could add a rule that prevents access from OPT1 to LAN.  Get it working loosely and then tighten it up.


  • Netgate

    And make your DNS pass rule TCP/UDP.  DNS can use both.



  • @KOM and @Derelict, great suggestions.  I am working on that now with no luck.  I can get the Ubuntu VM to work from LAN but it seems never from DMZ.  I will keep working on it and hopefully have some more results tomorrow.



  • Might also be worth bearing in mind PF behaviour in freebsd has changed from earlier versions so its worth nuking the states after making changes to the rules, ie you work with the allow anything first principle, and as you add new rules to tighten things up, make sure existing states from old rules dont still exist.



  • I can get the Ubuntu VM to work from LAN but it seems never from DMZ.

    Please post a screencap of your current DMZ rules.  This shouldn't be hard.  An Allow LAN to Any rule just like the one you have on LAN should do it.



  • Thanks for all the suggestions.  I agree that it shouldn't be that hard.  For some reason it was turning into a real ordeal.  I have finally, tonight, had some success.  I can now access the internet from the Ubuntu VM.  I am able to access 192.168.1.1 but cannot access the rest of the 192.168.1.x network, which I suppose is the intent.  For some reason it wouldn't work unless I specified the Gateway to be the WAN.  I have 2 gateway's as one is the VPN.  The LAN is setup to have a default gateway and I think I have rule that forces everything out the VPN unless another rule is in place.  I am not sure why this didn't also apply to the 192.168.2.x network.  So, I tried to force it out on the VPN and the internet does not work then on the Ububtu VM.

    So pardon the new question that I know will give me away as a total NOOB, but…  If I want to set up ownCloud on the Ubuntu server, would it completely defeat the purpose of everything I have gone through to map a FreeNAS drive to the Ubuntu VPN to be used as cloud storage?  Or is simply mapping a folder to be used for the cloud still maintaining a sound firewall setup.  Thanks.

    ![firewall rule dmz.png](/public/imported_attachments/1/firewall rule dmz.png)
    ![firewall rule dmz.png_thumb](/public/imported_attachments/1/firewall rule dmz.png_thumb)



  • I did a little more tinkering and I thought the 2 screenshots below would help to shed some light on what is going on.  The outbound rules for 192.168.2.0 are required or the internet on the VM will not work.  I don't know if the 1:1 rules is required.  I suppose that is why I can access 192.168.1.1 from 192.168.2.1.

    ![firewall nat outbound.png](/public/imported_attachments/1/firewall nat outbound.png)
    ![firewall nat outbound.png_thumb](/public/imported_attachments/1/firewall nat outbound.png_thumb)
    ![firewall nat.png](/public/imported_attachments/1/firewall nat.png)
    ![firewall nat.png_thumb](/public/imported_attachments/1/firewall nat.png_thumb)



  • @theaddies:

    I am able to access 192.168.1.1 but cannot access the rest of the 192.168.1.x network, which I suppose is the intent.

    Usually unless you have changed it, 192.168.1.1 is going to be the lan gui address, if this is the case, do you really want to access the fw from your DMZ? This also ties in with your 1:1 port mapping screenshot.

    On your dashboard what IP's are showing for your Interfaces? Obscure the WAN ip address.



  • LAN up
    manual
    192.168.1.1
    DMZ up
    manual
    192.168.2.1
    PIAVPN up

    I have deleted the 1:1 interface for 192.168.1.1 to 192.168.2.1 but I can still access 192.168.1.1 from the 192.168.2.x subnet.  Why would that be?