DMZ setup issues

bigraz1968

I would greatly appreciate any help to get my DMZ back configured correctly.  I had everything working until a lightening strike blew up my firewall an I had to rebuild.

I am running 2.2.4 on my Alix with 3 ports. 1 WAN, 1 LAN and 1 DMZ.  All three interfaces are up an configured.

When I plug into the DMZ subnet, I get a IP from the DHCP server configured for the DMZ, however I don't get any internet.

I believe it is a rule I'm missing but I am totally stumped at this point.  I get internet on my LAN interface

Thanks

Randy

Derelict

To get internet duplicate the automatic rule on LAN on the DMZ interface.

But it being a DMZ probably requires extra rules to implement your DMZ policies.  The bare basic rules would probably be something like:

Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: TCP/UDP
Source: DMZ net
Destination: This Firewall (self)
Destination port range: 53
Log: Unchecked
Description: Pass DNS to pfSense

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: LAN net
Log: Unchecked
Description: Block DMZ to LAN

Action: Reject
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Block DMZ to pfSense

Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: any
Source: DMZ net
Destination: any
Log: Unchecked
Description: Pass DMZ to Internet

bigraz1968

Thanks Derelict,

I added those rules exactly as written except the DNS one, I changed to TCP/UDP.  Still no internet on the DMZ interface.

Randy

Derelict

I added those rules exactly as written except the DNS one, I changed to TCP/UDP.  Still no internet on the DMZ interface.

I had TCP/UDP 53 so I'm not sure what you're saying.

How is your outbound NAT configured?

And what do you mean by "no internet?"  What isn't working?  DNS?  What?

You might want to add one like this next to the DNS rule so you can ping the pfSense interfaces from DMZ:

Action: Pass
Disabled: Unchecked
Interface: DMZ
TCP/IP Version: IPv4
Protocol: ICMP
ICMP type: any
Source: DMZ net
Destination: This Firewall (self)
Log: Unchecked
Description: Pass ICMP to pfSense

bigraz1968

My bad.  I mispoke about the DNS rule.  My outbound NAT is empty.  I have DNS configured pointing to Google DNS 8.8.8.8. Internet still doesn't load.

Thanks

Randy

Derelict

"Internet still doesn't load" doesn't tell me anything.

Are you on Automatic Outbound NAT?

Is the DMZ network listed?

Can you ping the pfSense interface (if you added the rule I suggested)?

Can you ping 8.8.8.8?

Can you resolve names?

bigraz1968

"Internet still doesn't load'  I was just saying no pages load ex: Google

Are you on Automatic Outbound NAT? Yes

Is the DMZ network listed?No,  I don't recall seeing it

I didn't try to ping 8.8.8.8 but Iwas unable to ping the DMZ gateway

Can you resolve names? That I didn't try.

I am at work but I will be back to it Tonight.

Thanks

Randy

Derelict

@bigraz1968:

"Internet still doesn't load'  I was just saying no pages load ex: Google

Are you on Automatic Outbound NAT? Yes

Is the DMZ network listed?No,  I don't recall seeing it

It needs to be there.

I didn't try to ping 8.8.8.8 but Iwas unable to ping the DMZ gateway

Did you add that ICMP rule I suggested?

bigraz1968

I added the Outboud NAT but internet still not loading on the DMZ side.  I also added an attachment

Thanks

Derelict

You can't add an outbound NAT in Automatic mode so I have no idea what you're actually doing.

bigraz1968

Me neither.  How do I do it correctly.

Thanks

Derelict

Screenshots:

Status > Interfaces for LAN and DMZ

Firewall > Rules for LAN and DMZ

Firewall > NAT Outbound Tab (Just humor me and do it again.  Thanks.)

bigraz1968

Sure.  No problem.  I changed to Manual and all these NAt appeared.

Derelict

@bigraz1968:

Sure.  No problem.  I changed to Manual and all these NAt appeared.

Ok.  Just leave it alone and stop clicking things.

bigraz1968

ok.  Leaving it alone.  Do you still want the screenprints?

Derelict

Of course.

bigraz1968

Screen prints

bigraz1968

More prints

bigraz1968

Last print

Derelict

Your DMZ rules are all out-of-whack but nothing that should stop it from working out to the internet.

Pick a host on DMZ.  Can it ping 192.168.2.1?

If so, can it ping 8.8.8.8?

What is the IP address, netmask, and default gateway of that host?

bigraz1968

Yes it can ping 192.168.2.1 and 8.8.8.8

IP 192.168.2.11
SM 255.255.255.0
GW 192.168.2.1

Derelict

So what's not working?

bigraz1968

Internet pages don't load.  Almost like it is not reaching DNS.  I get page not found

Derelict

What happens on the DMZ host when you ping www.google.com?

What name servers are you giving out to the hosts on DMZ?

Did you muck around with the DNS Resolver?  is it enabled?

bigraz1968

When I try a ping to www.google.com, I get unknown host.  I am giving 8.8.8.8  Didn't touch DNS Resolver.

bigraz1968

Yes The DNS resolver is enabled

Derelict

Your DNS isn't working.  Fix that and you'll be good.

dig or drill are your friends.

bigraz1968

I understand that but the only DNS configured is 8.8.8.8.  It works from the LAN side

Derelict

Don't know what to tell you.  Your rules on DMZ are wrong, but it just makes it not a DMZ.  It won't break DNS resolution to google.

Not sure why you're not pointing your DMZ clients at pfSense's DNS resolver instead.

dig @192.168.2.1 www.google.com

dig @8.8.8.8 www.google.com

bigraz1968

I got it working.  No I will go in and correct the rules.

Thanks for your help

Randy

KOM

Could you specify what you did to fix it so that it may help others down the road?

bigraz1968

Basically I did everything Derelict suggested and it still didn't work.  It was an DNS issue.  I tried a different computer an it worked.  Same settings .  That was it.