Netgate Discussion Forum

DMZ host has no Internet connection

Category: Firewalling
10 Posts 4 Posters 1.1k Views
meridio, last edited Oct 14, 2015, 12:43 PM

    Hello,
    I have a pfSense with 3 interfaces (LAN, DMZ and WAN).
    From DMZ hosts I can ping the WanGW address (private IP of the ADSL router) but I can't get out.
    I have modified a lot of firewall rules but without a solution.

    Can anyone suggest what I should modify?

    Thanks

    KOM, last edited Oct 14, 2015, 2:15 PM

      My suggestion is to fix the thing that is wrong.  I can't be more specific since you have provided no details at all about your NIC details and firewall rules.  Maybe this will help:

      https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

      viragomann, last edited Oct 14, 2015, 9:28 PM

        Is the default gateway at the DMZ host set to pfSense's DMZ interface address?

        meridio, last edited Oct 15, 2015, 6:44 AM

          Thank you KOM and viragomann.

          The default GW at the DMZ host is the DMZ interface address.

          I've solved it temporarily using a rule (on the DMZ interface) from the DMZ host to Any without restrictions, and that works.

          But if I put WAN address or WAN net as the destination it doesn't work; this I can't understand why.

          I'd like to open only the Active Directory and LDAP services from DMZ to LAN.

          How can I do that?

          Thanks

          Derelict LAYER 8 Netgate, Oct 15, 2015, 6:57 AM (last edited 7:01 AM)

            Quoting meridio: But if I put WAN address or WAN net as the destination it doesn't work; this I can't understand why.

            Because WAN net is the subnet of your WAN interface, not the internet.

            Because WAN address is the address of your WAN interface, not the internet.

            To forward traffic to the internet, the destination must be any.

            For a DMZ you want to create rules that:

            Specifically pass the LOCAL assets you want the DMZ to access (DNS, AD DC, Email, etc)
            Less-specifically reject the LOCAL traffic you don't want the DMZ to access (such as DMZ to LAN net and DMZ to This firewall (self))
            Pass everything else (the internet, aka any)

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            meridio, last edited Oct 15, 2015, 7:02 AM

              Thank you Derelict,

              Does a way exist to open such ports for certain services on demand?
              For example, an internal domain controller that has to synchronize some data
              with the host in the DMZ, daily.

              Derelict LAYER 8 Netgate, last edited Oct 15, 2015, 7:09 AM

                You can use schedules on rules, but why not just open the ports? Sounds like you're over-thinking it.

                I don't get the "on demand" part.  If the firewall just opens the port when it receives a connection, it's an open port.

                In general LAN has much greater permission to open connections to DMZ. The point is to restrict the connections DMZ can open into LAN to the minimum necessary.


                meridio, last edited Oct 15, 2015, 7:13 AM

                  Not that the firewall should open radically at every request, but
                  at every specific request that I have set.
                  Obviously it wouldn't be a firewall in the radical case.

                  Thank you derelict.

                  Derelict LAYER 8 Netgate, last edited Oct 15, 2015, 7:20 AM

                    Huh?

                    Example: If your DMZ host needs to access an LDAP server in LAN, you pass traffic from DMZ to the LDAP server on tcp/389 and/or tcp/636 + udp on the same if necessary.  Nothing more (the following rule blocks all traffic from DMZ to LAN).


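As an added example, not code from this thread or from pfSense itself, covering both the DMZ rule ordering Derelict lays out above (pass specific LAN assets, reject the rest of LAN and the firewall itself, then pass any) and his LDAP example: a small Python model of how pfSense evaluates the rules on the DMZ interface. pfSense adds every GUI rule with pf's "quick" option, so the first matching rule wins and anything unmatched falls to the default deny. The 192.168.x.0/24 subnets, the firewall addresses and the domain controller at 192.168.1.10 are assumptions for illustration; the thread gives no addresses. It also models the original poster's "WAN net" rule to show why it never matches traffic bound for the internet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed addressing for the example (the thread gives none). The firewall is
# 192.168.1.1 on LAN, 192.168.2.1 on DMZ and 192.168.0.2 on WAN; the ADSL router
# at 192.168.0.1 is the "WanGW" the original poster could ping.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
WAN_NET = ipaddress.ip_network("192.168.0.0/24")
THIS_FIREWALL = frozenset(                      # pfSense's "This firewall (self)"
    ipaddress.ip_address(a) for a in ("192.168.1.1", "192.168.2.1", "192.168.0.2"))
AD_DC = ipaddress.ip_network("192.168.1.10/32")  # assumed LDAP / AD domain controller in LAN
ANY = "any"


@dataclass(frozen=True)
class Rule:
    action: str                                      # "pass" or "reject"
    proto: Optional[str]                             # "tcp", "udp" or None for any protocol
    dst: Union[ipaddress.IPv4Network, frozenset, str]  # network, THIS_FIREWALL or ANY
    ports: Optional[frozenset]                       # destination ports, None = any port
    desc: str


def _dst_matches(rule: Rule, ip: ipaddress.IPv4Address) -> bool:
    if rule.dst == ANY:
        return True
    return ip in rule.dst       # works for both a network and the frozenset of self addresses


def evaluate(rules, proto: str, dst: str, dport: int):
    """First-match evaluation, top to bottom, as pfSense does for GUI rules.
    Returns (action, description); no match means pfSense's implicit default deny."""
    ip = ipaddress.ip_address(dst)
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if not _dst_matches(r, ip):
            continue
        if r.ports is not None and dport not in r.ports:
            continue
        return r.action, r.desc
    return "block", "default deny (no rule matched)"


# The structure Derelict describes, as it would appear on the DMZ tab, top to bottom.
DMZ_RULES = [
    Rule("pass", "tcp", AD_DC, frozenset({389, 636}), "DMZ -> DC: LDAP (389) / LDAPS (636)"),
    Rule("pass", "udp", AD_DC, frozenset({389}), "DMZ -> DC: udp/389, if the app needs it"),
    Rule("pass", "udp", AD_DC, frozenset({53}), "DMZ -> DC: DNS"),
    Rule("reject", None, LAN_NET, None, "DMZ -> LAN net: everything not passed above"),
    Rule("reject", None, THIS_FIREWALL, None, "DMZ -> This firewall (self)"),
    Rule("pass", None, ANY, None, "DMZ -> any: the internet"),
]

# The original poster's attempt: destination "WAN net" instead of "any".
WAN_NET_RULES = [Rule("pass", None, WAN_NET, None, "DMZ -> WAN net (only the WAN subnet)")]

# Constructed flows from a DMZ host, to show which rule each one hits.
FLOWS = [
    ("tcp", "8.8.8.8", 443),         # internet
    ("tcp", "192.168.1.10", 636),    # LDAPS to the DC
    ("tcp", "192.168.1.10", 445),    # SMB to the DC: not on the allow list
    ("tcp", "192.168.1.50", 389),    # LDAP to some other LAN host
    ("tcp", "192.168.2.1", 443),     # the firewall's own web GUI on the DMZ address
    ("icmp", "192.168.0.1", 0),      # ping the ADSL router (the "WanGW")
]

if __name__ == "__main__":
    for name, rules in (("Derelict's layout", DMZ_RULES), ("dst = WAN net", WAN_NET_RULES)):
        print(f"== {name}")
        for proto, dst, dport in FLOWS:
            action, desc = evaluate(rules, proto, dst, dport)
            print(f"  {proto:4} {dst:>14}:{dport:<4} -> {action:6} ({desc})")
```

Two practical notes on top of the model: pfSense's automatic outbound NAT already translates the DMZ subnet, so with a working "any" rule nothing else is needed for internet access; and if the firewall itself is the DMZ's DNS resolver, a specific pass to "DMZ address" on udp/tcp 53 belongs above the "This firewall (self)" reject, otherwise that reject cuts off name resolution.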
                    meridio, last edited Oct 15, 2015, 7:37 AM

                      OK

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.