DMZ host has not Internet connection

meridio · Oct 14, 2015, 12:43 PM

Hello,
I have a pf sense with 3 interfaces (LAN,DMZ and WAN).
From DMZ hosts I can ping the WanGW address (private IP of ADSL router) but I can't go out.
I have modified a lot of rules of Firewall but without solution.

Anyone can suggest me where modify?

Thanks

KOM · Oct 14, 2015, 2:15 PM

My suggestion is to fix the thing that is wrong. I can't be more specific since you have provided no details at all about your NIC details and firewall rules. Maybe this will help:

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

viragomann · Oct 14, 2015, 9:28 PM

Is the default gateway at the DMZ host set to pfSenses DMZ interface address?

meridio · Oct 15, 2015, 6:44 AM

Thank you KOM and viragomann.

The default GW at DMZ host is the DMZ address interface.

I've solved temporarily using a rule (in DMZ interface) from dmz host to All without restrictions and so work on.

But if I put as a destination WAN address or WAN net doesn't work, this I can't understand why.

I'd like to open only to Active Directory and LDAP services from DMZ to LAN.

How Can I do?

thanks

Derelict · Oct 15, 2015, 7:01 AM

But if I put as a destination WAN address or WAN net doesn't work, this I can't understand why.

Because WAN net is the subnet of your WAN interface, not the internet

Because WAN address is the address of your WAN interface, not the internet.

To forward traffic to the internet, the destination must be any.

For a DMZ you want to create rules that:

Specifically pass the LOCAL assets you want the DMZ to access (DNS, AD DC, Email, etc)
Less-specifically reject the LOCAL traffic you don't want the DMZ to access (such as DMZ to LAN net and DMZ to This firewall (self))
Pass everything else (the internet, aka any)

meridio · Oct 15, 2015, 7:02 AM

Thank you Derelict,

Does exist a way to open such port to certain services on demand?
For example, an internal Domain controller that have to syncronize some datas
with the host in DMZ, daily.

Derelict · Oct 15, 2015, 7:09 AM

You can use schedules on rules, but why not just open the ports? Sounds like you're over-thinking it.

I don't get the "on demand" part. If the firewall just opens the port when it receives a connection, it's an open port.

In general LAN has much greater permission to open connections to DMZ. The point is to restrict the connections DMZ can open into LAN to the minimum necessary.

meridio · Oct 15, 2015, 7:13 AM

Not radically at every request the firewall should open but
at every, setted, specifical request I want.
Obviously it shouldn't be a firewall in the radical case.

Thank you derelict.

Derelict · Oct 15, 2015, 7:20 AM

Huh?

Example: If your DMZ host needs to access an LDAP server in LAN, you pass traffic from DMZ to the LDAP server on tcp/389 and/or tcp/636 + udp on the same if necessary. Nothing more (the following rule blocks all traffic from DMZ to LAN).

meridio · Oct 15, 2015, 7:37 AM

OK