Re: [pfSense Support] DMZ to LAN access

2009-01-11 Thread Peter Todorov
When I try to install 1.2.2 I get ,,hptrr: no controller detected". I checked in
the pfSense forum and found that I am not alone, but I can't find a solution to
the problem yet.
Any idea how to bypass this?

On Sun, Jan 11, 2009 at 12:20 AM, Peter Todorov  wrote:

> OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I
> guess I will try tomorrow with a fresh install of 1.2.2 and load the backup files
> from 1.2.
> PS - it is a very old computer, a Pentium I (with a ,,turbo" button)
>
> On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov  wrote:
>
>> Curtis, I am not so sure that I will understand raw logs, but if you tell
>> me I will pastebin every log. I just do not know where to look.
>> Chris, I see that my installation is very outdated. I have version 1.2 and
>> now I will try to update it via SSH and then I will see.
>>
>> On Fri, Jan 9, 2009 at 6:33 PM, RB  wrote:
>>
>>> On Fri, Jan 9, 2009 at 08:31, Chris Buechler  wrote:
>>> > You rarely want to NAT between internal interfaces.
>>>
>>> Ditto.  The only "internal" NAT I have is when traversing from a
>>> trusted VLAN to an untrusted one (open wireless) to mask the systems.
>>> If your routing (primarily on the clients) is configured properly, the
>>> only thing you should have to do to enable DMZ->LAN is set an 'allow'
>>> rule for the specific traffic.
>>>
>>> -
>>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
>>> For additional commands, e-mail: support-h...@pfsense.com
>>>
>>> Commercial support available - https://portal.pfsense.org
>>>
>>>
>>
>>
>> --
>> honesty is not a vice
>>
>
>
>
> --
> honesty is not a vice
>



-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-10 Thread Peter Todorov
OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I
guess I will try tomorrow with a fresh install of 1.2.2 and load the backup files
from 1.2.
PS - it is a very old computer, a Pentium I (with a ,,turbo" button)

On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov  wrote:

> Curtis, I am not so sure that I will understand raw logs, but if you tell me
> I will pastebin every log. I just do not know where to look.
> Chris, I see that my installation is very outdated. I have version 1.2 and
> now I will try to update it via SSH and then I will see.
>
> On Fri, Jan 9, 2009 at 6:33 PM, RB  wrote:
>
>> On Fri, Jan 9, 2009 at 08:31, Chris Buechler  wrote:
>> > You rarely want to NAT between internal interfaces.
>>
>> Ditto.  The only "internal" NAT I have is when traversing from a
>> trusted VLAN to an untrusted one (open wireless) to mask the systems.
>> If your routing (primarily on the clients) is configured properly, the
>> only thing you should have to do to enable DMZ->LAN is set an 'allow'
>> rule for the specific traffic.
>>
>>
>>
>
>
> --
> honesty is not a vice
>



-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-10 Thread Peter Todorov
Curtis, I am not so sure that I will understand raw logs, but if you tell me
I will pastebin every log. I just do not know where to look.
Chris, I see that my installation is very outdated. I have version 1.2 and now
I will try to update it via SSH and then I will see.

On Fri, Jan 9, 2009 at 6:33 PM, RB  wrote:

> On Fri, Jan 9, 2009 at 08:31, Chris Buechler  wrote:
> > You rarely want to NAT between internal interfaces.
>
> Ditto.  The only "internal" NAT I have is when traversing from a
> trusted VLAN to an untrusted one (open wireless) to mask the systems.
> If your routing (primarily on the clients) is configured properly, the
> only thing you should have to do to enable DMZ->LAN is set an 'allow'
> rule for the specific traffic.
>
>
>


-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread RB
On Fri, Jan 9, 2009 at 08:31, Chris Buechler  wrote:
> You rarely want to NAT between internal interfaces.

Ditto.  The only "internal" NAT I have is when traversing from a
trusted VLAN to an untrusted one (open wireless) to mask the systems.
If your routing (primarily on the clients) is configured properly, the
only thing you should have to do to enable DMZ->LAN is set an 'allow'
rule for the specific traffic.




Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Chris Buechler
On Fri, Jan 9, 2009 at 3:15 AM, Peter Todorov  wrote:
> Curtis, I am not so familiar with the pfsense architecture to do SSH login and
> manually rewrite conf files. I have NAT, yes, it is AON because I have a dual
> WAN configuration.

That's not necessary. There is very old, outdated documentation
somewhere apparently that tells people to do that since it comes up
repeatedly. Could you point me to where you got that info?  I would
like to remove incorrect information. It'll work, but it's unnecessary
and a step that's frequently not configured properly.


>  I have only NAT between external and internal interfaces.
> I added some rules to both interfaces at the top just for test that have * *
> * * * * and * * * * * * . Still I got no ping from DMZ to LAN.
> Chris, do I need to enable NAT between DMZ and LAN?
>

You rarely want to NAT between internal interfaces.  You shouldn't
need AON at all unless you need static port.




Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Curtis LaMasters
No manual configuration is needed; actually, I would not recommend that at
all.  I was referring to using the SSH console to review your raw logs for
quicker diagnosis, if it indeed was a firewall rule issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Fri, Jan 9, 2009 at 2:15 AM, Peter Todorov  wrote:

> Curtis, I am not so familiar with the pfsense architecture to do SSH login and
> manually rewrite conf files. I have NAT, yes, it is AON because I have a dual
> WAN configuration. I have only NAT between external and internal interfaces.
> I added some rules to both interfaces at the top just for test that have * *
> * * * * and * * * * * * . Still I got no ping from DMZ to LAN.
> Chris, do I need to enable NAT between DMZ and LAN?
> Thanks, Peter
>
>
> On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler  wrote:
>
>> 2009/1/8 Curtis LaMasters :
>> > Sounds like a NAT issue.  Manually configure your outbound NAT or tell it
>> > not to NAT.
>>
>> Not necessary. Traffic between internal interfaces isn't NATed unless
>> you enable AON and configure it to do so.
>>
>> The firewall rules on the DMZ interface don't allow pings most likely.
>>
>>
>>
>
>
> --
> honesty is not a vice
>


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Peter Todorov
I added a NAT rule and I got a connection.

On Fri, Jan 9, 2009 at 11:41 AM, Peter Todorov  wrote:

> Maybe I need to update to 1.2.1
>
>
> On Fri, Jan 9, 2009 at 11:32 AM, Eugen Leitl  wrote:
>
>> On Fri, Jan 09, 2009 at 11:14:50AM +0200, Peter Todorov wrote:
>> >
>> >Yes, they are now in second place (DMZ interface) ICMP DMZnet * * * *
>> >and ICMP LANnet * * * *. There are rules also on second place (LAN
>> >interface) ICMP DMZnet * * * * and ICMP LANnet * * * * .
>> >No ping from DMZ to LAN.
>>
>> Strange, I can ping my setup fine. No dual WAN, though.
>>
>> >
>> >On Fri, Jan 9, 2009 at 10:59 AM, Eugen Leitl <eu...@leitl.org> wrote:
>> >
>> >On Fri, Jan 09, 2009 at 10:15:26AM +0200, Peter Todorov wrote:
>> >>
>> >>Curtis, I am not so familiar with the pfsense architecture to do SSH
>> >>login and manually rewrite conf files. I have NAT, yes, it is AON
>> >>because I have a dual WAN configuration. I have only NAT between
>> >>external and internal interfaces. I added some rules to both
>> >>interfaces at the top just for test that have * * * * * * and
>> >>* * * * * * . Still I got no ping from DMZ to LAN.
>> >>Chris, do I need to enable NAT between DMZ and LAN?
>> >
>> >  There's a rule allowing ICMP between DMZ and LAN, yes?
>> >  >Thanks, Peter
>> >  >
>> >  >On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler <...@pfsense.org> wrote:
>> >  >
>> >  >  2009/1/8 Curtis LaMasters <curtislamast...@gmail.com>:
>> >  >>> Sounds like a NAT issue.  Manually configure your outbound NAT or
>> >  >>> tell it not to NAT.
>> >  >>
>> >  >>  Not necessary. Traffic between internal interfaces isn't NATed
>> >  >>  unless you enable AON and configure it to do so.
>> >  >>  The firewall rules on the DMZ interface don't allow pings most
>> >  >>  likely.
>> >  >
>> >  >--
>> >  >honesty is not a vice
>> >  --
>> >  Eugen* Leitl leitl http://leitl.org
>> >  __
>> >  ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> >  8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>> >
>> >--
>> >honesty is not a vice
>> --
>> Eugen* Leitl leitl http://leitl.org
>> __
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
>>
>
>
>
> --
> honesty is not a vice
>



-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Peter Todorov
Curtis, I am not so familiar with the pfsense architecture to do SSH login and
manually rewrite conf files. I have NAT, yes, it is AON because I have a dual
WAN configuration. I have only NAT between external and internal interfaces.
I added some rules to both interfaces at the top just for test that have * *
* * * * and * * * * * * . Still I got no ping from DMZ to LAN.
Chris, do I need to enable NAT between DMZ and LAN?
Thanks, Peter

On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler  wrote:

> 2009/1/8 Curtis LaMasters :
> > Sounds like a NAT issue.  Manually configure your outbound NAT or tell it
> > not to NAT.
>
> Not necessary. Traffic between internal interfaces isn't NATed unless
> you enable AON and configure it to do so.
>
> The firewall rules on the DMZ interface don't allow pings most likely.
>
>
>


-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Chris Buechler
2009/1/8 Curtis LaMasters :
> Sounds like a NAT issue.  Manually configure your outbound NAT or tell it not
> to NAT.

Not necessary. Traffic between internal interfaces isn't NATed unless
you enable AON and configure it to do so.

The firewall rules on the DMZ interface don't allow pings most likely.




Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Curtis LaMasters
Sounds like a NAT issue.  Manually configure your outbound NAT or tell it not
to NAT.  Also, you should be able to SSH to the box and look over your logs
for denied access if it is a rule issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


2009/1/8 Peter Todorov 

> I have got ping from LAN to DMZ .. I do not have ping from DMZ to LAN.
> Is there some restriction that I have missed?
>
> On Thu, Jan 8, 2009 at 12:28 PM, Aarno Aukia  wrote:
>
>> If you would like to send ping-replies from LAN to DMZ you might have to
>> add a "* * * 192.168.4.x * *" to LAN...
>>
>> -Aarno
>>
>> 2009/1/8 Peter Todorov 
>>
>>> I added * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
>>> to the top, but there is not even a ping from DMZ to 192.168.2.x. I get
>>> ping to the LAN interface (192.168.2.1) from DMZ but not to any of the
>>> computers attached to that interface.
>>>
>>> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>>>
 Peter Todorov wrote:

> Hello,
> I have a LAN that has 192.168.2.0/24 and a DMZ
> (second LAN) with 192.168.4.0/24
> How can I access LAN from DMZ?
> pfsense 1.2 - dual WAN configuration.
> Thank you in advance for answers.
>
> --
> honesty is not a vice
>
>
 Typically this is inadvisable from a security standpoint.  However, in
 order to allow it, create firewall rules on your DMZ interface with the
 destination IP of the machine(s) you want to send to.





>>>
>>>
>>> --
>>> honesty is not a vice
>>>
>>
>>
>>
>> --
>> Aarno Aukia
>> 0764000464
>>
>
>
>
> --
> honesty is not a vice
>


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Peter Todorov
I have got ping from LAN to DMZ .. I do not have ping from DMZ to LAN.
Is there some restriction that I have missed?

On Thu, Jan 8, 2009 at 12:28 PM, Aarno Aukia  wrote:

> If you would like to send ping-replies from LAN to DMZ you might have to
> add a "* * * 192.168.4.x * *" to LAN...
>
> -Aarno
>
> 2009/1/8 Peter Todorov 
>
>> I added * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
>> to the top, but there is not even a ping from DMZ to 192.168.2.x. I get
>> ping to the LAN interface (192.168.2.1) from DMZ but not to any of the
>> computers attached to that interface.
>>
>> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>>
>>> Peter Todorov wrote:
>>>
 Hello,
 I have a LAN that has 192.168.2.0/24 and a DMZ
 (second LAN) with 192.168.4.0/24
 How can I access LAN from DMZ?
 pfsense 1.2 - dual WAN configuration.
 Thank you in advance for answers.

 --
 honesty is not a vice


>>> Typically this is inadvisable from a security standpoint.  However, in
>>> order to allow it, create firewall rules on your DMZ interface with the
>>> destination IP of the machine(s) you want to send to.
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> honesty is not a vice
>>
>
>
>
> --
> Aarno Aukia
> 0764000464
>



-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Aarno Aukia
If you would like to send ping-replies from LAN to DMZ you might have to add
a "* * * 192.168.4.x * *" to LAN...

-Aarno

2009/1/8 Peter Todorov 

> I added * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
> to the top, but there is not even a ping from DMZ to 192.168.2.x. I get
> ping to the LAN interface (192.168.2.1) from DMZ but not to any of the
> computers attached to that interface.
>
> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>
>> Peter Todorov wrote:
>>
>>> Hello,
>>> I have a LAN that has 192.168.2.0/24 and a DMZ
>>> (second LAN) with 192.168.4.0/24
>>> How can I access LAN from DMZ?
>>> pfsense 1.2 - dual WAN configuration.
>>> Thank you in advance for answers.
>>>
>>> --
>>> honesty is not a vice
>>>
>>>
>> Typically this is inadvisable from a security standpoint.  However, in
>> order to allow it, create firewall rules on your DMZ interface with the
>> destination IP of the machine(s) you want to send to.
>>
>>
>>
>>
>>
>
>
> --
> honesty is not a vice
>



-- 
Aarno Aukia
0764000464


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Peter Todorov
I added * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules to
the top, but there is not even a ping from DMZ to 192.168.2.x. I get
ping to the LAN interface (192.168.2.1) from DMZ but not to any of the computers
attached to that interface.

On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster wrote:

> Peter Todorov wrote:
>
>> Hello,
>> I have a LAN that has 192.168.2.0/24 and a DMZ
>> (second LAN) with 192.168.4.0/24
>> How can I access LAN from DMZ?
>> pfsense 1.2 - dual WAN configuration.
>> Thank you in advance for answers.
>>
>> --
>> honesty is not a vice
>>
>>
> Typically this is inadvisable from a security standpoint.  However, in
> order to allow it, create firewall rules on your DMZ interface with the
> destination IP of the machine(s) you want to send to.
>
>
>
>
>


-- 
honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-07 Thread Gary Buckmaster

Peter Todorov wrote:

Hello,
I have a LAN that has 192.168.2.0/24 and a DMZ
(second LAN) with 192.168.4.0/24

How can I access LAN from DMZ?
pfsense 1.2 - dual WAN configuration.
Thank you in advance for answers.

--
honesty is not a vice
 
Typically this is inadvisable from a security standpoint.  However, in 
order to allow it, create firewall rules on your DMZ interface with the 
destination IP of the machine(s) you want to send to. 








[pfSense Support] DMZ to LAN access

2009-01-07 Thread Peter Todorov
Hello,
I have a LAN that has 192.168.2.0/24 and a DMZ (second LAN) with
192.168.4.0/24.
How can I access LAN from DMZ?
pfsense 1.2 - dual WAN configuration.
Thank you in advance for answers.

-- 
honesty is not a vice


Re: [pfSense Support] DMZ lan ping

2008-10-09 Thread Curtis LaMasters
Can you ping by IP?  If pfSense is blocking this you'll see it in the raw
logs.  SSH to the firewall and select option 10.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Thu, Oct 9, 2008 at 3:04 AM, Peter Todorov <[EMAIL PROTECTED]> wrote:

> 192.168.0.1 LAN
>--  --merlin
> | pfsense|
>-- ---taira
> 192.168.3.5 DMZ
>
>
>
>
>
>
> On Thu, Oct 9, 2008 at 10:49 AM, Tonix (Antonio Nati) <[EMAIL PROTECTED]> wrote:
>
>>  This is a dns resolution error.
>> Where is "merlin" resolved?
>>
>> Tonino
>>
>> Peter Todorov wrote:
>>
>> I still cannot ping the LAN. I get:
>>
>> su-2.05b# ping merlin
>> ping: cannot resolve merlin: Unknown host
>>
>> On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>>
>>> 2008/10/8 Paul Mansfield <[EMAIL PROTECTED]>:
>>> >
>>> > icmp echo request on DMZ interface,
>>>
>>>  yes (in a firewall rule)
>>>
>>> > as well as a route to LAN on DMZ
>>>
>>>  which should be handled by the systems' default routes, assuming
>>> that's pfSense.
>>>
>>>
>>> > machines, and advanced NAT so that LAN isn't natted to DMZ
>>> >
>>>
>>>  No, only traffic leaving WAN interfaces gets NATed, not between
>>> internal interfaces.
>>>
>>>
>>>
>>
>>
>> --
>> honesty is not a vice
>>
>>
>>
>> --
>> 
>> [EMAIL PROTECTED]Interazioni di Antonio Nati
>>http://www.interazioni.it  [EMAIL PROTECTED]
>> 
>>
>>
>
>
> --
> honesty is not a vice
>


Re: [pfSense Support] DMZ lan ping

2008-10-09 Thread Peter Todorov
192.168.0.1 LAN
   --  --merlin
| pfsense|
   -- ---taira
192.168.3.5 DMZ






On Thu, Oct 9, 2008 at 10:49 AM, Tonix (Antonio Nati) <[EMAIL PROTECTED]> wrote:

>  This is a dns resolution error.
> Where is "merlin" resolved?
>
> Tonino
>
> Peter Todorov wrote:
>
> I still cannot ping the LAN. I get:
>
> su-2.05b# ping merlin
> ping: cannot resolve merlin: Unknown host
>
> On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:
>
>> 2008/10/8 Paul Mansfield <[EMAIL PROTECTED]>:
>> >
>> > icmp echo request on DMZ interface,
>>
>>  yes (in a firewall rule)
>>
>> > as well as a route to LAN on DMZ
>>
>>  which should be handled by the systems' default routes, assuming
>> that's pfSense.
>>
>>
>> > machines, and advanced NAT so that LAN isn't natted to DMZ
>> >
>>
>>  No, only traffic leaving WAN interfaces gets NATed, not between
>> internal interfaces.
>>
>>
>>
>
>
> --
> honesty is not a vice
>
>
>
> --
> 
> [EMAIL PROTECTED]Interazioni di Antonio Nati
>http://www.interazioni.it  [EMAIL PROTECTED]
> 
>
>


-- 
honesty is not a vice


Re: [pfSense Support] DMZ lan ping

2008-10-09 Thread Tonix (Antonio Nati)

This is a dns resolution error.
Where is "merlin" resolved?

Tonino

Peter Todorov wrote:

I still cannot ping the LAN. I get:

su-2.05b# ping merlin
ping: cannot resolve merlin: Unknown host

On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:


2008/10/8 Paul Mansfield <[EMAIL PROTECTED]>:
>
> icmp echo request on DMZ interface,

yes (in a firewall rule)

> as well as a route to LAN on DMZ

which should be handled by the systems' default routes, assuming
that's pfSense.


> machines, and advanced NAT so that LAN isn't natted to DMZ
>

No, only traffic leaving WAN interfaces gets NATed, not between
internal interfaces.






--
honesty is not a vice



--

   [EMAIL PROTECTED]Interazioni di Antonio Nati 
  http://www.interazioni.it  [EMAIL PROTECTED]   





Re: [pfSense Support] DMZ lan ping

2008-10-09 Thread Peter Todorov
I still cannot ping the LAN. I get:

su-2.05b# ping merlin
ping: cannot resolve merlin: Unknown host

On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler <[EMAIL PROTECTED]> wrote:

> 2008/10/8 Paul Mansfield <[EMAIL PROTECTED]>:
> >
> > icmp echo request on DMZ interface,
>
> yes (in a firewall rule)
>
> > as well as a route to LAN on DMZ
>
> which should be handled by the systems' default routes, assuming
> that's pfSense.
>
>
> > machines, and advanced NAT so that LAN isn't natted to DMZ
> >
>
> No, only traffic leaving WAN interfaces gets NATed, not between
> internal interfaces.
>
>
>


-- 
honesty is not a vice


Re: [pfSense Support] DMZ lan ping

2008-10-08 Thread Chris Buechler
2008/10/8 Paul Mansfield <[EMAIL PROTECTED]>:
>
> icmp echo request on DMZ interface,

yes (in a firewall rule)

> as well as a route to LAN on DMZ

which should be handled by the systems' default routes, assuming
that's pfSense.


> machines, and advanced NAT so that LAN isn't natted to DMZ
>

No, only traffic leaving WAN interfaces gets NATed, not between
internal interfaces.




Re: [pfSense Support] DMZ lan ping

2008-10-08 Thread Curtis LaMasters
On the DMZ interface..

Permit | ICMP | Type Echo | [DMZ Subnet or IP] | [LAN Subnet or IP]

or if you want to be lazy and less secure

Permit | ICMP | any | any

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
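
The two rule shapes Curtis gives here, together with the points made in the DMZ-to-LAN thread above (pfSense evaluates rules on the interface where traffic enters, the first match wins, and replies are matched by state rather than by a rule on the LAN side, so nothing is NATed between internal interfaces), can be walked through with a small model. The following is an added Python example, not code from pfSense or from anyone on the list. It models per-ingress-interface first-match evaluation with a state table; the 192.168.2.0/24 LAN and 192.168.4.0/24 DMZ prefixes are the ones from the thread, while the host addresses, the 192.168.2.20 target host and the 203.0.113.9 "outside" address are constructed for illustration.

```python
"""Toy model of pfSense (pf) rule evaluation: rules apply on the interface a packet
enters, the first matching rule wins (pfSense marks every rule "quick"), and a
passed flow creates state, so replies need no rule on the return interface.
Added example for the thread above, not code from pfSense or from any poster.
LAN 192.168.2.0/24 and DMZ 192.168.4.0/24 are the thread's prefixes; the host
addresses and the 203.0.113.9 "outside" address are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN_NET = ip_network("192.168.2.0/24")
DMZ_NET = ip_network("192.168.4.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str                       # interface the packet enters the firewall on
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    icmp_type: Optional[str] = None  # "echoreq" / "echorep" for ICMP
    sport: Optional[int] = None      # TCP ports
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                        # "pass" or "block"
    proto: Optional[str] = None        # None = any protocol
    src: Optional[IPv4Network] = None  # None = any source
    dst: Optional[IPv4Network] = None  # None = any destination
    icmp_type: Optional[str] = None    # None = any ICMP type

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or ip_address(pkt.src) in self.src)
                and (self.dst is None or ip_address(pkt.dst) in self.dst)
                and (self.icmp_type is None or self.icmp_type == pkt.icmp_type))

def flow_key(pkt: Packet, reverse: bool = False) -> tuple:
    """Flow identity (echo request and echo reply share one flow). With
    reverse=True, the key of the forward flow this packet would be a reply to."""
    src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
    if pkt.proto == "icmp":
        tag = "echo" if pkt.icmp_type in ("echoreq", "echorep") else pkt.icmp_type
        return ("icmp", src, dst, tag)
    sport, dport = (pkt.dport, pkt.sport) if reverse else (pkt.sport, pkt.dport)
    return (pkt.proto, src, dst, sport, dport)

class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.states = set()

    def filter(self, pkt: Packet) -> str:
        # 1. The state table is consulted before the ruleset.
        if flow_key(pkt) in self.states or flow_key(pkt, reverse=True) in self.states:
            return "pass (state)"
        # 2. First matching rule on the ingress interface decides.
        for rule in self.rules:
            if rule.iface == pkt.iface and rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(flow_key(pkt))
                return rule.action
        # 3. Nothing matched: pfSense's implicit default is to block.
        return "block (default)"

# pfSense ships a "default allow LAN to any" rule; OPT/DMZ interfaces start with none.
LAN_DEFAULT = [Rule("lan", "pass")]
# Curtis's scoped rule: ICMP echo requests, DMZ subnet -> LAN subnet only.
SCOPED = [Rule("dmz", "pass", proto="icmp", src=DMZ_NET, dst=LAN_NET, icmp_type="echoreq")]
# Gary's variant: only towards the one LAN host that must be reachable (constructed host).
HOST_SCOPED = [Rule("dmz", "pass", proto="icmp", src=DMZ_NET,
                    dst=ip_network("192.168.2.20/32"), icmp_type="echoreq")]
# The "lazy and less secure" rule: any ICMP type, any source, any destination.
LAZY = [Rule("dmz", "pass", proto="icmp")]

def ping_dmz_to_lan(dmz_rules: List[Rule], lan_host: str = "192.168.2.20"):
    """Echo request DMZ -> LAN entering on DMZ, then its reply entering on LAN."""
    fw = Firewall(dmz_rules + LAN_DEFAULT)
    verdict = fw.filter(Packet("dmz", "icmp", "192.168.4.10", lan_host, icmp_type="echoreq"))
    if not verdict.startswith("pass"):
        return verdict, "no reply (request never reached the LAN host)"
    return verdict, fw.filter(Packet("lan", "icmp", lan_host, "192.168.4.10", icmp_type="echorep"))

def ping_dmz_to_outside(dmz_rules: List[Rule]) -> str:
    """Echo request from a DMZ host towards the constructed outside address."""
    return Firewall(dmz_rules + LAN_DEFAULT).filter(
        Packet("dmz", "icmp", "192.168.4.10", "203.0.113.9", icmp_type="echoreq"))

def smb_dmz_to_lan(dmz_rules: List[Rule]) -> str:
    """A TCP/445 connection attempt DMZ -> LAN: allowing ping must not open this."""
    return Firewall(dmz_rules + LAN_DEFAULT).filter(
        Packet("dmz", "tcp", "192.168.4.10", "192.168.2.20", sport=51000, dport=445))

if __name__ == "__main__":
    for name, rules in (("scoped", SCOPED), ("host-scoped", HOST_SCOPED), ("lazy", LAZY)):
        print(name, ping_dmz_to_lan(rules), ping_dmz_to_outside(rules), smb_dmz_to_lan(rules))
```

With an empty DMZ ruleset the echo request is dropped by the default block, which is the symptom reported in the thread. Both the scoped rule and the any/any ICMP rule let the DMZ-to-LAN echo through and accept the reply from the state table, so no extra rule on LAN is needed; the difference is that the any/any rule also lets a DMZ host send any ICMP type anywhere, including out past the firewall, which is what "less secure" buys you. Neither rule passes a TCP connection attempt from the DMZ into the LAN.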


Re: [pfSense Support] DMZ lan ping

2008-10-08 Thread Paul Mansfield
Peter Todorov wrote:
> What rule must I add to ping LAN from DMZ?
> 
> -- 
> honesty is not a vice

icmp echo request on DMZ interface, as well as a route to LAN on DMZ
machines, and advanced NAT so that LAN isn't natted to DMZ

?




[pfSense Support] DMZ lan ping

2008-10-08 Thread Peter Todorov
What rule must I add to ping LAN from DMZ?

-- 
honesty is not a vice


Re: [pfSense Support] DMZ and outside access question.

2008-09-21 Thread Joe Laffey

On Sun, 21 Sep 2008, JarekVB wrote:


I have one more question.

When I un-check Disable NAT Reflection I'm not able to VNC to my web
server (192.168.2.2 from 192.168.1.2) and even trying to go through WAN
it will still not connect.

Also trying to VNC from another network it sometimes connects and
sometimes does not.



I set my machines to use the pfsense DNS cache as their DNS. Then I set up
entries for the machines on the DMZ. So when I resolve my webserver from
within my network the DNS server hands back 192.168.x.x, but when resolved
from the outside world it gets the WAN IP. This lets me just use DNS names
all the time and it just works.


FTP can cause issues, though.

--
Joe Laffey|   Visual Effects for Film and Video
LAFFEY Computer Imaging   | -
St. Louis, MO |   Show Reel http://LAFFEY.tv/?e11846
USA   | -
. |-*- Digital Fusion Plugins -*-
--
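
Joe's split-DNS arrangement, as an added Python example (not his configuration and not pfSense code): one zone answered from two views, chosen by the querying client's source address, so internal clients are sent straight to the DMZ host's private address and never hit the firewall's WAN address from the inside, which is the hairpin that NAT reflection would otherwise have to handle. The 192.168.1.x LAN, the 192.168.2.x DMZ and the 192.168.2.2 web server are the addresses from this thread; the hostnames, the LAN-only record and the WAN address 198.51.100.7 are constructed placeholders.

```python
"""Split-horizon DNS: one zone, two views. Internal clients learn the private
address of a DMZ host and reach it through the firewall's internal interfaces;
everyone else learns the WAN address. Because an internal client is never told
to connect to its own firewall's WAN address, NAT reflection is not involved.

Added example for Joe's message above; not his configuration or pfSense code.
192.168.1.0/24 (LAN), 192.168.2.0/24 (DMZ) and 192.168.2.2 (web server) are
from the thread; hostnames and the WAN address 198.51.100.7 are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional

INTERNAL_NETS = (ip_network("192.168.1.0/24"), ip_network("192.168.2.0/24"))
WAN_IP = "198.51.100.7"  # constructed placeholder for the firewall's WAN address

# name -> answer per view. A record with no "external" entry is never handed
# to outside clients, so internal-only hosts are not disclosed.
ZONE: Dict[str, Dict[str, str]] = {
    "www.example.test.":      {"internal": "192.168.2.2", "external": WAN_IP},
    "intranet.example.test.": {"internal": "192.168.1.10"},
}

def select_view(client_ip: str) -> str:
    """Classify the querying client by its source address."""
    addr = ip_address(client_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"

def resolve(qname: str, client_ip: str) -> Optional[str]:
    """Answer an A query in the view the client belongs to; None means no answer."""
    name = qname.lower().rstrip(".") + "."   # normalise to a fully qualified name
    records = ZONE.get(name)
    if not records:
        return None
    return records.get(select_view(client_ip))

def needs_nat_reflection(client_ip: str, answer: Optional[str]) -> bool:
    """True when an internal client has been told to connect to the WAN address:
    that hairpin only works if the firewall rewrites it (NAT reflection)."""
    return answer == WAN_IP and select_view(client_ip) == "internal"

if __name__ == "__main__":
    for client in ("192.168.1.2", "192.168.2.50", "203.0.113.5"):
        answer = resolve("www.example.test", client)
        print(client, "->", answer, "| needs NAT reflection:", needs_nat_reflection(client, answer))
```

The same query from the LAN client 192.168.1.2 and from a DMZ host returns 192.168.2.2, while an outside client gets the WAN address; a client handed the WAN address from inside would depend on reflection, which is the case the split zone avoids.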




Re: [pfSense Support] DMZ and outside access question.

2008-09-21 Thread JarekVB
I have one more question.

When I un-check Disable NAT Reflection I'm not able to VNC to my web
server (192.168.2.2 from 192.168.1.2) and even trying to go through WAN
it will still not connect.

Also trying to VNC from another network it sometimes connects and
sometimes does not.

The web server is an Ubuntu 8.04 box.

Thanks



On Fri, 2008-09-19 at 18:34 -0500, JarekVB wrote:
> That did the trick...
> 
> Thank you.
> 
> On Fri, 2008-09-19 at 13:25 +0100, Paul Mansfield wrote:
> > JarekVB wrote:
> > > Hello 
> > > 
> > > I was just wondering if there was a way to do this.
> > > I have DMZ computer setup with ip 192.168.2.1.
> > > On there I have WWW server (ip. 192.168.2.2).
> > > My normal LAN is setup with ip. 192.168.1.x.
> > > 
> > > What I want to do is be able to access my WWW server from my LAN using
> > > the WAN IP.
> > > 
> > > Is there a rule that I can setup that it will allow me to do that.
> > 
> > 
> > nat reflection?
> > 
> > 
> 
> 
> 





Re: [pfSense Support] DMZ and outside access question.

2008-09-19 Thread JarekVB
That did the trick...

Thank you.

On Fri, 2008-09-19 at 13:25 +0100, Paul Mansfield wrote:
> JarekVB wrote:
> > Hello 
> > 
> > I was just wondering if there was a way to do this.
> > I have DMZ computer setup with ip 192.168.2.1.
> > On there I have WWW server (ip. 192.168.2.2).
> > My normal LAN is setup with ip. 192.168.1.x.
> > 
> > What I want to do is be able to access my WWW server from my LAN using
> > the WAN IP.
> > 
> > Is there a rule that I can setup that it will allow me to do that.
> 
> 
> nat reflection?
> 
> 





Re: [pfSense Support] DMZ and outside access question.

2008-09-19 Thread Paul Mansfield
JarekVB wrote:
> Hello 
> 
> I was just wondering if there was a way to do this.
> I have DMZ computer setup with ip 192.168.2.1.
> On there I have WWW server (ip. 192.168.2.2).
> My normal LAN is setup with ip. 192.168.1.x.
> 
> What I want to do is be able to access my WWW server from my LAN using
> the WAN IP.
> 
> Is there a rule that I can setup that it will allow me to do that.


nat reflection?




[pfSense Support] DMZ and outside access question.

2008-09-19 Thread JarekVB
Hello 

I was just wondering if there was a way to do this.
I have a DMZ computer set up with IP 192.168.2.1.
On there I have a WWW server (IP 192.168.2.2).
My normal LAN is set up with IP 192.168.1.x.

What I want to do is be able to access my WWW server from my LAN using
the WAN IP.

Is there a rule that I can set up that will allow me to do that?

Thanks
--Jarek






Re: [pfSense Support] DMZ firewall rule

2008-08-22 Thread Curtis LaMasters
Lucky guess.  I'm not sure what the solution is.  Can you paste your
firewall rules with regard to this situation?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Fri, Aug 22, 2008 at 1:48 PM, Phillip Gonzalez <[EMAIL PROTECTED]> wrote:

> Curious as to what your hunch was about the high ports (5 thru 65535)
> as the 50K range are the ones that are getting blocked.
>
>
> Thanks,
>
> -phil
>
>
>
>
> > NAT issue?  That setup is a little out of the norm as you have pointed
> out
> > but it should still work.  An IP is an IP, a port is a port and a
> > protocol
> > is a protocol.  Doesn't get much simpler.  Does it happen to block just
> > high
> > ports (i.e. 5 thru 65535?) or is it random?
> >
> > Curtis LaMasters
> > http://www.curtis-lamasters.com
> > http://www.builtnetworks.com
> >
> >
> > On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez <[EMAIL PROTECTED]> wrote:
> >
> >> weird problem i'm trying to figure out. i have pfsense 1.2 running and
> >> configured with 3 interfaces and a vpn tunnel. i'm trying to allow a
> >> public ip address access into my dmz.
> >>
> >> i have a rule setup to allow the public ip(static) using udp to the dmz
> >> subnet which is 10.0.0.0/24. the rule is configured to allow all UDP
> >> traffic sourced from any port access to my 10.0.0.0/24 destined for any
> >> port, from the defined static ip.
> >>
> >> the rule is configured on the WAN interface and is placed above the
> >> default drop all traffic rule.
> >>
> >>
> >> my problem is that sometimes the traffic passes as expected and other
> >> times it's blocked (as verified by my firewall logs) by the default drop
> >> all rule.
> >>
> >> i'm trying to allow access from one static ip address (my voip provider)
> >> into my dmz where my phone box sits. when it works my phone rings when
> >> the
> >> traffic is blocked obviously it doesn't ring.
> >>
> >> also, i have several other rules configured across the multiple
> >> interfaces and they are all working as expected. furthermore, i would
> >> say
> >> that this current voice over ip rule that i'm having problems with works
> >> 85% of the time.
> >>
> >>
> >> ps; it would be nice if my voip provider (lingo) wouldn't span
> >> thousands
> >> of ports, which is why i'm allowing SRC port any --> DST port any from
> >> this static ip. calling their tech support doesn't help either they
> >> don't
> >> even know what ports i'm suppose to let through.
> >>
> >> any ideas?
> >>
> >> thanks,
> >>
> >> -phil
> >>
> >> -
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >>
> >>
> >
>
>
>
>


Re: [pfSense Support] DMZ firewall rule

2008-08-22 Thread Phillip Gonzalez
Curious as to what your hunch was about the high ports (5 thru 65535)
as the 50K range are the ones that are getting blocked.


Thanks,

-phil




> NAT issue?  That setup is a little out of the norm as you have pointed out
> but it should still work.  An IP is an IP, a port is a port and a
> protocol is a protocol.  Doesn't get much simpler.  Does it happen to
> block just high ports (i.e. 5 thru 65535?) or is it random?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
>
> On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez <[EMAIL PROTECTED]> wrote:
>
>> Weird problem I'm trying to figure out. I have pfSense 1.2 running and
>> configured with 3 interfaces and a VPN tunnel. I'm trying to allow a
>> public IP address access into my DMZ.
>>
>> I have a rule set up to allow the public IP (static) using UDP to the DMZ
>> subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP
>> traffic sourced from any port access to my 10.0.0.0/24 destined for any
>> port, from the defined static IP.
>>
>> The rule is configured on the WAN interface and is placed above the
>> default drop all traffic rule.
>>
>>
>> My problem is that sometimes the traffic passes as expected and other
>> times it's blocked (as verified by my firewall logs) by the default drop
>> all rule.
>>
>> I'm trying to allow access from one static IP address (my VoIP provider)
>> into my DMZ where my phone box sits. When it works my phone rings; when
>> the traffic is blocked obviously it doesn't ring.
>>
>> Also, I have several other rules configured across the multiple
>> interfaces and they are all working as expected. Furthermore, I would say
>> that this current voice over IP rule that I'm having problems with works
>> 85% of the time.
>>
>>
>> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands
>> of ports, which is why I'm allowing SRC port any --> DST port any from
>> this static IP. Calling their tech support doesn't help either; they
>> don't even know what ports I'm supposed to let through.
>>
>> Any ideas?
>>
>> Thanks,
>>
>> -phil
>>
>>
>>
>





Re: [pfSense Support] DMZ firewall rule

2008-08-21 Thread Phillip Gonzalez
Yes, it's always high ports.

thanks,

-phil



> NAT issue?  That setup is a little out of the norm as you have pointed out
> but it should still work.  An IP is an IP, a port is a port and a
> protocol is a protocol.  Doesn't get much simpler.  Does it happen to
> block just high ports (i.e. 5 thru 65535?) or is it random?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
>
> On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez <[EMAIL PROTECTED]> wrote:
>
>> Weird problem I'm trying to figure out. I have pfSense 1.2 running and
>> configured with 3 interfaces and a VPN tunnel. I'm trying to allow a
>> public IP address access into my DMZ.
>>
>> I have a rule set up to allow the public IP (static) using UDP to the DMZ
>> subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP
>> traffic sourced from any port access to my 10.0.0.0/24 destined for any
>> port, from the defined static IP.
>>
>> The rule is configured on the WAN interface and is placed above the
>> default drop all traffic rule.
>>
>>
>> My problem is that sometimes the traffic passes as expected and other
>> times it's blocked (as verified by my firewall logs) by the default drop
>> all rule.
>>
>> I'm trying to allow access from one static IP address (my VoIP provider)
>> into my DMZ where my phone box sits. When it works my phone rings; when
>> the traffic is blocked obviously it doesn't ring.
>>
>> Also, I have several other rules configured across the multiple
>> interfaces and they are all working as expected. Furthermore, I would say
>> that this current voice over IP rule that I'm having problems with works
>> 85% of the time.
>>
>>
>> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands
>> of ports, which is why I'm allowing SRC port any --> DST port any from
>> this static IP. Calling their tech support doesn't help either; they
>> don't even know what ports I'm supposed to let through.
>>
>> Any ideas?
>>
>> Thanks,
>>
>> -phil
>>
>>
>>
>







Re: [pfSense Support] DMZ firewall rule

2008-08-21 Thread Curtis LaMasters
NAT issue?  That setup is a little out of the norm as you have pointed out
but it should still work.  An IP is an IP, a port is a port and a protocol
is a protocol.  Doesn't get much simpler.  Does it happen to block just high
ports (i.e. 5 thru 65535?) or is it random?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez <[EMAIL PROTECTED]> wrote:

> Weird problem I'm trying to figure out. I have pfSense 1.2 running and
> configured with 3 interfaces and a VPN tunnel. I'm trying to allow a
> public IP address access into my DMZ.
>
> I have a rule set up to allow the public IP (static) using UDP to the DMZ
> subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP
> traffic sourced from any port access to my 10.0.0.0/24 destined for any
> port, from the defined static IP.
>
> The rule is configured on the WAN interface and is placed above the
> default drop all traffic rule.
>
>
> My problem is that sometimes the traffic passes as expected and other
> times it's blocked (as verified by my firewall logs) by the default drop
> all rule.
>
> I'm trying to allow access from one static IP address (my VoIP provider)
> into my DMZ where my phone box sits. When it works my phone rings; when
> the traffic is blocked obviously it doesn't ring.
>
> Also, I have several other rules configured across the multiple
> interfaces and they are all working as expected. Furthermore, I would say
> that this current voice over IP rule that I'm having problems with works
> 85% of the time.
>
>
> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands
> of ports, which is why I'm allowing SRC port any --> DST port any from
> this static IP. Calling their tech support doesn't help either; they
> don't even know what ports I'm supposed to let through.
>
> Any ideas?
>
> Thanks,
>
> -phil
>
>
>


[pfSense Support] DMZ firewall rule

2008-08-21 Thread Phillip Gonzalez
Weird problem I'm trying to figure out. I have pfSense 1.2 running and
configured with 3 interfaces and a VPN tunnel. I'm trying to allow a
public IP address access into my DMZ.

I have a rule set up to allow the public IP (static) using UDP to the DMZ
subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP
traffic sourced from any port access to my 10.0.0.0/24 destined for any
port, from the defined static IP.

The rule is configured on the WAN interface and is placed above the
default drop all traffic rule.


My problem is that sometimes the traffic passes as expected and other
times it's blocked (as verified by my firewall logs) by the default drop
all rule.

I'm trying to allow access from one static IP address (my VoIP provider)
into my DMZ where my phone box sits. When it works my phone rings; when
the traffic is blocked obviously it doesn't ring.

Also, I have several other rules configured across the multiple
interfaces and they are all working as expected. Furthermore, I would say
that this current voice over IP rule that I'm having problems with works
85% of the time.


PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands
of ports, which is why I'm allowing SRC port any --> DST port any from
this static IP. Calling their tech support doesn't help either; they
don't even know what ports I'm supposed to let through.

Any ideas?

Thanks,

-phil

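Curtis's question in this thread, whether only high ports are blocked or the drops are random, is best answered from the firewall log rather than from memory of when the phone rang. The script below is an added example, not code from the thread or from pfSense: it parses a constructed, simplified log format (not pfSense's real log syntax) and summarises the pass/block decisions for one source address, reporting the destination ports that were dropped and which rule dropped them. The provider address 198.51.100.7, the second source 203.0.113.9, the phone box 10.0.0.5, the rule names and every log line are constructed for the illustration.

```python
"""Summarise pass/block decisions for one source address from firewall logs.

Added example; the log format and every sample line are constructed for
this illustration and are not pfSense's own log syntax.
"""
import re
from collections import Counter

# Constructed format:
#   <Mon> <day> <hh:mm:ss> <pass|block> in on <iface>: <proto> <src>:<sport> -> <dst>:<dport> rule=<name>
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) (?P<action>pass|block) in on (?P<iface>\w+): "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"rule=(?P<rule>\S+)$"
)

# Constructed sample: 198.51.100.7 plays the VoIP provider, 10.0.0.5 the phone
# box; the last line is a non-filter syslog message that must be skipped.
SAMPLE_LOG = """\
Aug 21 09:50:01 pass in on wan0: udp 198.51.100.7:5060 -> 10.0.0.5:5060 rule=allow-voip
Aug 21 09:50:02 pass in on wan0: udp 198.51.100.7:16384 -> 10.0.0.5:16384 rule=allow-voip
Aug 21 09:50:03 block in on wan0: udp 198.51.100.7:16386 -> 10.0.0.5:50402 rule=default-deny
Aug 21 09:50:04 pass in on wan0: udp 198.51.100.7:16388 -> 10.0.0.5:16388 rule=allow-voip
Aug 21 09:51:10 block in on wan0: tcp 203.0.113.9:44321 -> 10.0.0.5:23 rule=default-deny
Aug 21 09:52:15 pass in on wan0: udp 198.51.100.7:5060 -> 10.0.0.5:5060 rule=allow-voip
Aug 21 09:52:16 block in on wan0: udp 198.51.100.7:16390 -> 10.0.0.5:61000 rule=default-deny
Aug 21 09:52:17 pass in on wan0: udp 198.51.100.7:16392 -> 10.0.0.5:16392 rule=allow-voip
Aug 21 09:53:00 pfsense syslogd: restart
"""


def parse(text):
    """Return one dict per filter event; lines that are not filter events are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def summarize(text, src_ip, high_port_floor=50000):
    """Pass/block statistics for traffic from src_ip.

    all_blocks_high is True when every blocked packet from this source was
    aimed at a destination port at or above high_port_floor (the "50K range"
    question); blocking_rules shows which rule took the hit.
    """
    events = [e for e in parse(text) if e["src"] == src_ip]
    blocked = [e for e in events if e["action"] == "block"]
    passed = [e for e in events if e["action"] == "pass"]
    blocked_dports = sorted(e["dport"] for e in blocked)
    return {
        "total": len(events),
        "passed": len(passed),
        "blocked": len(blocked),
        "blocked_dports": blocked_dports,
        "all_blocks_high": bool(blocked) and all(p >= high_port_floor for p in blocked_dports),
        "blocking_rules": dict(Counter(e["rule"] for e in blocked)),
        "pass_rate": round(len(passed) / len(events), 2) if events else None,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, "198.51.100.7").items():
        print(f"{key}: {value}")
```

On the constructed sample the provider's traffic passes 5 times out of 7, and both drops hit ports above 50000 and come from the default-deny rule, which is the pattern Phillip describes. Against a real export the same summary tells you whether the pass rule or the rule order is at fault before you touch the configuration.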



RE: [pfSense Support] DMZ

2008-03-04 Thread Tim Dickson
They are all the firewall itself, yes.

But they are all different interfaces - keep that in mind when you get to
your rules.

pfSense processes rules as they enter the interface, so once you are "in"
you can go anywhere.

-Tim


From: Anil Garg [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 04, 2008 4:37 PM
To: support@pfsense.com
Subject: [pfSense Support] DMZ

 

Progressing to DMZ with pfSense.

Say we have a WAN with 203.xxx.xxx.201 (IP provided by the ISP)
Gateway is 203.xxx.xxx.001
DNS1 is 203.xxx.xxx.002
DNS2 is 203.xxx.xxx.003


LAN is 192.168.1.1/24  with NO DHCP
Not bridged to any interface

One server is configured as 192.168.1.10/32
Gateway 192.168.1.1
DNS 192.168.1.1

DMZ is 192.168.100.1/24  with NO DHCP
Not bridged to any interface

One DMZ server is configured as 192.168.100.10/32
Gateway 192.168.100.1  ===>>  Is this correct?
DNS 192.168.100.1  ===>>  Is this correct?

Am I right in assuming that after the firewall rules are applied

203.xxx.xxx.201   and
192.168.1.1  and
192.168.100.1
are all the same address of the firewall itself?

Sorry if this is a stupid question.

Best
Anil Garg
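
Tim's point that pfSense evaluates rules on the interface where the traffic enters, and that a passed connection's replies are admitted by state rather than by a rule on the other interface, is the part that most often trips people up when opening DMZ-to-LAN access. The following is an added example, not code from the thread or from pfSense: a toy Python model of per-interface, first-match, stateful filtering. The LAN and DMZ subnets are the ones in Anil Garg's post; the rule sets, the WAN source address 203.0.113.5 and the port numbers are constructed for the illustration.

```python
"""Toy model of pfSense-style filtering: rules live on the interface a packet
ENTERS on, the first matching rule wins, no match means that interface's
default deny, and a passed packet creates state that admits the reply.

Added example; subnets are from Anil Garg's post, everything else is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    proto: str = "any"                       # "tcp", "udp" or "any"
    src: str = "any"                         # CIDR or "any"
    dst: str = "any"                         # CIDR or "any"
    dport: Optional[Tuple[int, int]] = None  # inclusive range, None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


class Firewall:
    def __init__(self, interfaces):
        # interface name -> directly attached subnet; a source that is on no
        # internal subnet is treated as arriving on WAN.
        self.nets = {name: ip_network(net) for name, net in interfaces.items()}
        self.rules = {name: [] for name in list(interfaces) + ["WAN"]}
        self.states = set()   # 5-tuples of flows that a pass rule admitted

    def ingress(self, pkt: Packet) -> str:
        for name, net in self.nets.items():
            if ip_address(pkt.src) in net:
                return name
        return "WAN"

    def add_rule(self, iface: str, rule: Rule) -> None:
        self.rules[iface].append(rule)

    def filter(self, pkt: Packet):
        """Return (verdict, reason); state is checked before any rule."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reverse in self.states:
            return "pass", "existing state"
        iface = self.ingress(pkt)
        for n, rule in enumerate(self.rules[iface], 1):   # first match wins
            if rule.matches(pkt):
                if rule.action == "pass":
                    self.states.add(key)
                return rule.action, f"{iface} rule {n}"
        return "block", f"{iface} default deny"


def demo():
    fw = Firewall({"LAN": "192.168.1.0/24", "DMZ": "192.168.100.0/24"})
    # LAN users may reach the DMZ web server on 80; nothing else is on LAN.
    fw.add_rule("LAN", Rule("pass", "tcp", "192.168.1.0/24", "192.168.100.10/32", (80, 80)))
    results = {}
    dmz_to_lan = Packet("tcp", "192.168.100.10", 40000, "192.168.1.10", 3306)
    results["dmz_to_lan_before"] = fw.filter(dmz_to_lan)   # no DMZ rule -> DMZ default deny
    fw.add_rule("DMZ", Rule("pass", "tcp", "192.168.100.0/24", "192.168.1.10/32", (3306, 3306)))
    results["dmz_to_lan_after"] = fw.filter(dmz_to_lan)    # DMZ rule 1 passes it
    reply = Packet("tcp", "192.168.1.10", 3306, "192.168.100.10", 40000)
    results["lan_reply"] = fw.filter(reply)                 # admitted by state, no LAN rule needed
    wan = Packet("udp", "203.0.113.5", 5060, "192.168.100.10", 5060)
    results["wan_to_dmz"] = fw.filter(wan)                  # nothing opened on WAN
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

demo() shows the DMZ-to-LAN packet dropped by the DMZ default deny until a pass rule exists on the DMZ interface (the LAN rule is never consulted for it), and the LAN host's reply passing on state alone. Real pf has more to it (last-match without quick, state options, NAT before filtering), but the interface-of-entry principle Tim describes is the same.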



[pfSense Support] DMZ

2008-03-04 Thread Anil Garg
Progressing to DMZ with pfSense.

Say we have a WAN with 203.xxx.xxx.201 (IP provided by the ISP)
Gateway is 203.xxx.xxx.001
DNS1 is 203.xxx.xxx.002
DNS2 is 203.xxx.xxx.003


LAN is 192.168.1.1/24  with NO DHCP
Not bridged to any interface

One server is configured as 192.168.1.10/32
Gateway 192.168.1.1
DNS 192.168.1.1

DMZ is 192.168.100.1/24  with NO DHCP
Not bridged to any interface

One DMZ server is configured as 192.168.100.10/32
Gateway 192.168.100.1  ===>>  Is this correct?
DNS 192.168.100.1  ===>>  Is this correct?

Am I right in assuming that after the firewall rules are applied

203.xxx.xxx.201   and
192.168.1.1  and
192.168.100.1
are all the same address of the firewall itself?

Sorry if this is a stupid question.

Best
Anil Garg



Re: [pfSense Support] DMZ (public IP) problem

2007-08-29 Thread Android Andrew[:]

Chris Buechler wrote:
> On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
>
> Does your ISP actually route those public IP's to your WAN IP? If not,
> you'll need proxy ARP or CARP IP's for those addresses. Though when
> using the IP's directly on the systems, you really need your ISP to
> route the subnet to your WAN IP to avoid having to do that.

Thank you Chris!
Yes, the ISP routes these IP's to my WAN interface (if I set a Virtual IP on
WAN, I can ping it from outside). I tried to enable proxy ARP, but it
had no effect.





Re: [pfSense Support] DMZ (public IP) problem

2007-08-28 Thread Bill Marquette
Or bridge DMZ to WAN.

--Bill

On 8/28/07, Chris Buechler <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
> > Hello!
> > My situation:
> > I have a router with several interfaces. There are two LANs with
> > private IPs and two DMZs with public IPs in my network. A public IP is
> > assigned to the router's WAN interface.
> >
> > To disable address translation for the DMZ I've checked the "Enable
> > advanced outbound NAT" box in the "Outbound NAT" menu, and I entered
> > my own NAT mappings for the LANs.
> > I've entered simple firewall rules for all interfaces (permit any
> > protocol from any to any).
> > Everything works fine for the LANs with private IPs (DHCP, DNS,
> > traffic shaping). But hosts on public IPs in the DMZ are not
> > accessible from outside (and can't connect to anywhere outside).
> > I can ping DMZ IPs from the router, I can ping the WAN IP from the
> > DMZ, I can ping any outside IP from the WAN interface, but I can't
> > ping anything outside from the DMZ (or from the DMZ interface of the
> > router)...
> >
>
> Does your ISP actually route those public IP's to your WAN IP? If not,
> you'll need proxy ARP or CARP IP's for those addresses. Though when
> using the IP's directly on the systems, you really need your ISP to
> route the subnet to your WAN IP to avoid having to do that.
>
>
>
>
>




Re: [pfSense Support] DMZ (public IP) problem

2007-08-28 Thread Chris Buechler
On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
> Hello!
> My situation:
> I have a router with several interfaces. There are two LANs with
> private IPs and two DMZs with public IPs in my network. A public IP is
> assigned to the router's WAN interface.
>
> To disable address translation for the DMZ I've checked the "Enable
> advanced outbound NAT" box in the "Outbound NAT" menu, and I entered
> my own NAT mappings for the LANs.
> I've entered simple firewall rules for all interfaces (permit any
> protocol from any to any).
> Everything works fine for the LANs with private IPs (DHCP, DNS,
> traffic shaping). But hosts on public IPs in the DMZ are not
> accessible from outside (and can't connect to anywhere outside).
> I can ping DMZ IPs from the router, I can ping the WAN IP from the
> DMZ, I can ping any outside IP from the WAN interface, but I can't
> ping anything outside from the DMZ (or from the DMZ interface of the
> router)...
>

Does your ISP actually route those public IP's to your WAN IP? If not,
you'll need proxy ARP or CARP IP's for those addresses. Though when
using the IP's directly on the systems, you really need your ISP to
route the subnet to your WAN IP to avoid having to do that. 






[pfSense Support] DMZ (public IP) problem

2007-08-28 Thread Android Andrew[:]

Hello!
My situation:
I have a router with several interfaces. There are two LANs with private
IPs and two DMZs with public IPs in my network. A public IP is assigned to
the router's WAN interface.

To disable address translation for the DMZ I've checked the "Enable advanced
outbound NAT" box in the "Outbound NAT" menu, and I entered my own NAT
mappings for the LANs.
I've entered simple firewall rules for all interfaces (permit any
protocol from any to any).
Everything works fine for the LANs with private IPs (DHCP, DNS, traffic
shaping). But hosts on public IPs in the DMZ are not accessible from outside
(and can't connect to anywhere outside).
I can ping DMZ IPs from the router, I can ping the WAN IP from the DMZ, I
can ping any outside IP from the WAN interface, but I can't ping anything
outside from the DMZ (or from the DMZ interface of the router)...

The same situation occurs with the m0n0wall distro.

I'm using pfSense-1.2-RC2-LiveCD, I've read the handbook at
http://doc.m0n0.ch/handbook/nat-outbound.html , I've read forums, I've
googled, but found no tips...


1. Maybe I've missed something else?
2. How can I diagnose this problem? (I can't use the NAT 1:1 solution)

Thanx,
Andrew.





AW: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Heiko Weber
Thank you.
OK, I will try it at the weekend.
I will report the status here.

Cu

Heiko
-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED]
Sent: Monday, 15 August 2005 18:27
Cc: support@pfsense.com
Subject: Re: [pfSense Support] DMZ bridges with WAN

On 8/15/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> Yes, they are.  I couldn't do this with my old firewall either.  It's
> basically a classic DMZ, at least the way I always thought they should
> work.  Took me a bit to figure out what I was doing with this, but my
> bridge method works great.
> 

Very nice!  So the answer is, no, this is not a problem here like it
is with m0n0wall.

Thanks for the info Ted!

-cmb







Re: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Chris Buechler
On 8/15/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> Yes, they are.  I couldn't do this with my old firewall either.  It's
> basically a classic DMZ, at least the way I always thought they should
> work.  Took me a bit to figure out what I was doing with this, but my
> bridge method works great.
> 

Very nice!  So the answer is, no, this is not a problem here like it
is with m0n0wall.

Thanks for the info Ted!

-cmb




RE: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Ted Crow
Yes, they are.  I couldn't do this with my old firewall either.  It's
basically a classic DMZ, at least the way I always thought they should
work.  Took me a bit to figure out what I was doing with this, but my
bridge method works great.

Private   | Public
IP Space  | IP Space
          |
LAN <-----|-X---> WAN
          | |
          | V
          |DMZ
          |

I started out just using 1:1 NAT for my public access hosts, but chose
this route after realizing I would end up with a kludged Citrix
installation.  My poster boy, the Citrix server, currently sits in both
the DMZ and LAN, but only accepts inbound ICA connections via the
DMZ-connected interface, which saves me from having to fiddle with
"alt_addr" and having different firewall settings on my clients
depending on their location.  (I have Citrix users both inside and
outside the protected network, many who can't use VPNs.)

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 15, 2005 11:11 AM
To: Ted Crow
Cc: support@pfsense.com
Subject: Re: [pfSense Support] DMZ bridges with WAN

Cool!  And your LAN hosts are behind NAT?  


On 8/15/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> I currently have my WAN and an OPT interface bridged, rules then
> govern traffic originating from both the LAN and WAN interfaces.
> Servers connected to the OPT interface use addresses from our public
> IP block.
>
> I have had no trouble whatsoever with this config running pfSense
> 65.3->70.4 in a production environment.  In my setup, servers on this
> DMZ can be accessed from both the LAN and WAN.
> 
> Ted Crow
> MCP/W2K
> Information Technology Manager
> Tuttle Services, Inc.
> (419) 228-6262 x 247
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 15, 2005 10:10 AM
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] DMZ bridges with WAN
> 
> On 8/15/05, Heiko Weber <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> > For now I use m0n0wall as a firewall, but I have the problem that I
> > want to use official IP addresses in the DMZ. For that I had to
> > bridge the DMZ with WAN. If I do this there is no traffic possible
> > between LAN and DMZ.
> > My question: does this work with pfSense, or would I have the same
> > problem?
> >
> 
> we don't yet know, as we haven't had a chance to test that yet.  Try 
> it and let us know.
> 
> -cmb
> 
> 
>




Re: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Chris Buechler
Cool!  And your LAN hosts are behind NAT?  


On 8/15/05, Ted Crow <[EMAIL PROTECTED]> wrote:
> I currently have my WAN and an OPT interface bridged, rules then govern
> traffic originating from both the LAN and WAN interfaces.  Servers
> connected to the OPT interface use addresses from our public IP block.
> 
> I have had no trouble whatsoever with this config running pfSense
> 65.3->70.4 in a production environment.  In my setup, servers on this
> DMZ can be accessed from both the LAN and WAN.
> 
> Ted Crow
> MCP/W2K
> Information Technology Manager
> Tuttle Services, Inc.
> (419) 228-6262 x 247
> -Original Message-
> From: Chris Buechler [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 15, 2005 10:10 AM
> Cc: support@pfsense.com
> Subject: Re: [pfSense Support] DMZ bridges with WAN
> 
> On 8/15/05, Heiko Weber <[EMAIL PROTECTED]> wrote:
> > Hi All,
> >
> > For now I use m0n0wall as a firewall, but I have the problem that I
> > want to use official IP addresses in the DMZ. For that I had to
> > bridge the DMZ with WAN. If I do this there is no traffic possible
> > between LAN and DMZ.
> > My question: does this work with pfSense, or would I have the same
> > problem?
> >
> 
> we don't yet know, as we haven't had a chance to test that yet.  Try it
> and let us know.
> 
> -cmb
> 
> 
>




RE: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Ted Crow
I currently have my WAN and an OPT interface bridged, rules then govern
traffic originating from both the LAN and WAN interfaces.  Servers
connected to the OPT interface use addresses from our public IP block.

I have had no trouble whatsoever with this config running pfSense
65.3->70.4 in a production environment.  In my setup, servers on this
DMZ can be accessed from both the LAN and WAN.

Ted Crow
MCP/W2K
Information Technology Manager
Tuttle Services, Inc.
(419) 228-6262 x 247
-Original Message-
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 15, 2005 10:10 AM
Cc: support@pfsense.com
Subject: Re: [pfSense Support] DMZ bridges with WAN

On 8/15/05, Heiko Weber <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> For now I use m0n0wall as a firewall, but I have the problem that I
> want to use official IP addresses in the DMZ. For that I had to bridge
> the DMZ with WAN. If I do this there is no traffic possible between
> LAN and DMZ.
> My question: does this work with pfSense, or would I have the same
> problem?
>

we don't yet know, as we haven't had a chance to test that yet.  Try it
and let us know.

-cmb






Re: [pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Chris Buechler
On 8/15/05, Heiko Weber <[EMAIL PROTECTED]> wrote:
> Hi All,
>
> For now I use m0n0wall as a firewall, but I have the problem that I want
> to use official IP addresses in the DMZ. For that I had to bridge the DMZ
> with WAN. If I do this there is no traffic possible between LAN and DMZ.
> My question: does this work with pfSense, or would I have the same problem?
>

we don't yet know, as we haven't had a chance to test that yet.  Try
it and let us know.

-cmb




[pfSense Support] DMZ bridges with WAN

2005-08-15 Thread Heiko Weber
Hi All,

For now I use m0n0wall as a firewall, but I have the problem that I want
to use official IP addresses in the DMZ. For that I had to bridge the DMZ
with WAN. If I do this there is no traffic possible between LAN and DMZ.
My question: does this work with pfSense, or would I have the same problem?

thanks for help

Heiko

