Re: [pfSense Support] DMZ to LAN access

2009-01-11 Thread Peter Todorov
I try to install 1.2.2 and get "hptrr: no controller detected". I checked the
pfSense forum and found that I am not alone, but I can't find a solution to
the problem yet.
Any idea how to bypass this?

On Sun, Jan 11, 2009 at 12:20 AM, Peter Todorov pmi...@gmail.com wrote:

 OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I
 guess I will try tomorrow with a fresh install of 1.2.2 and load backup files
 from 1.2.
 PS - it is very old computers, Pentium I (with a "turbo button")

 On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov pmi...@gmail.com wrote:

 Curtis, I am not so sure that I will understand raw logs, but if you tell
 me I will pastebin every log. I just do not know where to look.
 Chris, I see that my installation is very outdated. I have version 1.2 and
 I will now try to update it via SSH and then I will see.

 On Fri, Jan 9, 2009 at 6:33 PM, RB aoz@gmail.com wrote:

 On Fri, Jan 9, 2009 at 08:31, Chris Buechler c...@pfsense.org wrote:
  You rarely want to NAT between internal interfaces.

 Ditto.  The only internal NAT I have is when traversing from a
 trusted VLAN to an untrusted one (open wireless) to mask the systems.
 If your routing (primarily on the clients) is configured properly, the
 only thing you should have to do to enable DMZ-LAN is set an 'allow'
 rule for the specific traffic.

 -
 To unsubscribe, e-mail: support-unsubscr...@pfsense.com
 For additional commands, e-mail: support-h...@pfsense.com

 Commercial support available - https://portal.pfsense.org




-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-10 Thread Peter Todorov
Curtis, I am not so sure that I will understand raw logs, but if you tell me
I will pastebin every log. I just do not know where to look.
Chris, I see that my installation is very outdated. I have version 1.2 and
I will now try to update it via SSH and then I will see.

On Fri, Jan 9, 2009 at 6:33 PM, RB aoz@gmail.com wrote:

 On Fri, Jan 9, 2009 at 08:31, Chris Buechler c...@pfsense.org wrote:
  You rarely want to NAT between internal interfaces.

 Ditto.  The only internal NAT I have is when traversing from a
 trusted VLAN to an untrusted one (open wireless) to mask the systems.
 If your routing (primarily on the clients) is configured properly, the
 only thing you should have to do to enable DMZ-LAN is set an 'allow'
 rule for the specific traffic.





-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-10 Thread Peter Todorov
OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I
guess I will try tomorrow with a fresh install of 1.2.2 and load backup files
from 1.2.
PS - it is very old computers, Pentium I (with a "turbo button")

On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov pmi...@gmail.com wrote:

 Curtis, I am not so sure that I will understand raw logs, but if you tell me
 I will pastebin every log. I just do not know where to look.
 Chris, I see that my installation is very outdated. I have version 1.2 and
 I will now try to update it via SSH and then I will see.

 On Fri, Jan 9, 2009 at 6:33 PM, RB aoz@gmail.com wrote:

 On Fri, Jan 9, 2009 at 08:31, Chris Buechler c...@pfsense.org wrote:
  You rarely want to NAT between internal interfaces.

 Ditto.  The only internal NAT I have is when traversing from a
 trusted VLAN to an untrusted one (open wireless) to mask the systems.
 If your routing (primarily on the clients) is configured properly, the
 only thing you should have to do to enable DMZ-LAN is set an 'allow'
 rule for the specific traffic.





-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Peter Todorov
Curtis, I am not so familiar with pfSense architecture to do SSH login and
manual rewriting of conf files. I have NAT, yes, it is AON because I have dual
WAN configuration. I have only NAT between external and internal interfaces.
I add some rules to both interfaces at the top just for test that have * *
* * * * and * * * * * * . Still I got no ping from DMZ to LAN.
Chris, do I need to enable NAT between DMZ and LAN?
Thanks, Peter

On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler c...@pfsense.org wrote:

 2009/1/8 Curtis LaMasters curtislamast...@gmail.com:
  Sounds like a NAT issue.  Manually configure our outbound NAT or tell it not
  to NAT.

 Not necessary. Traffic between internal interfaces isn't NATed unless
 you enable AON and configure it to do so.

 The firewall rules on the DMZ interface don't allow pings most likely.





-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Peter Todorov
I add NAT rule and I got connection 

On Fri, Jan 9, 2009 at 11:41 AM, Peter Todorov pmi...@gmail.com wrote:

 Maybe I need to update to 1.2.1


 On Fri, Jan 9, 2009 at 11:32 AM, Eugen Leitl eu...@leitl.org wrote:

 On Fri, Jan 09, 2009 at 11:14:50AM +0200, Peter Todorov wrote:

 Yes they are now in second place (DMZ interface) ICMP DMZnet * * * *
 and ICMP LANnet * * * *. There are rules also on second place (LAN
 interface) ICMP DMZnet * * * * and ICMP LANnet * * * * .
 No ping from DMZ to LAN.

 Strange, I can ping my setup fine. No dual WAN, though.

 On Fri, Jan 9, 2009 at 10:59 AM, Eugen Leitl eu...@leitl.org wrote:

 On Fri, Jan 09, 2009 at 10:15:26AM +0200, Peter Todorov wrote:

 Curtis, I am not so familiar with pfSense architecture to do SSH login
 and manual rewriting of conf files. I have NAT, yes, it is AON because I
 have dual WAN configuration. I have only NAT between external and
 internal interfaces. I add some rules to both interfaces at the top
 just for test that have * * * * * * and * * * * * * . Still I got no
 ping from DMZ to LAN.
 Chris, do I need to enable NAT between DMZ and LAN?

 There's a rule allowing ICMP between DMZ and LAN, yes?

 Thanks, Peter

 On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler ...@pfsense.org wrote:

 2009/1/8 Curtis LaMasters curtislamast...@gmail.com:
  Sounds like a NAT issue.  Manually configure our outbound NAT or tell it not
  to NAT.

 Not necessary. Traffic between internal interfaces isn't NATed unless
 you enable AON and configure it to do so.
 The firewall rules on the DMZ interface don't allow pings most likely.




-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Curtis LaMasters
No manual configuration is needed; actually I would not recommend that
at all.  I was referring to using the SSH console to review your raw logs
for quicker diagnosis if it indeed was a firewall rule issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com


On Fri, Jan 9, 2009 at 2:15 AM, Peter Todorov pmi...@gmail.com wrote:

 Curtis, I am not so familiar with pfSense architecture to do SSH login and
 manual rewriting of conf files. I have NAT, yes, it is AON because I have dual
 WAN configuration. I have only NAT between external and internal interfaces.
 I add some rules to both interfaces at the top just for test that have * *
 * * * * and * * * * * * . Still I got no ping from DMZ to LAN.
 Chris, do I need to enable NAT between DMZ and LAN?
 Thanks, Peter


 On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler c...@pfsense.org wrote:

 2009/1/8 Curtis LaMasters curtislamast...@gmail.com:
  Sounds like a NAT issue.  Manually configure our outbound NAT or tell it not
  to NAT.

 Not necessary. Traffic between internal interfaces isn't NATed unless
 you enable AON and configure it to do so.

 The firewall rules on the DMZ interface don't allow pings most likely.




Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread Chris Buechler
On Fri, Jan 9, 2009 at 3:15 AM, Peter Todorov pmi...@gmail.com wrote:
 Curtis, I am not so familiar with pfSense architecture to do SSH login and
 manual rewriting of conf files. I have NAT, yes, it is AON because I have dual
 WAN configuration.

That's not necessary. There is very old, outdated documentation
somewhere apparently that tells people to do that since it comes up
repeatedly. Could you point me to where you got that info?  I would
like to remove incorrect information. It'll work, but it's unnecessary
and a step that's frequently not configured properly.


 I have only NAT between external and internal interfaces.
 I add some rules to both interfaces at the top just for test that have * *
 * * * * and * * * * * * . Still I got no ping from DMZ to LAN.
 Chris, do I need to enable NAT between DMZ and LAN?


You rarely want to NAT between internal interfaces.  You shouldn't
need AON at all unless you need static port.




Re: [pfSense Support] DMZ to LAN access

2009-01-09 Thread RB
On Fri, Jan 9, 2009 at 08:31, Chris Buechler c...@pfsense.org wrote:
 You rarely want to NAT between internal interfaces.

Ditto.  The only internal NAT I have is when traversing from a
trusted VLAN to an untrusted one (open wireless) to mask the systems.
If your routing (primarily on the clients) is configured properly, the
only thing you should have to do to enable DMZ-LAN is set an 'allow'
rule for the specific traffic.




Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Peter Todorov
I add * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules to
the top but there is not even a ping from DMZ to 192.168.2.x. I get
ping to LAN interface (192.168.2.1) from DMZ but not to any of the computers
attached to that interface.

On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster g...@centipedenetworks.com wrote:

 Peter Todorov wrote:

 Hello,
 I have a LAN that has 192.168.2.0/24 and DMZ
 (second LAN) with 192.168.4.0/24
 How can I access LAN from DMZ?
 pfsense 1.2 - dual WAN configuration.
 Thank you in advance for answers.

 Typically this is inadvisable from a security standpoint.  However, in
 order to allow it, create firewall rules on your DMZ interface with the
 destination IP of the machine(s) you want to send to.




-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Aarno Aukia
If you would like to send ping-replies from LAN to DMZ you might have to add
a * * * 192.168.4.x * * to LAN...

-Aarno

2009/1/8 Peter Todorov pmi...@gmail.com

 I add * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
 to the top but there is not even a ping from DMZ to 192.168.2.x. I get
 ping to LAN interface (192.168.2.1) from DMZ but not to any of the computers
 attached to that interface.

 On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster g...@centipedenetworks.com wrote:

 Peter Todorov wrote:

 Hello,
 I have a LAN that has 192.168.2.0/24 and DMZ
 (second LAN) with 192.168.4.0/24
 How can I access LAN from DMZ?
 pfsense 1.2 - dual WAN configuration.
 Thank you in advance for answers.

 Typically this is inadvisable from a security standpoint.  However, in
 order to allow it, create firewall rules on your DMZ interface with the
 destination IP of the machine(s) you want to send to.




-- 
Aarno Aukia
0764000464


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Peter Todorov
I have got ping from LAN to DMZ .. I do not have ping from DMZ to LAN
Is there some restriction that I have missed?

On Thu, Jan 8, 2009 at 12:28 PM, Aarno Aukia m...@arska.ch wrote:

 If you would like to send ping-replies from LAN to DMZ you might have to
 add a * * * 192.168.4.x * * to LAN...

 -Aarno

 2009/1/8 Peter Todorov pmi...@gmail.com

 I add * * * 192.168.2.x * * to DMZ and LAN interfaces. I set these rules
 to the top but there is not even a ping from DMZ to 192.168.2.x. I get
 ping to LAN interface (192.168.2.1) from DMZ but not to any of the computers
 attached to that interface.

 On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster g...@centipedenetworks.com wrote:

 Peter Todorov wrote:

 Hello,
 I have a LAN that has 192.168.2.0/24 and DMZ
 (second LAN) with 192.168.4.0/24
 How can I access LAN from DMZ?
 pfsense 1.2 - dual WAN configuration.
 Thank you in advance for answers.

 Typically this is inadvisable from a security standpoint.  However, in
 order to allow it, create firewall rules on your DMZ interface with the
 destination IP of the machine(s) you want to send to.




-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-08 Thread Chris Buechler
2009/1/8 Curtis LaMasters curtislamast...@gmail.com:
 Sounds like a NAT issue.  Manually configure our outbound NAT or tell it not
 to NAT.

Not necessary. Traffic between internal interfaces isn't NATed unless
you enable AON and configure it to do so.

The firewall rules on the DMZ interface don't allow pings most likely.




[pfSense Support] DMZ to LAN access

2009-01-07 Thread Peter Todorov
Hello,
I have a LAN that has 192.168.2.0/24 and DMZ (second LAN) with
192.168.4.0/24
How can I access LAN from DMZ?
pfsense 1.2 - dual WAN configuration.
Thank you in advance for answers.

-- 
Honesty is not a vice


Re: [pfSense Support] DMZ to LAN access

2009-01-07 Thread Gary Buckmaster

Peter Todorov wrote:

Hello,
I have a LAN that has 192.168.2.0/24 and DMZ
(second LAN) with 192.168.4.0/24

How can I access LAN from DMZ?
pfsense 1.2 - dual WAN configuration.
Thank you in advance for answers.
 
Typically this is inadvisable from a security standpoint.  However, in 
order to allow it, create firewall rules on your DMZ interface with the 
destination IP of the machine(s) you want to send to. 
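
A simplified model of the advice given in this thread (put the allow rule on the DMZ interface and limit it to the destination machines), added here as an example; it is not code from any poster or from pfSense. The first-match, per-ingress-interface evaluation is the model's assumption, and the host addresses 192.168.2.10, 192.168.2.50, 192.168.4.20 and 203.0.113.5 are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model, not pfSense code: each interface tab holds an ordered rule
# list, checked against traffic ENTERING that interface; first match wins and
# unmatched traffic is dropped.
@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "icmp", "tcp", ... or "*"
    src: str           # CIDR or "*"
    dst: str           # CIDR or "*"
    port: str = "*"    # destination port or "*"

def _in_net(addr, net):
    return net == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(ruleset, ingress_if, proto, src, dst, port="*"):
    """Decide a new connection arriving on ingress_if (default deny)."""
    for r in ruleset.get(ingress_if, []):
        if (r.proto in ("*", proto) and r.port in ("*", str(port))
                and _in_net(src, r.src) and _in_net(dst, r.dst)):
            return r.action
    return "block"

LAN_NET, DMZ_NET = "192.168.2.0/24", "192.168.4.0/24"   # subnets from the thread
LAN_HOST = "192.168.2.10/32"                             # constructed LAN server

# The "* * * * * *" test rule from the thread, on the DMZ tab.
WIDE_OPEN = {"DMZ": [Rule("pass", "*", "*", "*")]}
# A DMZ-to-LAN rule placed only on the LAN tab is never consulted for
# traffic that enters on the DMZ interface.
WRONG_TAB = {"LAN": [Rule("pass", "icmp", DMZ_NET, LAN_NET)]}
# Narrowed: ping to one LAN host, rest of LAN blocked, other destinations open.
NARROW = {"DMZ": [
    Rule("pass", "icmp", DMZ_NET, LAN_HOST),
    Rule("block", "*", DMZ_NET, LAN_NET),
    Rule("pass", "*", DMZ_NET, "*"),
]}

def audit(ruleset, src="192.168.4.20"):          # constructed DMZ host
    """Return what a DMZ host can open under the given ruleset."""
    probes = {
        "ping 192.168.2.10": ("icmp", "192.168.2.10", "*"),
        "ssh 192.168.2.10": ("tcp", "192.168.2.10", 22),
        "ping 192.168.2.50": ("icmp", "192.168.2.50", "*"),
        "https 203.0.113.5": ("tcp", "203.0.113.5", 443),
    }
    return {name: evaluate(ruleset, "DMZ", proto, src, dst, port)
            for name, (proto, dst, port) in probes.items()}

if __name__ == "__main__":
    for label, rs in (("wide open", WIDE_OPEN), ("wrong tab", WRONG_TAB),
                      ("narrow", NARROW)):
        print(label, audit(rs))
```

Running `audit` on each ruleset shows how much of the LAN a DMZ host can reach once the any-to-any test rule is replaced by a rule for one protocol and one destination.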

