Re: [pfSense Support] DMZ to LAN access
I tried to install 1.2.2 and got "hptrr: no controller detected". I checked in the pfSense forum and found that I am not alone, but I can't find a solution to the problem yet. Any idea how to bypass this?

On Sun, Jan 11, 2009 at 12:20 AM, Peter Todorov <pmi...@gmail.com> wrote:
> OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I guess I will try tomorrow with a fresh install of 1.2.2 and load the backup files from 1.2.
> PS: it is a very old computer, a Pentium I (with a "turbo" button).
>
> On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov <pmi...@gmail.com> wrote:
>> Curtis, I am not so sure that I will understand raw logs, but if you tell me I will pastebin every log. I just do not know where to look.
>> Chris, I see that my installation is very outdated. I have version 1.2 and now I will try to update it via SSH and then I will see.
>>
>> On Fri, Jan 9, 2009 at 6:33 PM, RB <aoz@gmail.com> wrote:
>>> On Fri, Jan 9, 2009 at 08:31, Chris Buechler <c...@pfsense.org> wrote:
>>>> You rarely want to NAT between internal interfaces.
>>>
>>> Ditto. The only internal NAT I have is when traversing from a trusted VLAN to an untrusted one (open wireless) to mask the systems. If your routing (primarily on the clients) is configured properly, the only thing you should have to do to enable DMZ-LAN is set an 'allow' rule for the specific traffic.
>>>
>>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
>>> For additional commands, e-mail: support-h...@pfsense.com
>>> Commercial support available - https://portal.pfsense.org

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
Curtis, I am not so sure that I will understand raw logs, but if you tell me I will pastebin every log. I just do not know where to look.

Chris, I see that my installation is very outdated. I have version 1.2 and now I will try to update it via SSH and then I will see.

On Fri, Jan 9, 2009 at 6:33 PM, RB <aoz@gmail.com> wrote:
> On Fri, Jan 9, 2009 at 08:31, Chris Buechler <c...@pfsense.org> wrote:
>> You rarely want to NAT between internal interfaces.
>
> Ditto. The only internal NAT I have is when traversing from a trusted VLAN to an untrusted one (open wireless) to mask the systems. If your routing (primarily on the clients) is configured properly, the only thing you should have to do to enable DMZ-LAN is set an 'allow' rule for the specific traffic.

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
OK. I did a console update from 1.2 to 1.2.2 and the system doesn't boot again. I guess I will try tomorrow with a fresh install of 1.2.2 and load the backup files from 1.2.

PS: it is a very old computer, a Pentium I (with a "turbo" button).

On Sat, Jan 10, 2009 at 10:20 PM, Peter Todorov <pmi...@gmail.com> wrote:
> Curtis, I am not so sure that I will understand raw logs, but if you tell me I will pastebin every log. I just do not know where to look.
> Chris, I see that my installation is very outdated. I have version 1.2 and now I will try to update it via SSH and then I will see.
>
> On Fri, Jan 9, 2009 at 6:33 PM, RB <aoz@gmail.com> wrote:
>> On Fri, Jan 9, 2009 at 08:31, Chris Buechler <c...@pfsense.org> wrote:
>>> You rarely want to NAT between internal interfaces.
>>
>> Ditto. The only internal NAT I have is when traversing from a trusted VLAN to an untrusted one (open wireless) to mask the systems. If your routing (primarily on the clients) is configured properly, the only thing you should have to do to enable DMZ-LAN is set an 'allow' rule for the specific traffic.
>
> -- honesty is not a vice

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
Curtis, I am not so familiar with the pfSense architecture to do an SSH login and manually rewrite conf files. I have NAT, yes, it is AON because I have a dual WAN configuration. I have NAT only between external and internal interfaces. I added some rules to both interfaces at the top just for a test, with * * * * * * and * * * * * *. Still I get no ping from DMZ to LAN.

Chris, do I need to enable NAT between DMZ and LAN?

Thanks,
Peter

On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler <c...@pfsense.org> wrote:
> 2009/1/8 Curtis LaMasters <curtislamast...@gmail.com>:
>> Sounds like a NAT issue. Manually configure your outbound NAT or tell it not to NAT.
>
> Not necessary. Traffic between internal interfaces isn't NATed unless you enable AON and configure it to do so. The firewall rules on the DMZ interface don't allow pings most likely.

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
I added a NAT rule and I got a connection.

On Fri, Jan 9, 2009 at 11:41 AM, Peter Todorov <pmi...@gmail.com> wrote:
> Maybe I need to update to 1.2.1.
>
> On Fri, Jan 9, 2009 at 11:32 AM, Eugen Leitl <eu...@leitl.org> wrote:
>> On Fri, Jan 09, 2009 at 11:14:50AM +0200, Peter Todorov wrote:
>>> Yes, they are now in second place (DMZ interface): ICMP DMZnet * * * * and ICMP LANnet * * * *. There are rules also in second place (LAN interface): ICMP DMZnet * * * * and ICMP LANnet * * * *. No ping from DMZ to LAN.
>>
>> Strange, I can ping my setup fine. No dual WAN, though.
>>
>>> On Fri, Jan 9, 2009 at 10:59 AM, Eugen Leitl <eu...@leitl.org> wrote:
>>>> On Fri, Jan 09, 2009 at 10:15:26AM +0200, Peter Todorov wrote:
>>>>> Curtis, I am not so familiar with the pfSense architecture to do an SSH login and manually rewrite conf files. I have NAT, yes, it is AON because I have a dual WAN configuration. I have NAT only between external and internal interfaces. I added some rules to both interfaces at the top just for a test, with * * * * * * and * * * * * *. Still I get no ping from DMZ to LAN.
>>>>> Chris, do I need to enable NAT between DMZ and LAN?
>>>>
>>>> There's a rule allowing ICMP between DMZ and LAN, yes?
>>>>
>>>>> Thanks, Peter
>>>>>
>>>>> On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler <c...@pfsense.org> wrote:
>>>>>> 2009/1/8 Curtis LaMasters <curtislamast...@gmail.com>:
>>>>>>> Sounds like a NAT issue. Manually configure your outbound NAT or tell it not to NAT.
>>>>>>
>>>>>> Not necessary. Traffic between internal interfaces isn't NATed unless you enable AON and configure it to do so. The firewall rules on the DMZ interface don't allow pings most likely.
>>>>>
>>>>> -- honesty is not a vice
>>>>
>>>> --
>>>> Eugen* Leitl leitl http://leitl.org
>>>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>>>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>>>
>>> -- honesty is not a vice
>>
>> --
>> Eugen* Leitl leitl http://leitl.org
>> ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
>> 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
>
> -- honesty is not a vice

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
No manual configuration is needed; actually, I would not recommend that at all. I was referring to using the SSH console to review your raw logs for quicker diagnosis, if it indeed was a firewall rule issue.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Fri, Jan 9, 2009 at 2:15 AM, Peter Todorov <pmi...@gmail.com> wrote:
> Curtis, I am not so familiar with the pfSense architecture to do an SSH login and manually rewrite conf files. I have NAT, yes, it is AON because I have a dual WAN configuration. I have NAT only between external and internal interfaces. I added some rules to both interfaces at the top just for a test, with * * * * * * and * * * * * *. Still I get no ping from DMZ to LAN.
> Chris, do I need to enable NAT between DMZ and LAN?
>
> Thanks, Peter
>
> On Thu, Jan 8, 2009 at 11:36 PM, Chris Buechler <c...@pfsense.org> wrote:
>> 2009/1/8 Curtis LaMasters <curtislamast...@gmail.com>:
>>> Sounds like a NAT issue. Manually configure your outbound NAT or tell it not to NAT.
>>
>> Not necessary. Traffic between internal interfaces isn't NATed unless you enable AON and configure it to do so. The firewall rules on the DMZ interface don't allow pings most likely.
>
> -- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
On Fri, Jan 9, 2009 at 3:15 AM, Peter Todorov <pmi...@gmail.com> wrote:
> Curtis, I am not so familiar with the pfSense architecture to do an SSH login and manually rewrite conf files. I have NAT, yes, it is AON because I have a dual WAN configuration.

That's not necessary. There is very old, outdated documentation somewhere apparently that tells people to do that, since it comes up repeatedly. Could you point me to where you got that info? I would like to remove incorrect information. It'll work, but it's unnecessary and a step that's frequently not configured properly.

> I have NAT only between external and internal interfaces. I added some rules to both interfaces at the top just for a test, with * * * * * * and * * * * * *. Still I get no ping from DMZ to LAN.
> Chris, do I need to enable NAT between DMZ and LAN?

You rarely want to NAT between internal interfaces. You shouldn't need AON at all unless you need static port.
Re: [pfSense Support] DMZ to LAN access
On Fri, Jan 9, 2009 at 08:31, Chris Buechler <c...@pfsense.org> wrote:
> You rarely want to NAT between internal interfaces.

Ditto. The only internal NAT I have is when traversing from a trusted VLAN to an untrusted one (open wireless) to mask the systems. If your routing (primarily on the clients) is configured properly, the only thing you should have to do to enable DMZ-LAN is set an 'allow' rule for the specific traffic.
Re: [pfSense Support] DMZ to LAN access
I added * * * 192.168.2.x * * to the DMZ and LAN interfaces. I set these rules at the top, but there is not even a ping from DMZ to 192.168.2.x. I get a ping to the LAN interface (192.168.2.1) from the DMZ, but not to any of the computers attached to that interface.

On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
> Peter Todorov wrote:
>> Hello, I have a LAN that has 192.168.2.0/24 and a DMZ (second LAN) with 192.168.4.0/24. How can I access LAN from DMZ? pfSense 1.2, dual WAN configuration. Thank you in advance for answers.
>>
>> -- honesty is not a vice
>
> Typically this is inadvisable from a security standpoint. However, in order to allow it, create firewall rules on your DMZ interface with the destination IP of the machine(s) you want to send to.

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
If you would like to send ping replies from LAN to DMZ, you might have to add a * * * 192.168.4.x * * to LAN...

-Aarno

2009/1/8 Peter Todorov <pmi...@gmail.com>:
> I added * * * 192.168.2.x * * to the DMZ and LAN interfaces. I set these rules at the top, but there is not even a ping from DMZ to 192.168.2.x. I get a ping to the LAN interface (192.168.2.1) from the DMZ, but not to any of the computers attached to that interface.
>
> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>> Peter Todorov wrote:
>>> Hello, I have a LAN that has 192.168.2.0/24 and a DMZ (second LAN) with 192.168.4.0/24. How can I access LAN from DMZ? pfSense 1.2, dual WAN configuration. Thank you in advance for answers.
>>>
>>> -- honesty is not a vice
>>
>> Typically this is inadvisable from a security standpoint. However, in order to allow it, create firewall rules on your DMZ interface with the destination IP of the machine(s) you want to send to.
>
> -- honesty is not a vice

-- 
Aarno Aukia
0764000464
Re: [pfSense Support] DMZ to LAN access
I have got a ping from LAN to DMZ. I do not have a ping from DMZ to LAN. Is there some restriction that I have missed?

On Thu, Jan 8, 2009 at 12:28 PM, Aarno Aukia <m...@arska.ch> wrote:
> If you would like to send ping replies from LAN to DMZ, you might have to add a * * * 192.168.4.x * * to LAN...
>
> -Aarno
>
> 2009/1/8 Peter Todorov <pmi...@gmail.com>:
>> I added * * * 192.168.2.x * * to the DMZ and LAN interfaces. I set these rules at the top, but there is not even a ping from DMZ to 192.168.2.x. I get a ping to the LAN interface (192.168.2.1) from the DMZ, but not to any of the computers attached to that interface.
>>
>> On Wed, Jan 7, 2009 at 6:19 PM, Gary Buckmaster <g...@centipedenetworks.com> wrote:
>>> Peter Todorov wrote:
>>>> Hello, I have a LAN that has 192.168.2.0/24 and a DMZ (second LAN) with 192.168.4.0/24. How can I access LAN from DMZ? pfSense 1.2, dual WAN configuration. Thank you in advance for answers.
>>>>
>>>> -- honesty is not a vice
>>>
>>> Typically this is inadvisable from a security standpoint. However, in order to allow it, create firewall rules on your DMZ interface with the destination IP of the machine(s) you want to send to.
>>
>> -- honesty is not a vice
>
> -- 
> Aarno Aukia
> 0764000464

-- honesty is not a vice
Re: [pfSense Support] DMZ to LAN access
2009/1/8 Curtis LaMasters <curtislamast...@gmail.com>:
> Sounds like a NAT issue. Manually configure your outbound NAT or tell it not to NAT.

Not necessary. Traffic between internal interfaces isn't NATed unless you enable AON and configure it to do so. The firewall rules on the DMZ interface don't allow pings most likely.
Re: [pfSense Support] DMZ to LAN access
Peter Todorov wrote:
> Hello, I have a LAN that has 192.168.2.0/24 and a DMZ (second LAN) with 192.168.4.0/24. How can I access LAN from DMZ? pfSense 1.2, dual WAN configuration. Thank you in advance for answers.
>
> -- honesty is not a vice

Typically this is inadvisable from a security standpoint. However, in order to allow it, create firewall rules on your DMZ interface with the destination IP of the machine(s) you want to send to.
Re: [pfSense Support] DMZ lan ping
I still cannot ping the LAN. I get:

su-2.05b# ping merlin
ping: cannot resolve merlin: Unknown host

On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler [EMAIL PROTECTED] wrote:
> 2008/10/8 Paul Mansfield [EMAIL PROTECTED]:
>> icmp echo request on DMZ interface,
>
> yes (in a firewall rule)
>
>> as well as a route to LAN on DMZ
>
> which should be handled by the systems' default routes, assuming that's pfSense.
>
>> machines, and advanced NAT so that LAN isn't natted to DMZ
>
> No, only traffic leaving WAN interfaces gets NATed, not between internal interfaces.

-- honesty is not a vice
Re: [pfSense Support] DMZ lan ping
This is a DNS resolution error. Where is merlin resolved?

Tonino

Peter Todorov wrote:
> I still cannot ping the LAN. I get:
>
> su-2.05b# ping merlin
> ping: cannot resolve merlin: Unknown host
>
> On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler [EMAIL PROTECTED] wrote:
>> 2008/10/8 Paul Mansfield [EMAIL PROTECTED]:
>>> icmp echo request on DMZ interface,
>>
>> yes (in a firewall rule)
>>
>>> as well as a route to LAN on DMZ
>>
>> which should be handled by the systems' default routes, assuming that's pfSense.
>>
>>> machines, and advanced NAT so that LAN isn't natted to DMZ
>>
>> No, only traffic leaving WAN interfaces gets NATed, not between internal interfaces.
>
> -- honesty is not a vice

-- 
[EMAIL PROTECTED]
Interazioni di Antonio Nati
http://www.interazioni.it
[EMAIL PROTECTED]
Re: [pfSense Support] DMZ lan ping
    192.168.0.1 LAN ------ merlin
  | pfsense |
    192.168.3.5 DMZ ------ taira

On Thu, Oct 9, 2008 at 10:49 AM, Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
> This is a DNS resolution error. Where is merlin resolved?
>
> Tonino
>
> Peter Todorov wrote:
>> I still cannot ping the LAN. I get:
>>
>> su-2.05b# ping merlin
>> ping: cannot resolve merlin: Unknown host
>>
>> On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler [EMAIL PROTECTED] wrote:
>>> 2008/10/8 Paul Mansfield [EMAIL PROTECTED]:
>>>> icmp echo request on DMZ interface,
>>>
>>> yes (in a firewall rule)
>>>
>>>> as well as a route to LAN on DMZ
>>>
>>> which should be handled by the systems' default routes, assuming that's pfSense.
>>>
>>>> machines, and advanced NAT so that LAN isn't natted to DMZ
>>>
>>> No, only traffic leaving WAN interfaces gets NATed, not between internal interfaces.
>>
>> -- honesty is not a vice
>
> -- 
> [EMAIL PROTECTED]
> Interazioni di Antonio Nati
> http://www.interazioni.it
> [EMAIL PROTECTED]

-- honesty is not a vice
Re: [pfSense Support] DMZ lan ping
Can you ping by IP? If pfSense is blocking this you'll see it in the raw logs. SSH to the firewall and select option 10.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Thu, Oct 9, 2008 at 3:04 AM, Peter Todorov [EMAIL PROTECTED] wrote:
>     192.168.0.1 LAN ------ merlin
>   | pfsense |
>     192.168.3.5 DMZ ------ taira
>
> On Thu, Oct 9, 2008 at 10:49 AM, Tonix (Antonio Nati) [EMAIL PROTECTED] wrote:
>> This is a DNS resolution error. Where is merlin resolved?
>>
>> Tonino
>>
>> Peter Todorov wrote:
>>> I still cannot ping the LAN. I get:
>>>
>>> su-2.05b# ping merlin
>>> ping: cannot resolve merlin: Unknown host
>>>
>>> On Thu, Oct 9, 2008 at 4:31 AM, Chris Buechler [EMAIL PROTECTED] wrote:
>>>> 2008/10/8 Paul Mansfield [EMAIL PROTECTED]:
>>>>> icmp echo request on DMZ interface,
>>>>
>>>> yes (in a firewall rule)
>>>>
>>>>> as well as a route to LAN on DMZ
>>>>
>>>> which should be handled by the systems' default routes, assuming that's pfSense.
>>>>
>>>>> machines, and advanced NAT so that LAN isn't natted to DMZ
>>>>
>>>> No, only traffic leaving WAN interfaces gets NATed, not between internal interfaces.
>>>
>>> -- honesty is not a vice
>>
>> -- 
>> [EMAIL PROTECTED]
>> Interazioni di Antonio Nati
>> http://www.interazioni.it
>> [EMAIL PROTECTED]
>
> -- honesty is not a vice
Re: [pfSense Support] DMZ lan ping
Peter Todorov wrote:
> What rule must I add to ping LAN from DMZ?
>
> -- honesty is not a vice

icmp echo request on DMZ interface, as well as a route to LAN on DMZ machines, and advanced NAT so that LAN isn't natted to DMZ?
Re: [pfSense Support] DMZ lan ping
On the DMZ interface:

  Permit | ICMP | Type Echo | [DMZ Subnet or IP] | [LAN Subnet or IP]

or, if you want to be lazy and less secure:

  Permit | ICMP | any | any

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com
Re: [pfSense Support] DMZ lan ping
2008/10/8 Paul Mansfield [EMAIL PROTECTED]:
> icmp echo request on DMZ interface,

yes (in a firewall rule)

> as well as a route to LAN on DMZ

which should be handled by the systems' default routes, assuming that's pfSense.

> machines, and advanced NAT so that LAN isn't natted to DMZ

No, only traffic leaving WAN interfaces gets NATed, not between internal interfaces.
Re: [pfSense Support] DMZ and outside access question.
I have one more question. When I uncheck "Disable NAT Reflection" I'm not able to VNC to my web server (192.168.2.2 from 192.168.1.2), and even trying to go through the WAN it will still not connect. Also, trying to VNC from another network, it sometimes connects and sometimes does not. The web server is an Ubuntu 8.04 box.

Thanks

On Fri, 2008-09-19 at 18:34 -0500, JarekVB wrote:
> That did the trick... Thank you.
>
> On Fri, 2008-09-19 at 13:25 +0100, Paul Mansfield wrote:
>> JarekVB wrote:
>>> Hello, I was just wondering if there was a way to do this. I have a DMZ computer set up with IP 192.168.2.1. On there I have a WWW server (IP 192.168.2.2). My normal LAN is set up with IP 192.168.1.x. What I want to do is be able to access my WWW server from my LAN using the WAN IP. Is there a rule that I can set up that will allow me to do that?
>>
>> nat reflection?
Re: [pfSense Support] DMZ and outside access question.
On Sun, 21 Sep 2008, JarekVB wrote:
> I have one more question. When I uncheck "Disable NAT Reflection" I'm not able to VNC to my web server (192.168.2.2 from 192.168.1.2), and even trying to go through the WAN it will still not connect. Also, trying to VNC from another network, it sometimes connects and sometimes does not.

I set my machines to use the pfSense DNS cache as their DNS. Then I set up entries for the machines on the DMZ. So when I resolve my webserver from within my network the DNS server hands back 192.168.x.x, but when resolved from the outside world it gets the WAN IP. This lets me just use DNS names all the time and it just works. FTP can cause issues, though.

-- 
Joe Laffey | Visual Effects for Film and Video
LAFFEY Computer Imaging | St. Louis, MO, USA
Show Reel: http://LAFFEY.tv/?e11846
-*- Digital Fusion Plugins -*-
Re: [pfSense Support] DMZ and outside access question.
JarekVB wrote:
> Hello, I was just wondering if there was a way to do this. I have a DMZ computer set up with IP 192.168.2.1. On there I have a WWW server (IP 192.168.2.2). My normal LAN is set up with IP 192.168.1.x. What I want to do is be able to access my WWW server from my LAN using the WAN IP. Is there a rule that I can set up that will allow me to do that?

nat reflection?
Re: [pfSense Support] DMZ and outside access question.
That did the trick... Thank you.

On Fri, 2008-09-19 at 13:25 +0100, Paul Mansfield wrote:
> JarekVB wrote:
>> Hello, I was just wondering if there was a way to do this. I have a DMZ computer set up with IP 192.168.2.1. On there I have a WWW server (IP 192.168.2.2). My normal LAN is set up with IP 192.168.1.x. What I want to do is be able to access my WWW server from my LAN using the WAN IP. Is there a rule that I can set up that will allow me to do that?
>
> nat reflection?
Re: [pfSense Support] DMZ firewall rule
Curious as to what your hunch was about the high ports (5 thru 65535), as the 50K range are the ones that are getting blocked.

Thanks,
-phil

> NAT issue? That setup is a little out of the norm, as you have pointed out, but it should still work. An IP is an IP, a port is a port and a protocol is a protocol. Doesn't get much simpler. Does it happen to block just high ports (i.e. 5 thru 65535?) or is it random?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez [EMAIL PROTECTED] wrote:
>> Weird problem I'm trying to figure out. I have pfSense 1.2 running and configured with 3 interfaces and a VPN tunnel. I'm trying to allow a public IP address access into my DMZ. I have a rule set up to allow the public IP (static) using UDP to the DMZ subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP traffic sourced from any port access to my 10.0.0.0/24 destined for any port, from the defined static IP. The rule is configured on the WAN interface and is placed above the default "drop all traffic" rule.
>>
>> My problem is that sometimes the traffic passes as expected and other times it's blocked (as verified by my firewall logs) by the default drop-all rule. I'm trying to allow access from one static IP address (my VoIP provider) into my DMZ where my phone box sits. When it works my phone rings; when the traffic is blocked, obviously it doesn't ring. Also, I have several other rules configured across the multiple interfaces and they are all working as expected. Furthermore, I would say that this current voice-over-IP rule that I'm having problems with works 85% of the time.
>>
>> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands of ports, which is why I'm allowing SRC port any -- DST port any from this static IP. Calling their tech support doesn't help either; they don't even know what ports I'm supposed to let through.
>>
>> Any ideas?
>>
>> Thanks,
>> -phil
Re: [pfSense Support] DMZ firewall rule
Lucky guess. I'm not sure what the solution is. Can you paste your firewall rules in regards to this situation?

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

On Fri, Aug 22, 2008 at 1:48 PM, Phillip Gonzalez [EMAIL PROTECTED] wrote:
> Curious as to what your hunch was about the high ports (5 thru 65535), as the 50K range are the ones that are getting blocked.
>
> Thanks,
> -phil
>
>> NAT issue? That setup is a little out of the norm, as you have pointed out, but it should still work. An IP is an IP, a port is a port and a protocol is a protocol. Doesn't get much simpler. Does it happen to block just high ports (i.e. 5 thru 65535?) or is it random?
>>
>> Curtis LaMasters
>> http://www.curtis-lamasters.com
>> http://www.builtnetworks.com
>>
>> On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez [EMAIL PROTECTED] wrote:
>>> Weird problem I'm trying to figure out. I have pfSense 1.2 running and configured with 3 interfaces and a VPN tunnel. I'm trying to allow a public IP address access into my DMZ. I have a rule set up to allow the public IP (static) using UDP to the DMZ subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP traffic sourced from any port access to my 10.0.0.0/24 destined for any port, from the defined static IP. The rule is configured on the WAN interface and is placed above the default "drop all traffic" rule.
>>>
>>> My problem is that sometimes the traffic passes as expected and other times it's blocked (as verified by my firewall logs) by the default drop-all rule. I'm trying to allow access from one static IP address (my VoIP provider) into my DMZ where my phone box sits. When it works my phone rings; when the traffic is blocked, obviously it doesn't ring. Also, I have several other rules configured across the multiple interfaces and they are all working as expected. Furthermore, I would say that this current voice-over-IP rule that I'm having problems with works 85% of the time.
>>>
>>> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands of ports, which is why I'm allowing SRC port any -- DST port any from this static IP. Calling their tech support doesn't help either; they don't even know what ports I'm supposed to let through.
>>>
>>> Any ideas?
>>>
>>> Thanks,
>>> -phil
Re: [pfSense Support] DMZ firewall rule
Yes, it's always high ports.

Thanks,
-phil

> NAT issue? That setup is a little out of the norm, as you have pointed out, but it should still work. An IP is an IP, a port is a port and a protocol is a protocol. Doesn't get much simpler. Does it happen to block just high ports (i.e. 5 thru 65535?) or is it random?
>
> Curtis LaMasters
> http://www.curtis-lamasters.com
> http://www.builtnetworks.com
>
> On Thu, Aug 21, 2008 at 9:50 AM, Phillip Gonzalez [EMAIL PROTECTED] wrote:
>> Weird problem I'm trying to figure out. I have pfSense 1.2 running and configured with 3 interfaces and a VPN tunnel. I'm trying to allow a public IP address access into my DMZ. I have a rule set up to allow the public IP (static) using UDP to the DMZ subnet, which is 10.0.0.0/24. The rule is configured to allow all UDP traffic sourced from any port access to my 10.0.0.0/24 destined for any port, from the defined static IP. The rule is configured on the WAN interface and is placed above the default "drop all traffic" rule.
>>
>> My problem is that sometimes the traffic passes as expected and other times it's blocked (as verified by my firewall logs) by the default drop-all rule. I'm trying to allow access from one static IP address (my VoIP provider) into my DMZ where my phone box sits. When it works my phone rings; when the traffic is blocked, obviously it doesn't ring. Also, I have several other rules configured across the multiple interfaces and they are all working as expected. Furthermore, I would say that this current voice-over-IP rule that I'm having problems with works 85% of the time.
>>
>> PS: it would be nice if my VoIP provider (Lingo) wouldn't span thousands of ports, which is why I'm allowing SRC port any -- DST port any from this static IP. Calling their tech support doesn't help either; they don't even know what ports I'm supposed to let through.
>>
>> Any ideas?
>>
>> Thanks,
>> -phil
RE: [pfSense Support] DMZ
They are all the firewall itself, yes. But they are all different interfaces; keep that in mind when you get to your rules. pfSense processes rules as they enter the interface, so once you are in you can go anywhere.

-Tim

From: Anil Garg [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 04, 2008 4:37 PM
To: support@pfsense.com
Subject: [pfSense Support] DMZ

Progressing to DMZ with pfSense. Say we have:

WAN 203.xxx.xxx.201 (IP provided by the ISP)
  Gateway 203.xxx.xxx.001
  DNS1 203.xxx.xxx.002
  DNS2 203.xxx.xxx.003

LAN 192.168.1.1/24, no DHCP, not bridged to any interface
  One server is configured as 192.168.1.10/32, gateway 192.168.1.1, DNS 192.168.1.1

DMZ 192.168.100.1/24, no DHCP, not bridged to any interface
  One DMZ server is configured as 192.168.100.10/32
    Gateway 192.168.100.1  <== Is this correct?
    DNS 192.168.100.1      <== Is this correct?

Am I right in assuming that after the firewall rules are applied, 203.xxx.xxx.201, 192.168.1.1 and 192.168.100.1 are all the same address, that of the firewall itself?

Sorry if this is a stupid question.

Best,
Anil Garg
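Tim's point that pfSense evaluates rules on the interface a packet enters, Curtis's "Permit | ICMP | Type Echo | [DMZ Subnet] | [LAN Subnet]" rule on the DMZ tab in the "DMZ lan ping" thread, and Chris's note that only traffic leaving WAN gets NATed all describe one evaluation model. The toy firewall below is an added example written for this page; it is not pfSense code and was not posted by anyone on the list. The subnets, host addresses, interface names, rule objects and verdict strings are all constructed for the example, and the state table is a deliberate simplification of pf's (it keys on addresses and protocol only, with no ports or timeouts).

```python
"""Toy model of how a pfSense-style stateful firewall evaluates rules.

Added example, not code from pfSense or from anyone on the list. It models
what the thread says: rules are evaluated on the interface a packet ENTERS,
first match wins, the implicit default is deny, a matching pass rule creates
a state that admits the reply, and automatic outbound NAT touches only traffic
leaving via WAN. All addresses, interface names and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology: two internal interfaces plus a WAN address.
IFACES = {"lan": ip_network("192.168.2.0/24"), "dmz": ip_network("192.168.4.0/24")}
WAN_ADDR = "203.0.113.10"


def iface_for(addr: str) -> str:
    """Interface on which a packet with this address enters or leaves."""
    a = ip_address(addr)
    for name, net in IFACES.items():
        if a in net:
            return name
    return "wan"  # not a local subnet: it came from, or goes to, the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: str = ""   # "echoreq" / "echoreply" when proto is icmp


@dataclass(frozen=True)
class Rule:
    iface: str            # the interface tab the rule lives on (= ingress)
    proto: str = "any"
    src: str = "any"      # "any" or a CIDR, like the '*' columns in the GUI
    dst: str = "any"
    icmp_type: str = "any"
    action: str = "pass"

    def matches(self, pkt: Packet) -> bool:
        def in_net(addr: str, spec: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (self.proto in ("any", pkt.proto)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst)
                and (self.proto != "icmp" or self.icmp_type in ("any", pkt.icmp_type)))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # (src, dst, proto) of flows a pass rule admitted

    @staticmethod
    def outbound_nat(pkt: Packet) -> Packet:
        """Rewrite the source only when the packet leaves via WAN."""
        if iface_for(pkt.dst) == "wan":
            return Packet(WAN_ADDR, pkt.dst, pkt.proto, pkt.icmp_type)
        return pkt

    def filter(self, pkt: Packet):
        """Return (verdict, packet as forwarded or None)."""
        # Replies to an established flow never consult the rule set.
        looks_like_reply = pkt.proto != "icmp" or pkt.icmp_type == "echoreply"
        if looks_like_reply and (pkt.dst, pkt.src, pkt.proto) in self.states:
            return "pass-by-state", pkt
        ingress = iface_for(pkt.src)
        # Only rules on the ingress interface are consulted; first match wins.
        for rule in self.rules:
            if rule.iface == ingress and rule.matches(pkt):
                if rule.action != "pass":
                    return "block-by-rule", None
                fwd = self.outbound_nat(pkt)
                self.states.add((fwd.src, fwd.dst, fwd.proto))
                return "pass", fwd
        return "block-default", None  # implicit default deny


LAN_DEFAULT = Rule("lan", src="192.168.2.0/24")  # stock "LAN net to any"
ECHO_DMZ_TO_LAN = Rule("dmz", proto="icmp", src="192.168.4.0/24",
                       dst="192.168.2.0/24", icmp_type="echoreq")
PING = Packet("192.168.4.10", "192.168.2.20", "icmp", "echoreq")
PONG = Packet("192.168.2.20", "192.168.4.10", "icmp", "echoreply")


def run_scenarios() -> dict:
    out = {}
    # 1. Same allow rule, but placed on the LAN tab: DMZ-sourced traffic never sees it.
    fw = Firewall([LAN_DEFAULT, Rule("lan", proto="icmp", src="192.168.4.0/24",
                                     dst="192.168.2.0/24")])
    out["rule_on_wrong_tab"] = fw.filter(PING)[0]
    # 2. Rule on the DMZ tab: request passes, reply passes by state, no LAN rule needed.
    fw = Firewall([LAN_DEFAULT, ECHO_DMZ_TO_LAN])
    out["dmz_ping"] = fw.filter(PING)[0]
    out["lan_reply"] = fw.filter(PONG)[0]
    # 3. LAN to DMZ is admitted by the stock LAN rule and is not NATed.
    v, fwd = fw.filter(Packet("192.168.2.20", "192.168.4.10", "icmp", "echoreq"))
    out["lan_to_dmz"] = (v, fwd.src)
    # 4. LAN to the Internet leaves via WAN and gets the WAN source address...
    v, fwd = fw.filter(Packet("192.168.2.20", "198.51.100.5", "tcp"))
    out["lan_to_internet"] = (v, fwd.src)
    # ...and the answer from the Internet is matched by the (post-NAT) state.
    out["internet_reply"] = fw.filter(Packet("198.51.100.5", WAN_ADDR, "tcp"))[0]
    # 5. A TCP connection from DMZ to LAN does not match the ICMP-only rule.
    out["dmz_tcp"] = fw.filter(Packet("192.168.4.10", "192.168.2.20", "tcp"))[0]
    return out


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Running it prints one verdict per scenario. The first two scenarios are the point the DMZ-to-LAN threads keep circling back to: a rule on the LAN tab is never consulted for a packet that enters on DMZ, and once the DMZ rule exists the echo reply needs no LAN rule, because the state created by the pass rule admits it. Scenarios 3 and 4 show why no AON mapping is needed for DMZ/LAN traffic: the source address is rewritten only when the egress interface is WAN.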
Re: [pfSense Support] DMZ (public IP) problem
Chris Buechler wrote:
> On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
>
> Does your ISP actually route those public IPs to your WAN IP? If not, you'll need proxy ARP or CARP IPs for those addresses. Though when using the IPs directly on the systems, you really need your ISP to route the subnet to your WAN IP to avoid having to do that.

Thank you Chris! Yes, the ISP routes these IPs to my WAN interface (if I set a Virtual IP on WAN, I can ping it from outside). I tried to enable proxy ARP, but it had no effect.
Re: [pfSense Support] DMZ (public IP) problem
On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
> Hello! My situation: I have a router with several interfaces. There are two LANs with private IPs and two DMZs with public IPs in my network. A public IP is assigned to the router's WAN interface. To disable address translation for the DMZ I've checked the "Enable advanced outbound NAT" box in the Outbound NAT menu, and I entered my own NAT mappings for the LANs. I've entered simple firewall rules for all interfaces (permit any protocol from any to any). Everything works fine for the LANs with private IPs (DHCP, DNS, traffic shaping). But hosts on public IPs in the DMZ are not accessible from outside (and can't connect to anywhere outside). I can ping DMZ IPs from the router, I can ping the WAN IP from the DMZ, I can ping any outside IP from the WAN interface, but I can't ping anything outside from the DMZ (or from the DMZ interface of the router)...

Does your ISP actually route those public IPs to your WAN IP? If not, you'll need proxy ARP or CARP IPs for those addresses. Though when using the IPs directly on the systems, you really need your ISP to route the subnet to your WAN IP to avoid having to do that.
Re: [pfSense Support] DMZ (public IP) problem
Or bridge DMZ to WAN.

--Bill

On 8/28/07, Chris Buechler [EMAIL PROTECTED] wrote:
> On Tue, 2007-08-28 at 22:20 +0300, Android Andrew[:] wrote:
>> Hello! My situation: I have a router with several interfaces. There are two LANs with private IPs and two DMZs with public IPs in my network. A public IP is assigned to the router's WAN interface. To disable address translation for the DMZ I've checked the "Enable advanced outbound NAT" box in the Outbound NAT menu, and I entered my own NAT mappings for the LANs. I've entered simple firewall rules for all interfaces (permit any protocol from any to any). Everything works fine for the LANs with private IPs (DHCP, DNS, traffic shaping). But hosts on public IPs in the DMZ are not accessible from outside (and can't connect to anywhere outside). I can ping DMZ IPs from the router, I can ping the WAN IP from the DMZ, I can ping any outside IP from the WAN interface, but I can't ping anything outside from the DMZ (or from the DMZ interface of the router)...
>
> Does your ISP actually route those public IPs to your WAN IP? If not, you'll need proxy ARP or CARP IPs for those addresses. Though when using the IPs directly on the systems, you really need your ISP to route the subnet to your WAN IP to avoid having to do that.