Author Topic: Weird behavior on my DMZ (VMWare ESXi related?)  (Read 762 times)
mox (Newbie, Posts: 1)
« on: October 16, 2009, 06:49:30 pm »

I don't know why, but I'm having some weird problems on my DMZ where some machines cannot access other DMZ machines.

My setup is simple.
I am running a server with VMware ESXi.

pfSense has 3 interfaces (WAN, LAN and DMZ).

On the VMWare side:
WAN is on vSwitch0, where I get A.B.C.67/255.255.255.224 from my ISP
LAN is on vSwitch1
DMZ is on vSwitch2

My DMZ is bridged to the WAN.

Here are the configs of the firewall/servers behind it.

Firewall IP: A.B.C.67/27 <-- VM
Firewall GW: A.B.C.65

DMZ Server IP (A): A.B.C.70/27 <-- VM
DMZ Server IP (B): A.B.C.72/27 <-- Physical
DMZ Server IP (C): A.B.C.73/27 <-- VM
DMZ Server GW: A.B.C.65

I have a rule under DMZ that let any DMZ Machine communicate with other DMZ Machines.

Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
*      DMZ net  *     *            *     *                  DMZ -> any

How come, when I go check the System Logs, I see things like this:
x   Oct 16 18:32:43  DMZ   A.B.C.73:1213   A.B.C.72:445  TCP
x   Oct 16 18:37:18  DMZ   A.B.C.73:1243   A.B.C.70:445  TCP
x   Oct 16 18:42:21  DMZ   A.B.C.70:1440   A.B.C.72:1433  TCP

A.B.C.73 tries to communicate with A.B.C.72 or A.B.C.70 on port 445 and it's blocked,
and A.B.C.70 tries to communicate with A.B.C.72 on port 1433 and it's blocked.

PS: I have enabled "Bypass firewall rules for traffic on the same interface".

Please help me, I'm about to go crazy!
bman2883 (Newbie, Posts: 8)
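As an added example (not code from the thread, from pfSense or from VMware), the script below parses firewall-log lines in the simplified layout quoted in the post and checks every blocked flow against the single "DMZ net -> any" pass rule from the rule table. A blocked entry that the pass rule should have matched is exactly the symptom described above, and the script additionally reports whether both endpoints sit inside the DMZ /27, since same-subnet hosts normally reach each other at layer 2 without the firewall seeing the traffic at all. Assumptions: the poster's A.B.C.64/27 is replaced by the constructed placeholder 203.0.113.64/27, the leading "x" in the quoted lines is taken to be the forum's rendering of the block icon, the sample log is constructed to mirror the three quoted entries, and all function names are mine.

```python
"""Flag pfSense log entries that were blocked although a pass rule covers them.

Added example; not part of the forum post or of pfSense. Log layout is the
simplified one quoted in the post: action, timestamp, interface, src:port,
dst:port, protocol.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-in for the poster's A.B.C.64/27 (RFC 5737 TEST-NET-3 space).
DMZ_NET = ipaddress.ip_network("203.0.113.64/27")

# Constructed log excerpt mirroring the three blocked entries quoted in the post
# ("x" assumed to be the block icon), plus one passed flow to an outside address
# so the filter has something to ignore.
SAMPLE_LOG = """\
x     Oct 16 18:32:43  DMZ   203.0.113.73:1213   203.0.113.72:445   TCP
x     Oct 16 18:37:18  DMZ   203.0.113.73:1243   203.0.113.70:445   TCP
x     Oct 16 18:42:21  DMZ   203.0.113.70:1440   203.0.113.72:1433  TCP
pass  Oct 16 18:45:02  DMZ   203.0.113.70:1500   198.51.100.9:80    TCP
"""

LINE_RE = re.compile(
    r"^(?P<action>\S+)\s+(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\S+)$"
)


@dataclass(frozen=True)
class LogEntry:
    blocked: bool
    timestamp: str
    iface: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text: str) -> list[LogEntry]:
    """Parse lines in the simplified layout shown in the post; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(LogEntry(
            blocked=m["action"].lower() in ("x", "block"),
            timestamp=m["ts"],
            iface=m["iface"],
            src=ipaddress.ip_address(m["src"]),
            sport=int(m["sport"]),
            dst=ipaddress.ip_address(m["dst"]),
            dport=int(m["dport"]),
            proto=m["proto"],
        ))
    return entries


def pass_rule_matches(entry: LogEntry, iface: str = "DMZ",
                      net: ipaddress.IPv4Network = DMZ_NET) -> bool:
    """The post's only DMZ rule: proto *, source 'DMZ net', any destination -> pass."""
    return entry.iface == iface and entry.src in net


def is_intra_subnet(entry: LogEntry, net: ipaddress.IPv4Network = DMZ_NET) -> bool:
    """Both endpoints inside the DMZ /27, i.e. hosts that are layer-2 neighbours."""
    return entry.src in net and entry.dst in net


def unexpected_blocks(entries, net=DMZ_NET):
    """Blocked entries the pass rule should have matched. Any hit means the packet
    did not arrive the way the rule table assumes (for example via a different
    interface or bridge member), which is the situation the post describes."""
    return [e for e in entries if e.blocked and pass_rule_matches(e, net=net)]


def report(text: str) -> dict:
    """Summary counts for a log excerpt."""
    entries = parse_log(text)
    odd = unexpected_blocks(entries)
    return {
        "parsed": len(entries),
        "blocked": sum(e.blocked for e in entries),
        "unexpected_blocks": len(odd),
        "unexpected_intra_subnet": sum(is_intra_subnet(e) for e in odd),
    }


if __name__ == "__main__":
    for e in unexpected_blocks(parse_log(SAMPLE_LOG)):
        tag = "same-subnet" if is_intra_subnet(e) else "external"
        print(f"{e.timestamp} {e.iface} {e.src}:{e.sport} -> {e.dst}:{e.dport}/{e.proto} "
              f"blocked despite pass rule ({tag})")
    print(report(SAMPLE_LOG))
```

Run it on a real export by reading the log file into `parse_log` instead of `SAMPLE_LOG` and setting `DMZ_NET` to the actual DMZ prefix; every line the script prints is a flow that contradicts the rule table, and a "same-subnet" tag on it is a strong hint that the traffic is crossing the firewall's bridge rather than staying on one vSwitch.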
« Reply #1 on: October 29, 2009, 03:25:44 pm »

Try putting the DMZ in the same vSwitch as the WAN; I don't think traffic passes between vSwitches...
louis-m (Full Member, Posts: 78)
« Reply #2 on: October 30, 2009, 04:31:09 am »

With ESXi, you can have as many vSwitches as you want on different VLANs. Traffic will not pass between them. You need a router, and that is where pfSense comes in.
Just slip a rule in there to allow traffic between your VLANs on pfSense.
alien8 (Newbie, Posts: 2)
« Reply #3 on: February 09, 2010, 12:06:51 am »

So, since your WAN gateway IP address and your DMZ gateway IP address are the same, I'm pretty sure you need to bridge your WAN and DMZ interfaces.

You'll need to configure your network interfaces in ESXi to permit promiscuous mode in order for the bridging to work.

I have a similar setup and had similar results until I figured out the issues with bridging and promiscuous mode.

Hope this helps.