Topic: No internet access from DMZ(OPT1)

patelbhavin8008
No internet access from DMZ(OPT1)
« on: July 02, 2013, 08:09:38 am »
Hi,

I am not able to access the internet from the DMZ(OPT1) interface. I have created a rule on DMZ(OPT1) which is the same as the default rule on LAN for accessing the internet. Below is the rule for DMZ from the firewall.

Proto  Source         Port  Destination  Port  Gateway  Queue
*      DMZ_LOCAL net  *     *            *     *        none

Is there anything more I need to do?

jimp
Re: No internet access from DMZ(OPT1)
« Reply #1 on: July 02, 2013, 12:54:17 pm »
Check your outbound NAT (Firewall > NAT, Outbound tab).

If you're on manual outbound NAT, add rules for the DMZ subnet.

If you're on automatic outbound NAT it should already work, but make sure under Interfaces > DMZ that you do NOT have a gateway selected (only choose a gateway on WANs, not local interfaces).
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

atakacs
Re: No internet access from DMZ(OPT1)
« Reply #2 on: July 05, 2013, 11:03:20 am »
Total newbie here having a very similar issue.

I have created an outbound firewall rule for the OPT. I'm using automatic outbound NAT rule generation.

However, on the "interface" page for OPT I have no gateway defined and no choice in the pop-up (although I have defined a gateway for the LAN part, which works fine; I would have expected that gateway to show up there?). If I try to manually add my WAN gateway I get a "please wait" message forever.

Pretty much stumped at this stage.

johnpoz
Re: No internet access from DMZ(OPT1)
« Reply #3 on: July 05, 2013, 12:26:29 pm »
"However on the "interface" page for OPT I have no gateway defined and no choice in the pop-up"

Which is how it should be. It's a LAN interface; it should NOT have a gateway.

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

atakacs
Re: No internet access from DMZ(OPT1)
« Reply #4 on: July 05, 2013, 12:32:44 pm »
OK, understood.

So except for creating an outbound firewall rule, is there anything else I should do to get internet access on my OPT subnet? How should we go about diagnosing this?

kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #5 on: July 05, 2013, 02:28:19 pm »
Stab in the dark. That rule you made: did you copy it from the original rule on the LAN interface or make a new rule from scratch?

johnpoz
Re: No internet access from DMZ(OPT1)
« Reply #6 on: July 05, 2013, 03:44:03 pm »
I have multiple OPT interfaces (my WLAN, DMZ) and the only thing you need to do is create a firewall rule to allow the traffic you want. It takes 10 seconds to set up another interface in pfSense, and the only thing that should be required is allowing the traffic in the firewall.

OPT interfaces do not default to being open like the LAN interface after setup.

If you're having issues, I would make sure your clients are correctly set up and can ping your OPT interface IP, and what are they using for DNS? Is DNS listening on the OPT interface, if that is what the clients are using, etc.

As to troubleshooting the issue, the first thing is: can you ping the IP address you gave the OPT interface from a client on that network?

kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #7 on: July 05, 2013, 03:49:13 pm »
What I was wondering about is whether maybe he set up the correct firewall rule but has the wrong interface selected. This is easy to do if you copy a rule from LAN but don't change the interface.

atakacs
Re: No internet access from DMZ(OPT1)
« Reply #8 on: July 05, 2013, 07:38:26 pm »
Hello,

Hmmm, can't ping my OPT interface IP. Oops, I should have thought about testing this first :(

So it does have DHCP working: the machine gets the expected IP, gateway and DNS (IP in the range specified, gw and dns = pfS), but it won't ping...

Here is my firewall setup in case I missed something obvious (quite possible).


kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #9 on: July 05, 2013, 07:48:11 pm »
Two things.

First, can you go back into your OPT1 rule and change protocol to "any" and source to "OPT1 net", then save and apply.

Then go to Status > Filter Reload.

Then test again.

Second, can you post a pic of your Firewall > NAT > Outbound rules?

atakacs
Re: No internet access from DMZ(OPT1)
« Reply #10 on: July 05, 2013, 08:08:37 pm »
Thanks for your suggestions.

1. Tried to change the FW rule per your instructions; it doesn't help.

2. Here is the outbound rule (using automatic outbound NAT rule generation).



Guess it's time to delve in the logs...

kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #11 on: July 05, 2013, 08:17:39 pm »
I also noticed that no one so far has asked about your IP assignments for LAN, which must be correct or you wouldn't be able to see the internet, and OPT1, which obviously has some issue.

Under Interfaces:
What is the LAN IP, subnet and range? Like 192.168.1.1 and 192.168.1.0/24 for subnet?

You should have a similar setting for the OPT1 interface. Like 192.168.2.1 and 192.168.2.0/24 for subnet?

AND, I feel dumb for not asking sooner.
Buttttttt....

Did you go into Services > DHCP Server and activate DHCP on the OPT1 interface? That's a show stopper if you haven't.

kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #12 on: July 05, 2013, 10:25:10 pm »
I feel sorta bad that this didn't occur to me earlier. I have this habit when working with pfSense of assigning new interface cards and new IPs and subnets from the text menu on pfSense.

For instance, I'll drop in a new card. Then I will go to the command line interface. I'll select the # in the menu for assigning interfaces. From there, I'll assign the WAN interface, LAN and OPT1.

Then I will go to the menu # for assigning interface IPs.

I'll leave WAN alone. It picks up an IP by DHCP by default.
I'll set the LAN IP like 192.168.1.1, select 24 for the subnet, and set the IP range for DHCP like 192.168.1.100 - 192.168.1.200.

Then I'll assign the OPT1 interface IP at the command interface also.
I'll set the LAN IP like 192.168.2.1, select 24 for the subnet, and set the IP range for DHCP like 192.168.2.100 - 192.168.2.200.

(It's actually better if you pick IPs other than 192.168.x.x because they are so common, but for this example I used them because they are familiar to all.)

The reason I assign my interfaces again from the command interface is because it FORCES me to do all the things I should at once.

If you did not use the command interface menu but instead used the web GUI, then you must:

1.  Install the card.
2.  Add the interface and check the MAC to be sure the interface you added has a MAC matching the card you expect.
3.  Activate the interface, set it as static, and set the interface IP (192.168.2.1) and /24.
4.  Go to Services > DHCP Server, click the tab for OPT1, activate DHCP and set the range like 192.168.2.100 - 192.168.2.200.

Only after doing these steps are you ready to set up your OPT1 firewall rule to pass all.
That rule should apply to protocol all, interface OPT1, source OPT1 net... I think that part is already correct on your machine.
« Last Edit: July 05, 2013, 10:35:09 pm by kejianshi »
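As an added example that is not part of this thread or of pfSense itself, here is a small Python checker that models the settings the replies walk through (kejianshi's four-step procedure above, and jimp's outbound NAT and gateway points in reply #1) and flags the misconfigurations they describe. The config dict is constructed and simplified for illustration; it is not pfSense's config.xml format, and the interface names, addresses and rule fields are assumptions.

```python
import ipaddress

# Constructed example config (assumption: a plain dict, not pfSense's real
# config.xml schema) carrying the mistakes the thread discusses: a gateway on
# the local OPT1 interface, the LAN pass rule copied without changing its
# interface, no DHCP server on OPT1, and manual outbound NAT covering LAN only.
CONFIG = {
    "interfaces": {
        "WAN": {"ip": "203.0.113.2/24", "gateway": "WAN_GW"},
        "LAN": {"ip": "192.168.1.1/24", "gateway": None},
        "OPT1": {"ip": "192.168.2.1/24", "gateway": "WAN_GW"},
    },
    "rules": [
        {"iface": "LAN", "proto": "any", "src": "LAN net", "dst": "any"},
        {"iface": "LAN", "proto": "any", "src": "OPT1 net", "dst": "any"},
    ],
    "outbound_nat": {"mode": "manual",
                     "rules": [{"src": "192.168.1.0/24", "iface": "WAN"}]},
    "dhcp": {"LAN": {"enabled": True, "range": ("192.168.1.100", "192.168.1.200")}},
}


def audit_opt(cfg, opt):
    """Return the problems that stop clients on `opt` from reaching the internet."""
    findings = []
    iface = cfg["interfaces"].get(opt)
    if not iface or not iface.get("ip"):
        return [f"{opt}: interface not enabled or has no static IP"]
    net = ipaddress.ip_interface(iface["ip"]).network
    if iface.get("gateway"):  # only WAN-type interfaces carry a gateway
        findings.append(f"{opt}: gateway set on a local interface; set it to none")
    dhcp = cfg["dhcp"].get(opt)
    if not dhcp or not dhcp.get("enabled"):
        findings.append(f"{opt}: DHCP server not enabled")
    elif not all(ipaddress.ip_address(a) in net for a in dhcp["range"]):
        findings.append(f"{opt}: DHCP range lies outside {net}")
    # The pass rule must sit on the OPT interface itself, not on the LAN tab it was copied from.
    if not any(r["iface"] == opt and r["src"] == f"{opt} net" for r in cfg["rules"]):
        strays = [r["iface"] for r in cfg["rules"] if r["src"] == f"{opt} net"]
        where = f"bound to {strays[0]} instead of {opt}" if strays else "missing"
        findings.append(f"{opt}: pass rule for '{opt} net' is {where}")
    nat = cfg["outbound_nat"]  # automatic mode covers every local subnet by itself
    if nat["mode"] == "manual" and not any(
            ipaddress.ip_network(r["src"]) == net for r in nat["rules"]):
        findings.append(f"{opt}: manual outbound NAT has no rule for {net}")
    return findings
```

Running `audit_opt(CONFIG, "OPT1")` reports all four problems, while `audit_opt(CONFIG, "LAN")` returns an empty list because LAN is configured the way the thread says OPT1 should be.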

atakacs
Re: No internet access from DMZ(OPT1)
« Reply #13 on: July 06, 2013, 02:16:43 am »
Thanks for your patience...

Yes, DHCP is up on OPT and I do get an IP in the expected IP range:

But I can't ping the gateway (which is the OPT IP).

One additional potential issue is that we are here in a virtual (VMware) environment and the OPT NIC is completely virtual (i.e. "host only", connected to pfS and the Windows VM only, no physical NIC), but this has always worked fine so far for me (although these are my first steps with pfS).

If I (virtually) connect the very same VM to the LAN card it works just fine.

kejianshi
Re: No internet access from DMZ(OPT1)
« Reply #14 on: July 06, 2013, 10:29:32 am »
"Can't ping the gateway which is the OPT IP"?

Shouldn't the gateway be the WAN IP?

Are you attempting to use OPT1 like a LAN interface or another WAN interface?

If you get internet through WAN and you plan to connect hosts via OPT1 then it should be set up nearly identically to your LAN interface.
That means that under interfaces > OPT1 you should have a static IP assigned and gateway should be set to "none".

So, maybe I am misunderstanding your reference to OPT and gateway, but to me it seems odd. Could you clarify?