Author Topic: No internet access from DMZ(OPT1)  (Read 21605 times)

Offline atakacs

Re: No internet access from DMZ(OPT1)
« Reply #15 on: July 06, 2013, 11:10:47 am »
Quote
"Can't ping the gateway which is the OPT IP"?
Shouldn't the gateway be the WAN IP?

My understanding is that within the context of the OPT subnet the gateway should be the OPT interface IP (and that's how it is set up by the DHCP server - 172.16.35.254 in my case, see my previous screenshot). As far as my networking knowledge goes any non local packets will be sent to 172.16.35.254 where they should be relayed further - presumably to the WAN gateway. Obviously if I can't ping 172.16.35.254 something is not working as expected...

Quote
Are you attempting to use OPT1 like a LAN interface or another WAN interface?

As another LAN.

Quote
If you get internet through WAN and you plan to connect hosts via OPT1 then it should be set up nearly identically to your LAN interface. That means that under interfaces > OPT1 you should have a static IP assigned and gateway should be set to "none".

That's what I'm having as far as I can tell:


Offline kejianshi

« Reply #16 on: July 06, 2013, 11:46:28 am »
Just wondering here, because I have never done it the way you have it and I'm not sure if it's an issue or not.

You have the static IP of that OPT1 interface set as 172.16.35.254.  Is your LAN set up similarly with a .254 in the last digit?

I'm not sure if that makes a difference at all with pfSense, but I have always placed the static IP at .1

like 172.16.35.1 /24

Offline Supermule

« Reply #17 on: July 06, 2013, 12:05:19 pm »
Have you enabled outbound NAT from the OPT1 interface?
Kind regards Brian


Offline kejianshi

« Reply #18 on: July 06, 2013, 12:10:55 pm »
Earlier, he has a post of the outbound NAT set to auto.
I don't use AUTO anymore, but instead use manual and set up outbound NAT for each LAN interface manually.
I was going to go there next if changing static IP to .1 vs .254 had no effect.

However, supposedly on "auto", outbound NAT should handle itself.

Offline atakacs

« Reply #19 on: July 06, 2013, 01:47:34 pm »
Ok I have changed the OPT IP to .1 to no avail (it was picked up correctly by the DHCP client after a renew).

I have also tried to create a manual outbound NAT rule:



Still no cigar...

That being said - and I would certainly not call myself an expert in this area - I would think that even if outbound NAT was fully turned off the .1 address should still ping ?

Oh BTW my ARP tables:

172.16.35.100    00:0c:29:ab:48:b0    ManagementVM      OPT1
172.16.10.210    00:0c:29:6c:f8:91    pfSdc.local    LAN
172.16.35.1    00:0c:29:6c:f8:9b       OPT1
172.16.10.62    3c:07:54:27:ff:55       LAN
#.#.46.18    00:0c:29:6c:f8:87       WAN
#.#.46.17    78:19:f7:f5:ed:c1       WAN

Seems correct (last two are my WAN addresses that I have anonymised).

172.16.35.100    is the DHCP client on the OPT network - correct
172.16.10.210    is the LAN IP for the firewall - correct
172.16.35.1    is the OPT IP for the firewall - correct
172.16.10.62    is the LAN IP for the client machine I am using to configure - also correct

Anyway... what's next ?

Offline kejianshi

« Reply #20 on: July 06, 2013, 01:59:52 pm »
Oh my.

Well, if it were me, I would have made:

interface:  WAN

NAT Address * (any)

Source is Fine.  172.16.35.0/24


You would need one of those to pass the LAN traffic also

interface: WAN

NAT Address * (any)

Source LAN subnet






« Last Edit: July 06, 2013, 02:02:15 pm by kejianshi »

Offline atakacs

« Reply #21 on: July 06, 2013, 02:14:22 pm »
Something like that then:



?

Still no go :(

What do you make of my remark regarding ping vs. NAT ? Am I wrong to assume that ping should work regardless of NAT setup ?

Offline kejianshi

« Reply #22 on: July 06, 2013, 02:18:51 pm »
I would have made NAT address ANY.  You can lock it down later when it starts working.

"What do you make of my remark regarding ping vs. NAT ? Am I wrong to assume that ping should work regardless of NAT setup ?"

As far as should the address ping, that depends.  Where are you pinging from?  What interface?  LAN?

If so, I'd have to see your LAN firewall rules to know if traffic is allowed from the LAN to OPT1.
« Last Edit: July 06, 2013, 02:22:53 pm by kejianshi »

Offline atakacs

« Reply #23 on: July 06, 2013, 02:34:37 pm »
Quote
I would have made NAT address ANY.  You can lock it down later when it starts working.

Hmm.. how would you do that in the following screen ?



Offline kejianshi

« Reply #24 on: July 06, 2013, 02:50:06 pm »
What you have there looks correct on outbound NAT. 

Offline atakacs

« Reply #25 on: July 06, 2013, 02:57:35 pm »
ok. It translates in the NAT WAN address setting you see in my 02:14:22 message.

And I am pinging within the 172.16.35.0 subnet (from the 172.16.35.100  machine). Interestingly I can't seem to ping that machine from the firewall either:

PING 172.16.35.100 (172.16.35.100) from 172.16.35.1: 56 data bytes

--- 172.16.35.100 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

Whatever my issue I honestly don't think it's NAT forwarding...

Offline kejianshi

« Reply #26 on: July 06, 2013, 03:12:07 pm »
I agree that even with no outbound NAT configured you should be able to see the OPT1 interface from either the pfSense command prompt or a computer on the OPT1 LAN.   You say this is a VM?  What model of network card is your virtual interface assigned to OPT1 emulating?
« Last Edit: July 06, 2013, 03:21:29 pm by kejianshi »
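
The point agreed on in the two posts above (a ping to the OPT1 address from inside its own subnet does not depend on outbound NAT), worked through as an added example that is not part of the original thread. It uses the addresses quoted in the thread; the LAN /24 mask and the destination 203.0.113.10 are assumptions made for illustration.

```python
import ipaddress

# Firewall interfaces as quoted in the thread. OPT1's /24 comes from the
# 172.16.35.0/24 NAT source; the LAN /24 is an assumption (mask not posted).
INTERFACES = {
    "LAN": ipaddress.ip_interface("172.16.10.210/24"),
    "OPT1": ipaddress.ip_interface("172.16.35.1/24"),
}

# Private-address rows of the ARP table posted in reply #19.
ARP_TABLE = """\
172.16.35.100    00:0c:29:ab:48:b0    ManagementVM      OPT1
172.16.10.210    00:0c:29:6c:f8:91    pfSdc.local    LAN
172.16.35.1    00:0c:29:6c:f8:9b       OPT1
172.16.10.62    3c:07:54:27:ff:55       LAN
"""

def parse_arp(text):
    """Map IP -> (MAC, interface); the hostname column is optional."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            table[parts[0]] = (parts[1], parts[-1])
    return table

def classify(src, dst):
    """Return (path, outbound_nat_involved) for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((n for n, i in INTERFACES.items() if src in i.network), None)
    if ingress is None:
        raise ValueError(f"{src} is not on a known local subnet")
    iface = INTERFACES[ingress]
    if dst == iface.ip:
        # Terminates on the firewall: ARP plus the ingress interface rules decide.
        return ("firewall-self", False)
    if dst in iface.network:
        # Same subnet: switched at layer 2, never handed to the firewall.
        return ("on-link", False)
    if any(dst in i.network for i in INTERFACES.values()):
        # Routed between local subnets; filtered on ingress, no WAN translation.
        return ("routed-internal", False)
    # Leaves via WAN: a private source must be translated to be routable.
    return ("via-wan", src.is_private)

if __name__ == "__main__":
    for dst in ("172.16.35.1", "172.16.10.62", "203.0.113.10"):
        print(dst, classify("172.16.35.100", dst))
```

Only the last case involves outbound NAT, so a failing ping to 172.16.35.1 from 172.16.35.100 points at layer 2 (the virtual switch or NIC) or at the OPT1 interface rules rather than at the NAT configuration.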

Offline kejianshi

« Reply #27 on: July 06, 2013, 03:55:55 pm »
With this VM, what version of pfSense are you running?  Is this like a 2.1 snapshot?

Is there any reason you couldn't load a stable release and configure the interfaces immediately from the bootup on the console?

Reason I bring it up is that if you have inadvertently clicked some tiny nit-noid setting that is breaking everything, that would clear it.

Also, if it's a pfSense problem because you are living on the bleeding edge of releases, that might also fix your issue.

Just wondering about the options.

Offline biggsy

« Reply #28 on: July 06, 2013, 06:43:56 pm »
Quote
... bleeding edge of releases ...

Unlikely to be the problem. 

atakacs

- Is it ESXi you're using?  If so, does your network diagram pretty much look like the image below?
- Windows firewall off in the VM?
- After making firewall rule changes did you reset states or reboot pfSense?

 

Offline kejianshi

« Reply #29 on: July 06, 2013, 10:04:08 pm »
In my experience, "stable" is for people who have some work they are trying to get done and "Beta" and "RC" are for tinkering or for when you just must have some feature not found in a full stable release.  That's for everything, not just pfSense.

The reason I'd lean towards a clean reinstall of a stable release is he has about 18 hours invested in about 5 minutes worth of install and 2 minutes worth of firewall rule entries. At most, a complete reinstall plus re-entering the firewall rules might cost 7-10 minutes and we will know if it was just a silly button check, some weird one time glitch or if it just isn't about to work for him.  This forum is replete with people on snapshot releases rolling back to a previous install because some update broke their functionality, so I figured why not try rather than keep banging away on settings that at this point seem correct?