
Author Topic: No internet access from DMZ(OPT1)  (Read 21555 times)


Offline biggsy

Re: No internet access from DMZ(OPT1)
« Reply #30 on: July 06, 2013, 11:14:35 pm »
My comment was not meant as a criticism of your suggestion.  Just pointing out that there are also lots of people running 2.1 successfully.  Many of them, including the developers, also run them as VMs. 

You are, of course, completely justified in being wary of beta or RC software and I agree that it doesn't take a lot of work to fire-up a new pfSense VM, do a clean install and configure from scratch. 

I don't know atakacs' motivation for using 2.1 but, honestly, I doubt that is the problem.   Changing to a release version now won't help establish whether it was a "silly button click" or something else. 

A reset to factory defaults and reconfigure might be good compromise.  If 2.1 was to blame then we might find a solution or, at least, identify a bug - to everyone's benefit.

Either way, there are questions from both of us that probably need to be answered first. 

Offline kejianshi

Re: No internet access from DMZ(OPT1)
« Reply #31 on: July 06, 2013, 11:20:38 pm »
Yeah - I'd almost like to SSH to his box, proxy to his web interface and check all the menus and settings, but that would be sort of like handing me the keys to his shiny new car.  Without seeing all of the menus and checking the firewall settings on the hypervisor, I'm sort of at a loss.

Offline atakacs

Re: No internet access from DMZ(OPT1)
« Reply #32 on: July 07, 2013, 02:53:18 am »
Hello

yes my networking is fairly similar



I have instantiated another VM on the OPT LAN and, interestingly enough, both machines can't ping each other, although they both get DHCP leases correctly from pfSense.

So I have created another "local lan" and connected both VMs to it (no pfS involved). They still can't ping each other (manual IP). Very odd. It's clearly an issue with ESXi itself, although I have done such "host only" setups dozens of times without any problem...

So I'll get back to you once this is sorted out


Offline kejianshi

Re: No internet access from DMZ(OPT1)
« Reply #33 on: July 07, 2013, 03:12:24 am »
OK - I'm switching from advice mode to learning mode.  When you sort it out, please post.  I'm interested in why such a (seemingly) crazy simple install isn't working.

Offline atakacs

Re: No internet access from DMZ(OPT1)
« Reply #34 on: July 07, 2013, 03:17:53 am »
Ok further update...

The VMs could not ping each other because of the Windows firewall - I must confess that I did not notice that "out of the box" Win2008R2 Server would not respond to pings - my bad.

So with firewalls turned off I can now ping between the two VMs. I can also ping either VM from pfS. Still can't ping from the VM to pfS, nor, obviously, access the internet.

Next step - full 2.0.3 reinstall... stay tuned.
« Last Edit: July 07, 2013, 03:19:32 am by atakacs »

Offline atakacs

Re: No internet access from DMZ(OPT1)
« Reply #35 on: July 07, 2013, 12:36:15 pm »
Few hours and a full reinstall ... everything works as expected !!

Really weird as I honestly don't remember doing anything differently this time... but OK, we are up & running and that's the point!

Offline kejianshi

Re: No internet access from DMZ(OPT1)
« Reply #36 on: July 07, 2013, 01:10:39 pm »
I'm shocked!

(Not so much)  -  I'm glad it's all good.
Tenacity usually pays off.

Offline Supermule

Re: No internet access from DMZ(OPT1)
« Reply #37 on: July 31, 2014, 01:11:42 pm »
I see the same with the 2.1.4 release. 2.0.3 works fine but AMD64 2.1.4 doesn't...

Thinking of trying the I386 version.....
Kind regards Brian


Offline AndyO

Re: No internet access from DMZ(OPT1)
« Reply #38 on: December 06, 2017, 06:54:39 am »
Have just had a similar issue to this topic - setting up a DMZ using pfSense (v2.4.2) running on ESXi (6.5) - the DMZ was not passing traffic through, could not ping in or out of the DMZ etc., despite the addressing & routing appearing correct...

What I eventually noticed was that the DMZ interface had picked up the wrong network port - my setup has a PPPoE connection for the WAN (BT Infinity FTTC in the UK) and this network port (em1) has two entries - works fine, not an issue, but such is life...

To get the setup working again, I removed the interface from pfSense; I also removed the entire vSwitch & vNICs from ESXi (probably not required), then set up the new vSwitch, port group, vNICs and pfSense configuration again - needed several reboots of pfSense but quicker than re-installing.

The issues I had appear to have been caused by my misconfiguration of the new interface in pfSense, but then the 'correction' not allowing traffic to route as expected - setting up the new interface from scratch using the same settings worked first time; took 5 mins after several hours of fault finding.

I probably made things harder for myself by not testing the firewall rules as I set them up first time round...

So in pfSense - once the new interface is presented & the system has been rebooted (if it's been added as a new interface to an existing setup), then:
1. configure in Interfaces / Assignments
2. set up your firewall rules to allow DMZ access out - test - if not working then probably fault find before continuing
3. set up your firewall rules to restrict DMZ access out (e.g. block access to the LAN) - test
4. set up your firewall rules to allow e.g. DNS lookups to the router (if required); may need a NAT rule; test e.g. by pinging 8.8.8.8 & www.google.com
5. set up port forwards to the DMZ from the WAN as required; test
6. check the firewall rules are in the correct order... & test
« Last Edit: December 06, 2017, 06:58:52 am by AndyO »
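Step 6 of the checklist above is where a DMZ most often ends up quietly leaking: pfSense evaluates the rules on an interface tab top-down and the first match wins, so if the "allow DMZ out" rule from step 2 sits above the "block DMZ to LAN" rule from step 3, the block never fires. The following is an added example, not code from this thread or from pfSense: a small first-match evaluator plus a shadowing check, run against the two orderings. The subnets (LAN 192.168.1.0/24, DMZ/OPT1 192.168.2.0/24, pfSense at 192.168.2.1 on the DMZ side), the hosts and the rule descriptions are all constructed for the example.

```python
"""First-match evaluation of a pfSense-style OPT1/DMZ rule set.

Added example, not code from the thread or from pfSense. It models one
property of pfSense interface rules (top-down, first match wins) to show
why rule order matters: a broad "allow DMZ to any" rule placed above
"block DMZ to LAN" lets DMZ hosts reach the LAN. All addresses below are
constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing (assumed, not taken from the post).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")
OPT1_ADDR = ipaddress.ip_network("192.168.2.1/32")   # pfSense's DMZ-side address
ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "any", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None means any destination port
    descr: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None


def pkt(proto: str, src: str, dst: str, dport: Optional[int] = None) -> Packet:
    """Build a Packet from dotted-quad strings."""
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def matches(rule: Rule, p: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == p.proto)
            and p.src in rule.src
            and p.dst in rule.dst
            and (rule.dport is None or rule.dport == p.dport))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule.

    No match falls through to pfSense's implicit default deny.
    """
    for rule in rules:
        if matches(rule, p):
            return rule.action, rule.descr
    return "block", "default deny"


def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """True if every packet `later` could match is already consumed by `earlier`."""
    proto_ok = earlier.proto in ("any", later.proto)
    port_ok = earlier.dport is None or earlier.dport == later.dport
    return (proto_ok and port_ok
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Descriptions of rules that can never match because an earlier rule covers them."""
    return [later.descr
            for i, later in enumerate(rules)
            if any(shadowed_by(earlier, later) for earlier in rules[:i])]


# The tempting order: step 2's catch-all pass first, step 3's block after it.
WRONG_ORDER = [
    Rule("pass", "any", DMZ_NET, ANY_NET, None, "allow DMZ out"),
    Rule("block", "any", DMZ_NET, LAN_NET, None, "block DMZ to LAN"),
]

# One correct order: specific allows (step 4), then the block (step 3),
# then the catch-all pass (step 2).
RIGHT_ORDER = [
    Rule("pass", "udp", DMZ_NET, OPT1_ADDR, 53, "allow DNS to OPT1 address"),
    Rule("pass", "tcp", DMZ_NET, OPT1_ADDR, 53, "allow DNS (TCP) to OPT1 address"),
    Rule("block", "any", DMZ_NET, LAN_NET, None, "block DMZ to LAN"),
    Rule("pass", "any", DMZ_NET, ANY_NET, None, "allow DMZ out"),
]

if __name__ == "__main__":
    probes = [
        pkt("icmp", "192.168.2.50", "8.8.8.8"),            # the step 4 ping test
        pkt("udp", "192.168.2.50", "192.168.2.1", 53),     # DNS to the firewall
        pkt("tcp", "192.168.2.50", "192.168.1.10", 445),   # DMZ host poking the LAN
    ]
    for name, rules in (("WRONG_ORDER", WRONG_ORDER), ("RIGHT_ORDER", RIGHT_ORDER)):
        print(name, "shadowed:", shadowed_rules(rules))
        for p in probes:
            print("  ", p.proto, p.src, "->", p.dst, p.dport, "=>", evaluate(rules, p))
```

With WRONG_ORDER the SMB probe from the DMZ to a LAN host is passed by "allow DMZ out" and the shadowing check reports "block DMZ to LAN" as unreachable; with RIGHT_ORDER the same probe is blocked while the ping to 8.8.8.8 and DNS to the OPT1 address still pass. The evaluator ignores states, aliases, gateways and the floating tab, so treat it as a sanity check on ordering, not a substitute for the "test" step after each rule.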