
Author Topic: Access DMZ to WAN  (Read 3041 times)


jordan49
Access DMZ to WAN
« on: April 18, 2008, 04:47:46 am »
Hi all,

I would like to have access from the DMZ to the WAN. My interfaces are:

LAN : 10.0.0.50/8
  - PC : 10.0.0.10 => Access WAN OK
    Gateway : 10.0.0.50
    DNS server : 10.0.0.50

DMZ : 10.0.1.50/8
  - PC : 10.0.1.1 => Access WAN down
    Gateway : 10.0.1.50
    DNS server : 10.0.0.50

WAN : 192.168.0.5/24


I have created a rule like the LAN rule for the WAN:

DMZ rules:

Proto  Source   Port  Destination  Port      Gateway  Description
*      DMZ net  *     *            *         *        (Access to WAN)
UDP    DMZ net  *     10.0.0.50    53 (DNS)  *        (Access to DNS server in LAN)

but access to the WAN from the DMZ is still down. I have read the m0n0wall docs but it's the same problem.

Thanks for your help
« Last Edit: April 18, 2008, 04:51:40 am by jordan49 »

GruensFroeschli
Re: Access DMZ to WAN
« Reply #1 on: April 18, 2008, 06:46:55 am »
LAN : 10.0.0.50/8
DMZ : 10.0.1.50/8

The same subnet on two interfaces won't work.
We do what we must, because we can.
(Except when you PM me to help you directly - DONT: keep your issues in the forum)

jordan49
Re: Access DMZ to WAN
« Reply #2 on: April 18, 2008, 07:05:21 am »
OK, now the DMZ subnet is /16 but access to the WAN doesn't work...
  - PC :
    IP address : 10.0.1.1
    Subnet : 255.255.0.0
    Gateway : 10.0.1.50
    DNS : 10.0.0.50

Interface DMZ in Pfsense :
10.0.1.50/16

« Last Edit: April 18, 2008, 07:15:01 am by jordan49 »

GruensFroeschli
Re: Access DMZ to WAN
« Reply #3 on: April 18, 2008, 07:42:42 am »
I suggest you start reading on Wikipedia how subnetting works.
10.0.0.0/16 is still the same subnet as 10.0.1.0/16

jordan49
Re: Access DMZ to WAN
« Reply #4 on: April 18, 2008, 08:02:41 am »
I don't understand, because in the m0n0wall documentation http://doc.m0n0.ch/handbook/examples.html#id11622455 the LAN IP address is 192.168.1.1/24 and the DMZ IP address is 192.168.2.1/24; the subnet is the same...

GruensFroeschli
Re: Access DMZ to WAN
« Reply #5 on: April 18, 2008, 08:14:31 am »
192.168.1.1/24 and 192.168.2.1/24 are two different subnets!

You seem to misinterpret the "/number".
192.168.0.0/24 is equal to 192.168.0.0 to 192.168.0.255
192.168.1.0/24 is equal to 192.168.1.0 to 192.168.1.255

10.0.0.0/8 is equal to 10.0.0.0 to 10.255.255.255
10.0.0.0/16 is equal to 10.0.0.0 to 10.0.255.255

The number in CIDR notation behind the / is how many bits are for the "network" identification.
The rest of the bits (32 - number behind /) are the bits for the addressing within the subnet.

So really read a bit on your own how the basics work.
http://en.wikipedia.org/wiki/Subnetwork
http://en.wikipedia.org/wiki/CIDR
« Last Edit: April 18, 2008, 10:04:53 am by GruensFroeschli »

jordan49
Re: Access DMZ to WAN
« Reply #6 on: April 18, 2008, 09:26:32 am »
OK, so now my DMZ IP address is : 10.1.0.50/16 (network : 10.1.0.0)
and my LAN IP address is : 10.0.0.50/8 (network : 10.0.0.0)


I don't have an access to WAN...

jordan49
Re: Access DMZ to WAN
« Reply #7 on: April 18, 2008, 09:39:12 am »
I took the DNS address of my Freebox and the WAN is now OK from my DMZ...

Thank you GruensFroeschli

GruensFroeschli
Re: Access DMZ to WAN
« Reply #8 on: April 18, 2008, 09:41:56 am »
Your addresses are still conflicting.

10.0.0.50/8
is 10.0.0.0 up to 10.255.255.255

which contains

10.1.0.50/16
which is 10.1.0.0 to 10.1.255.255

Just set your first subnet to /16 too and it should work.
-->
10.0.0.0/16
10.1.0.0/16
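A worked check of the CIDR ranges in Reply #5 and the overlap problem in Reply #8, as an added example that is not from the thread or from pfSense itself. It uses Python's standard ipaddress module; the POSTED and FIXED interface tables are constructed from the addresses posted above.

```python
import ipaddress

# Interface addresses as posted in Reply #6 (constructed from the thread),
# and the corrected pair suggested in Reply #8.
POSTED = {"LAN": "10.0.0.50/8", "DMZ": "10.1.0.50/16"}
FIXED = {"LAN": "10.0.0.50/16", "DMZ": "10.1.0.50/16"}


def address_range(cidr):
    """First and last address covered by a CIDR block, e.g. 10.0.0.0/8."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def host_bits(cidr):
    """Bits left for addressing inside the subnet: 32 minus the prefix length."""
    return 32 - ipaddress.ip_network(cidr, strict=False).prefixlen


def network_of(iface_cidr):
    """The subnet an interface address belongs to (host bits zeroed)."""
    return ipaddress.ip_interface(iface_cidr).network


def overlapping_interfaces(interfaces):
    """Pairs of interface names whose subnets overlap; a firewall needs this empty."""
    nets = {name: network_of(cidr) for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    for cidr in ("10.0.0.0/8", "10.0.0.0/16", "192.168.1.0/24"):
        print(cidr, "covers", *address_range(cidr), "host bits:", host_bits(cidr))
    print("posted:", overlapping_interfaces(POSTED))  # [('DMZ', 'LAN')]
    print("fixed: ", overlapping_interfaces(FIXED))   # []
```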

jordan49
Re: Access DMZ to WAN
« Reply #9 on: April 18, 2008, 10:06:22 am »
OK, ty for the tip. I have a new problem ^^: in my DMZ I have an Apache server on port 80 but it is inaccessible from the WAN.
10.1.0.1 is the server ip address.

In Firewall: NAT: 1:1 I have the rule:

Interface  External IP      Internal IP  Description
WAN        192.168.0.10/32  10.1.0.1/32  www

And in port forward:

If   Proto  Ext. port range  NAT IP    Int. port
WAN  TCP    80 (HTTP)        10.1.0.1  80 (HTTP)
            (ext.: 192.168.0.5)

But when I want to connect to 192.168.0.10 it's down.


GruensFroeschli
Re: Access DMZ to WAN
« Reply #10 on: April 18, 2008, 10:24:52 am »
You don't use 1:1 NAT and normal forwardings.
One or the other.

In your forwarding rule you have as ext: 192.168.0.5.
Are you sure that your WAN interface is 192.168.0.10 and not 192.168.0.5?
Also if you want to forward port 80 of your WAN, make sure that you change the webgui to something else.

jahonix
Re: Access DMZ to WAN
« Reply #11 on: April 18, 2008, 10:35:46 am »
If WAN is on a private subnet (like 192.168. is) you have to disable 'block private subnets' as well.
What's in front of your WAN anyway?
Chris


Theoretically, theory and practice should be the same.
Practically they aren't.

jordan49
Re: Access DMZ to WAN
« Reply #12 on: April 18, 2008, 12:32:50 pm »
This works perfectly, thanks a lot!