On Thu, Mar 13, 2008 at 3:16 AM, Angelo Turetta <
[EMAIL PROTECTED]> wrote:

> joseph blase wrote:
> > Now all traffic I allowed from LAN to DMZ are working and vice-versa as
> > well as {LAN,DMZ} going out thru WAN int. The issue now is user from
> > outside(internet users) are not able to access the services/ports that I
> > serve on my DMZ server, I created a firewall rule on WAN to allow
> > traffic from any to DMZ Subnet to specific ports to no avail. Anything
> > that needs to be done?
>
> If you are sure the filter rule on the WAN is OK, you may have one (or
> both) of these two problems:
>
> - you have not enabled 'advanced outbound NAT'. Now probably the packets
>  from the DMZ hosts are being NAT-ed, and this is why connections
> initiated by the DMZ hosts can reach the Internet, but not vice-versa.
>


Looking at the dump from the DMZ interface, the host going from the DMZ to the outside seems not to be NAT-ed, right?

<snipped>

13:07:24.114224 IP outside_host.domain.com.ssh > dmzhost.domain.com.32884: . ack 1103 win 76 <nop,nop,timestamp 14686432 339481418>
13:07:24.130039 IP outside_host.domain.com.ssh > dmzhost.domain.com.32884: P 1720:1752(32) ack 1103 win 76 <nop,nop,timestamp 14686432 339481418>
13:07:24.130190 IP dmzhost.domain.com.32884 > outside_host.domain.com.ssh: . ack 1752 win 2172 <nop,nop,timestamp 339481686 14686432>
13:07:24.130798 IP dmzhost.domain.com.32884 > outside_host.domain.com.ssh: P 1103:1167(64) ack 1752 win 2172 <nop,nop,timestamp 339481687 14686432>
13:07:24.252722 IP 10.110.18.6.2163 > dmzhost.domain.com.ssh: . ack 40349 win 15160

<snipped>


>
> - wrong routing on the upstream router (doesn't forward packets for
> 207.230.228.X/24 to your pfSense)


This one I think is the culprit, though I can't be sure yet; trying to ssh from outside to a host inside the DMZ doesn't give any indication of packets, based on tcpdump at the WAN interface.



>
> Logging-in to your pfSense with SSH, and comparing the output of the
> following commands during your tests:
>
>       tcpdump -i <name_of_WAN_interface>
>       tcpdump -i <name_of_DMZ_interface>
>
> might be enlightening


From the pasted output, can I be sure that my DMZ IPs are not being NAT-ed?
If yes, then the problem might be that all routes going to that subnet are
still being forwarded to my existing ipfw box.

>
> Angelo.



Thank you for the enlightening answer.

--joseph

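The two checks Angelo suggests (compare tcpdump on the WAN and DMZ interfaces to see whether outbound DMZ traffic is NAT-ed, and whether inbound connection attempts from the Internet ever reach the WAN interface at all) can be automated over saved captures. The script below is an added example written for this page, not code from the thread or from pfSense; it assumes `tcpdump -nn` style output (numeric hosts and ports), and the captures, the DMZ host 207.230.228.10, the pfSense WAN address 198.51.100.2 and the outside hosts 203.0.113.5 / 203.0.113.9 are constructed sample data, not the thread's real dumps.

```python
import ipaddress
import re

# One tcpdump -nn line, e.g.
# 13:07:24.130798 IP 207.230.228.10.32884 > 203.0.113.5.22: P 1103:1167(64) ack 1752 win 2172
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ?(?P<rest>.*)$")

DMZ_NET = "207.230.228.0/24"  # the DMZ subnet mentioned in the thread


def split_endpoint(endpoint):
    """tcpdump joins host and port with a dot: '207.230.228.10.32884' -> ('207.230.228.10', '32884')."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_dump(text):
    """Parse tcpdump -nn lines into dicts; lines that do not match (e.g. '<snipped>') are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        packets.append({"ts": m["ts"], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "info": m["rest"]})
    return packets


def in_net(ip, net):
    """True if ip is a numeric address inside net; hostnames (no -nn) never match."""
    try:
        return ipaddress.ip_address(ip) in net
    except ValueError:
        return False


def outbound_nat_status(dmz_dump, wan_dump, dmz_net):
    """For every connection a DMZ host initiates (packets on the DMZ interface with a DMZ source
    address), find the same destination on the WAN interface and report whether the source was
    rewritten on the way out.
      nat=False : DMZ address appears unchanged on WAN (no outbound NAT for that host)
      nat=True  : a different source address appears on WAN for that destination (NAT-ed)
      nat=None  : the flow never shows up on WAN (a filter or route problem, not a NAT question)
    """
    net = ipaddress.ip_network(dmz_net)
    wan = parse_dump(wan_dump)
    report = {}
    for p in parse_dump(dmz_dump):
        if not in_net(p["src"], net):
            continue
        key = (p["dst"], p["dport"])
        wan_srcs = sorted({w["src"] for w in wan if (w["dst"], w["dport"]) == key})
        nat = False if p["src"] in wan_srcs else (True if wan_srcs else None)
        report[key] = {"dmz_src": p["src"], "wan_srcs": wan_srcs, "nat": nat}
    return report


def inbound_seen_on_wan(wan_dump, dmz_net, dport):
    """True if any packet addressed to the DMZ subnet on dport arrived on the WAN interface.
    If a connection attempt from the Internet never appears here, the packets are not reaching
    pfSense at all (e.g. the upstream router still routes the subnet elsewhere), so no WAN
    filter rule can help."""
    net = ipaddress.ip_network(dmz_net)
    return any(in_net(p["dst"], net) and p["dport"] == str(dport) for p in parse_dump(wan_dump))


# Constructed captures (not the thread's real dumps): DMZ host 207.230.228.10 has an SSH session
# open to 203.0.113.5, plus a LAN host 10.110.18.6 talking to its SSH port.
DMZ_DUMP = """\
13:07:24.114224 IP 203.0.113.5.22 > 207.230.228.10.32884: . ack 1103 win 76
13:07:24.130798 IP 207.230.228.10.32884 > 203.0.113.5.22: P 1103:1167(64) ack 1752 win 2172
13:07:24.252722 IP 10.110.18.6.2163 > 207.230.228.10.22: . ack 40349 win 15160
"""
# WAN side when the DMZ subnet is routed, not translated
WAN_DUMP_ROUTED = """\
13:07:24.130850 IP 207.230.228.10.32884 > 203.0.113.5.22: P 1103:1167(64) ack 1752 win 2172
"""
# WAN side when pfSense NATs the DMZ host behind its WAN address (198.51.100.2 assumed)
WAN_DUMP_NATTED = """\
13:07:24.130850 IP 198.51.100.2.61002 > 203.0.113.5.22: P 1103:1167(64) ack 1752 win 2172
"""
# WAN side with an outside host's SSH SYN to the DMZ host actually arriving
WAN_DUMP_INBOUND = """\
13:08:01.000000 IP 203.0.113.9.51000 > 207.230.228.10.22: S 3402001234:3402001234(0) win 65535
"""

if __name__ == "__main__":
    for name, wan in (("routed", WAN_DUMP_ROUTED), ("natted", WAN_DUMP_NATTED)):
        print(name, outbound_nat_status(DMZ_DUMP, wan, DMZ_NET))
    print("inbound ssh seen on WAN:", inbound_seen_on_wan(WAN_DUMP_ROUTED, DMZ_NET, 22),
          inbound_seen_on_wan(WAN_DUMP_INBOUND, DMZ_NET, 22))
```

Run it against two files saved from `tcpdump -nn -i <WAN>` and `tcpdump -nn -i <DMZ>` taken during the same test. `nat=False` for the DMZ flows matches the "not NAT-ed" reading of the dump in the thread; `inbound_seen_on_wan(...) == False` while an outside ssh attempt is running is the upstream-routing symptom Angelo's second bullet describes.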