PfSense put a computer in the DMZ ??


Fritz

Well-Known Member
Apparently this is way more complicated in pfSense than in a standard router. I've googled till I'm blue in the face and can't find anything.

Anybody got a link and/or advice on how to proceed?

TIA
 

kapone

Well-Known Member
In pfSense terms, a DMZ is nothing but an isolated interface/VLAN that has connectivity only to the WAN. There's no connectivity between that interface and any other interface (except WAN). Then you port forward to hosts in that network to your heart's content.

Typically in the firewall rules for that interface you have a bare minimum, e.g. ICMP response and DNS. The port forwarding is on the WAN interface.
 

Fritz

Well-Known Member
Ah, thanks. The box in question runs my security cams via Blue Iris. It has 2 NICs. One for internet and the other for the cams. The cams are on a separate subnet at present that has no gateway/DNS server. I'm trying to get HTTPS to work with BI and have hit a stone wall. I'm thinking maybe pfSense isn't allowing HTTPS because the box isn't in a DMZ. I could be wrong but don't know what else the problem could be.

Thanks
 

kapone

Well-Known Member
https should have nothing to do with a DMZ. Make sure your default pfSense web configurator is not configured for port 443... :) That will make https port forward not work.

Edit: You're trying to get https to work on the NIC in your BI machine, the one that's connected to the internet, right?
 

Fritz

Well-Known Member
Yep.

I changed the web configurator to another port using the instructions here and still no joy - How to change the remote access port for pfSense - WP Computer Solutions

Is the web configurator the web page of the PfSense box or is it something else?
 

kapone

Well-Known Member
@Fritz - Sorry, was busy with the kids. Do me a favor, show a screenshot of your 1:1 NAT as well as Outbound, please.

That said, I don't see a port forward for port 443 (https) anywhere. Am I missing something?
 

Fritz

Well-Known Member
Nope, I'm the one missing something. I thought I was supposed to change the port to something other than 443 so I did. Changed it to 9990.

1:1 NAT is empty.

Just changed it back to 443. Not sure I know what 1:1 NAT is, sorry.
 

itronin

Well-Known Member
@Fritz

1:1 NAT is 1:1 Network Address Translation.

A pretty common deployment for PFSense ipv4 might be:

Public facing interface (untrusted, uses Public IP addresses, we'll call this Subnet U, /29 in size)
DMZ facing interface (untrusted, uses Private IP addresses, we'll call this Subnet D, /24 in size)
Private facing interface (trusted, uses Private IP addresses, we'll call this Subnet T, /24 in size)

With such a configuration you would use 1:1 NAT to assign an IP address from the Subnet U IP block to an IP address in Subnet D. You still need rules to decide what ports may be passed through to your DMZ host.

ie. 123.4.5.6 -> 192.168.10.100
(public IP is ONLY an example I pulled out of the ether.)

Most likely this 1:1 NAT is also configured as transitive, so that traffic coming from 192.168.10.100 becomes 123.4.5.6 when it passes through the public facing interface to the outside world.

Using 1:1 NAT implies that your ISP has given you a static IP block of public addresses, and at a guess they'd probably have assigned you a /29 block, which in my experience is the most common size assigned by ISPs that requires only a little bit of justification.

If you only have a /32 static public IP or actually have a dynamically assigned public IP to your public facing interface then what we're really looking at is port forwarding to a host in the DMZ.

It would be helpful to know the following IPv4 information:
the last octet (host/network) and the size of Subnet U
the last network portion octet and size of Subnet D - guessing 192.168.10.0/24 or 192.168.10.0 255.255.255.0
the last network portion octet and size of Subnet T

It would be helpful to know the following pfSense interface IPs:

Subnet U host portion IP address
Subnet D interface IP address
Subnet T interface IP address

By only asking for the last octet I'm trying to maintain a level of privacy, so you don't feel like I'm asking for super secret information.

If you don't know the size then you can provide the netmask and we can calculate the size.
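The netmask-to-size calculation and the 1:1 NAT mapping described in this post, as an added example that is not from the thread or from pfSense itself. The public block 123.4.5.0/29 and the DMZ gateway 192.168.10.1 are constructed assumptions; 123.4.5.6 and 192.168.10.100 are the addresses the post uses.

```python
# Added example (not from the thread): turn a netmask into a prefix size and
# sanity-check a 1:1 NAT mapping of the kind described above. The public
# block 123.4.5.0/29 and gateway 192.168.10.1 are constructed assumptions.
import ipaddress

def subnet_from_mask(network: str, netmask: str) -> ipaddress.IPv4Network:
    """'192.168.10.0', '255.255.255.0' -> IPv4Network('192.168.10.0/24')."""
    return ipaddress.IPv4Network(f"{network}/{netmask}", strict=False)

def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host addresses left after dropping network and broadcast (/29 -> 6)."""
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2

def check_one_to_one(public_ip: str, public_block: str,
                     dmz_ip: str, dmz_subnet: str, dmz_gateway: str) -> list[str]:
    """Return the problems with a proposed 1:1 NAT mapping (empty list = OK)."""
    pub, blk = ipaddress.IPv4Address(public_ip), ipaddress.IPv4Network(public_block)
    dmz, sub = ipaddress.IPv4Address(dmz_ip), ipaddress.IPv4Network(dmz_subnet)
    problems = []
    if pub not in blk:
        problems.append(f"{pub} is outside the public block {blk}")
    elif blk.prefixlen < 31 and pub in (blk.network_address, blk.broadcast_address):
        problems.append(f"{pub} is the network or broadcast address of {blk}")
    if not dmz.is_private:
        problems.append(f"{dmz} is not an RFC 1918 address")
    if dmz not in sub:
        problems.append(f"{dmz} is outside the DMZ subnet {sub}")
    elif dmz == ipaddress.IPv4Address(dmz_gateway):
        problems.append(f"{dmz} is the pfSense DMZ interface address itself")
    return problems

if __name__ == "__main__":
    d = subnet_from_mask("192.168.10.0", "255.255.255.0")
    print(d, "usable hosts:", usable_hosts(d))
    print("problems:", check_one_to_one("123.4.5.6", "123.4.5.0/29",
                                        "192.168.10.100", str(d), "192.168.10.1"))
```

A /32 public block (the single static IP case mentioned below) passes the checks too, which is the point at which plain port forwarding rather than 1:1 NAT becomes the right tool.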
 

Fritz

Well-Known Member
Thanks for this very detailed explanation. Think I've determined that it isn't a DMZ I need, I wrongly assumed it did but according to an earlier post, DMZ has nothing to do with my problem. Problem is PfSense isn't forwarding https port 443 to 192.168.10.100. I get "Unable to reach server" when I attempt to connect from my phone from the outside and "The Server is taking too long to respond" when I try to connect from another computer on the inside. :(

http works fine tho.
 

itronin

Well-Known Member
I wondered if that might be the case... and I apologize if this is a stupid question but...

when you had the 9990 port forward rule in place were you trying the following IP address:


or did you try

 

itronin

Well-Known Member
sorry another dumb question:

Does your phone have access to BI from inside your local network?

What ports are configured for BI on your BI "server"?
 

Fritz

Well-Known Member
Kapone said above to make sure the pfSense web configurator wasn't using port 443. I misunderstood and briefly changed the https port to 9990 and then changed it back to 443. Never checked anything.
 

itronin

Well-Known Member
k. so back to my dumb question:

Does your phone have access to BI from inside your local network (ie. via internal WiFi)?

I just want to check and see if we are troubleshooting an issue or multiple issues.

what is your current port forward rule for BI?

something like WAN TCP * * WAN Address 443 192.168.10.100 443 ???
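The "one issue or several" question above can be answered from inside the LAN before touching the WAN port forward: a TCP probe of the BI host on 80 and 443 separates "nothing is listening on 443" (connection refused, so a Blue Iris setting) from "packets are being dropped" (timeout, so a firewall rule). This is an added example, not code from the thread or from pfSense; 192.168.10.100 is the host address given in the thread and the local listener is a constructed stand-in so the script can be exercised offline.

```python
# Added example (not from the thread): probe the Blue Iris host's HTTP and
# HTTPS ports from a machine inside the LAN and tell "nothing listening"
# (connection refused) apart from "packets being dropped" (timeout).
# 192.168.10.100 comes from the thread; demo_listener() is a constructed
# stand-in for a listening service so the probe can run anywhere.
import socket
import sys

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'error' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:            # no route to host, network unreachable, ...
        return "error"

def diagnose(http: str, https: str) -> str:
    """Interpret the pair of probe results for ports 80 and 443."""
    if http != "open":
        return "port 80 not reachable either: check addressing/routing to the host first"
    if https == "refused":
        return "host answers on 80 but nothing listens on 443: check the Blue Iris HTTPS port"
    if https == "timeout":
        return "host answers on 80 but 443 is dropped: check firewall rules toward that subnet"
    if https == "open":
        return "both ports answer on the LAN: look at the WAN port forward / NAT reflection"
    return "443 errored: check routing and the host's own firewall"

def demo_listener() -> tuple[socket.socket, int]:
    """Constructed listener on 127.0.0.1 so the probe can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.10.100"
    results = {p: probe_tcp(target, p) for p in (80, 443)}
    print(results, "->", diagnose(results[80], results[443]))
```

Probe the host's LAN address rather than your public IP from inside: reaching the WAN address from the LAN needs NAT reflection enabled in pfSense (System > Advanced > Firewall & NAT), so a failure there does not by itself mean the port forward is wrong.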