This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Gnarly prob -> DNAT on DMZ with External using DHCP?

On ASL 1.957

I cannot get the webserver to work using DNAT with the following config:

Webserver 192.168.3.50 255.255.255.255
DMZ       192.168.3.0  255.255.255.0
External  192.168.2.0  255.255.255.0
Internal  192.168.1.0  255.255.255.0

The external IP actually comes from DHCP and is public IP from my ISP.

Packet Filter:

Internal  Any   Any       Allow
DMZ       HTTP  Any       Allow
DMZ       DNS   Any       Allow
DMZ       HTTPS Any       Allow
Any       HTTP  Webserver Allow

Masquerading:

DMZ    -> Extern
Intern -> Extern

DNAT:

Extern HTTP Webserver HTTP

Am I missing something here? From what I have read on the boards this seems like it should work. The only thing that I can think of is that perhaps I am having a prob because of the DHCP. Can someone point out what may be wrong here? Thanks.

This thread was automatically locked due to age.

Parents

0 STICF over 24 years ago

Just a quick question? Where is the computer that you are using to test connectivity to your web server? Inside or outside of the FW?

STICF
Cancel
Vote Up 0 Vote Down

Cancel
0 BurbankGeek over 24 years ago in reply to STICF

The one that I am trying to connect from is on the Internal subnet.
Cancel
Vote Up 0 Vote Down

Cancel
0 giallu over 24 years ago in reply to BurbankGeek

Maybe you haven't set a route from internal to DMZ?? in that case packtes are allowed to traverse the firewall to/from DMZ, since it seems you have a good setup for it, but they dont' know where to go where they reach eth0 on the firewall.

greets
Cancel
Vote Up 0 Vote Down

Cancel
0 BurbankGeek over 24 years ago in reply to giallu

Thanks. I will try it when I get home. It turns out that every time I make a change to the Firewall (routing, DNAT, Definitions etc.) I have to restart the DHCPCD. So when I tried to change it remotely... OOF! That gets old quick. Anyone know of a way to get around that?
Cancel
Vote Up 0 Vote Down

Cancel
0 BurbankGeek over 24 years ago in reply to BurbankGeek

No dice. It didnt work. Can anyone give a general idea of what the routing table for the above config should look like? Is it possible that the DHCP assigned address for the External Network is what may be causing the problem?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BurbankGeek over 24 years ago in reply to BurbankGeek

No dice. It didnt work. Can anyone give a general idea of what the routing table for the above config should look like? Is it possible that the DHCP assigned address for the External Network is what may be causing the problem?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 lanman over 22 years ago in reply to BurbankGeek

Csan you ping fromn the DMZ to the LAN. can you get to the web server using the IP address and not a DNS name.

Try creating a rule DMZ Internal ANY Allow. This will allow traffic to return to the internal lan.

Also if you ever plan on getting to this web server from the Internet it will not work as 192.168.x.x/24 is a non routable address space. Your ISP has a firewall if this is the assigned address.
Cancel
Vote Up 0 Vote Down

Cancel