OPNsense Forum

English Forums => General Discussion => Topic started by: klausneil on May 16, 2016, 01:17:12 am

Title: (solved) Opnsense DMZ
Post by: klausneil on May 16, 2016, 01:17:12 am: Hi, i need configure my opnsense by allow access from the LAN to my DNS Server that is in my DMZ, please anybody tell me how make this or documentation or link. Please help me.
Title: Re: Opnsense DMZ
Post by: fabian on May 16, 2016, 10:52:25 am: you need a pass rule
=> from: your lan network
=> destination: ip of your dns server
=> destination port: 53
=> protocol: udp using IPv4/IPv6
Title: Re: Opnsense DMZ
Post by: klausneil on May 18, 2016, 01:57:25 am: Thanks fabian, but i try this rule but not connect, my schema is this

internet(190.21.22.12)----router(192.168.1.1)----eth0(192.168.1.2)----opnsense----eth1(192.168.15.1)----LAN PCs (192.168.15.0/24)
I___eth2 (192.168.10.1) ---- DMZ (192.168.10.0/24)
I__MAIL(192.168.10.13)
I__DNS(192.168.10.3)

By default my network is pointing to dns server of the opnsense but how i can connect from my LAN net to the DNS that is in my DMZ.
Title: Re: Opnsense DMZ
Post by: fabian on May 18, 2016, 08:34:00 am: If you want to use it as a recursive resolver for your clients, you probably want to configure it in the DHCP settings.
Title: Re: Opnsense DMZ
Post by: klausneil on May 19, 2016, 06:33:20 am: Hi my configuraton in my client winxp is this

ip: 192.168.15.27
netmask: 255.255.255.0
gateway: 192.168.15.1
dns: 192.168.10.3

And my rule is this image. but i not connect to internet, i can make ping to 192.168.10.3 from winxp and the log say that the machine is allow to dns, why this?
Title: Re: Opnsense DMZ
Post by: franco on May 19, 2016, 08:15:02 am: Can you check your DNS server logs, specifically whether your XP machine queries can reach it?
Title: Re: Opnsense DMZ
Post by: klausneil on May 20, 2016, 01:52:56 am: Well i try navigate to google.com and eset.com but this not work and the log is the imagen and say:

May 19 18:43:00 bind named[1835]: client 192.168.15.29#1025 (www.eset.com.com): query (cache) 'www.eset.com.com/A/IN' denied
Title: Re: Opnsense DMZ
Post by: franco on May 20, 2016, 07:26:47 pm: In this case... bind config is missing an ACL entry for your subnet 192.168.15.0/24. It refuses to answer your queries ;)
Title: Re: Opnsense DMZ
Post by: klausneil on May 21, 2016, 12:41:50 am: Thanks franco, you're right but you can help me? i try configure in named.conf but nothing
Title: Re: Opnsense DMZ
Post by: fabian on May 21, 2016, 11:52:22 am: can you try to add this to your configuration:
allow-query { 192.168.15.0/24; };
Title: Re: Opnsense DMZ
Post by: klausneil on May 21, 2016, 08:42:28 pm: Thanks fabian by your help but i try insert the line in my configuration named.conf.options img 01 but i try access to google.com but not work.
Title: Re: Opnsense DMZ
Post by: klausneil on May 21, 2016, 08:48:58 pm: This is the other image.
Title: Re: Opnsense DMZ
Post by: fabian on May 21, 2016, 10:47:16 pm: can you try to change the next two directives too?
Title: Re: Opnsense DMZ
Post by: klausneil on May 23, 2016, 10:18:38 pm: fabian, thank you so much, this work. thanks bro.
Title: Re: Opnsense DMZ
Post by: klausneil on May 24, 2016, 11:38:30 pm: fabian, i supress this 2 line and work for my LAN but my DMZ not work, when try navigate or install a application example on linux server on dmz this not work, i try configure in allow-query {any;}; but this not solved
Title: Re: Opnsense DMZ
Post by: fabian on May 25, 2016, 10:58:32 am: maybe you have a wrong value in /etc/resolv.conf
Title: Re: Opnsense DMZ
Post by: klausneil on May 26, 2016, 12:29:55 am: Hi fabian,i reset my server and this work. Thanks