Messages - biscuit2005

1
23.7 Legacy Series / Re: Internet problem in DMZ
« on: February 12, 2024, 11:19:20 pm »
Okay, maybe I asked too many questions, and maybe someone can tell me why the Internet is blocked when NAT is turned on. 8)

2
23.7 Legacy Series / Re: Internet problem in DMZ
« on: February 11, 2024, 06:07:11 pm »
Correction: please give easy explanations.

3
23.7 Legacy Series / Internet problem in DMZ
« on: February 11, 2024, 05:56:59 pm »
Hello to all OPNsense enthusiasts.  :)
I would like to inform you right away that I am a beginner and I don't have much experience with OPNsense, so I would like to ask for help, explained as if to a child.

So: I have OPNsense 23.7 installed, which I updated to OPNsense 23.7.12_5-amd64.
I created a DMZ following this description: https://getlabsdone.com/how-to-configure-opnsense-dmz-step-by-step/

1. On the opt3 interface I have a DMZ with the address 172.16.0.1
2. I have DHCP enabled in the service and a tangential IP address for DMZ is assigned 172.16.0.100;
3. I have rules configured on the DMZ and on the WAN as described;

And something strange happens: I run one-to-one in Firewall in NAT, and I immediately have access to the Internet cut off on the Apache server in the DMZ zone. Even the rule installed on Firewall -> Rules -> DMZ, which is supposed to enable Internet access, does not help. ;-)

However, after disabling one-to-one NAT in the DMZ, the Internet is available in the DMZ, even if the rule on the WAN interface is disabled.

My questions:
1. What is this one-on-one NAT all about, why does it block Internet access on the DMZ;
2. Why does the rule in the DMZ not unblock Internet access;
3. Why is there the so-called virtual IP and what address should I enter there: a private address, e.g. 192.168.1.100, or rather a public IP address, e.g. 37.52.130.155;
4. Why is an ICMP rule needed on a DMZ gateway?

Of the above questions, the most important is: why does one-to-one NAT block Internet access? Although in Ubuntu (where the Apache http server is installed) I see the assigned network address 172.16.0.100, which was assigned by the DHCP server on the DMZ interface.

Best regards and please provide pathological explanations.  ;)
