Author Topic: (solved) Opnsense DMZ  (Read 4780 times)

klausneil

« on: May 16, 2016, 01:17:12 am »
Hi, I need to configure my OPNsense to allow access from the LAN to my DNS server that is in my DMZ. Please, can anybody tell me how to do this, or point me to documentation or a link? Please help me.
« Last Edit: May 26, 2016, 03:45:43 am by klausneil »

fabian

« Reply #1 on: May 16, 2016, 10:52:25 am »
You need a pass rule:
=> from: your LAN network
=> destination: IP of your DNS server
=> destination port: 53
=> protocol: UDP using IPv4/IPv6

klausneil

« Reply #2 on: May 18, 2016, 01:57:25 am »
Thanks fabian, I tried this rule but it does not connect. My schema is this:

internet(190.21.22.12)----router(192.168.1.1)----eth0(192.168.1.2)----opnsense----eth1(192.168.15.1)----LAN PCs (192.168.15.0/24)
                                                                         |___eth2 (192.168.10.1) ---- DMZ (192.168.10.0/24)
                                                                                                      |__MAIL(192.168.10.13)
                                                                                                      |__DNS(192.168.10.3)

By default my network points to the DNS server of the OPNsense, but how can I connect from my LAN to the DNS server that is in my DMZ?

fabian

« Reply #3 on: May 18, 2016, 08:34:00 am »
If you want to use it as a recursive resolver for your clients, you probably want to configure it in the DHCP settings.

klausneil

« Reply #4 on: May 19, 2016, 06:33:20 am »
Hi, the configuration on my WinXP client is this:

ip:       192.168.15.27
netmask:  255.255.255.0
gateway:  192.168.15.1
dns:      192.168.10.3

And my rule is in this image. But I cannot connect to the internet. I can ping 192.168.10.3 from WinXP and the log says that the machine is allowed for DNS. Why is this?
« Last Edit: May 19, 2016, 06:44:54 am by klausneil »

franco

« Reply #5 on: May 19, 2016, 08:15:02 am »
Can you check your DNS server logs, specifically whether your XP machine queries can reach it?

klausneil

« Reply #6 on: May 20, 2016, 01:52:56 am »
Well, I tried to navigate to google.com and eset.com but this does not work, and the log is in the image and says:

May 19 18:43:00 bind named[1835]: client 192.168.15.29#1025 (www.eset.com.com): query (cache) 'www.eset.com.com/A/IN' denied
« Last Edit: May 26, 2016, 03:27:06 am by klausneil »

franco

« Reply #7 on: May 20, 2016, 07:26:47 pm »
In this case... bind config is missing an ACL entry for your subnet 192.168.15.0/24. It refuses to answer your queries ;)
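
Added example (not from the thread or from the OPNsense or BIND projects): the denied line quoted in reply #6 can be matched mechanically to find which internal subnets the resolver is refusing, which is the check franco did by eye above. The function names and every log line except the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# First line is the one quoted in the thread; the other three are constructed.
SAMPLE_LOG = """\
May 19 18:43:00 bind named[1835]: client 192.168.15.29#1025 (www.eset.com.com): query (cache) 'www.eset.com.com/A/IN' denied
May 19 18:43:02 bind named[1835]: client 192.168.15.27#1031 (google.com): query (cache) 'google.com/A/IN' denied
May 19 18:43:05 bind named[1835]: client 192.168.10.13#40112 (example.org): query (cache) 'example.org/MX/IN' denied
May 19 18:43:09 bind named[1835]: client 203.0.113.7#5353 (example.org): query 'example.org/A/IN' denied
"""

# "(cache)" marks a refusal by the resolver's cache access check; without it the
# refusal came from an allow-query check. Newer BIND adds "@0x..." after "client".
DENIED = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ .*?"
    r"query (?P<cache>\(cache\) )?'(?P<qname>[^/']+)/(?P<qtype>\w+)/\w+' denied"
)

def denied_by_network(log_text, internal_nets):
    """Count denied queries per (network, kind); unlisted sources are 'other'."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        net = next((str(n) for n in nets if ip in n), "other")
        counts[(net, "cache" if m["cache"] else "zone")] += 1
    return counts

def acl_gaps(log_text, internal_nets):
    """Internal networks whose recursive queries are refused: check the ACL for these."""
    counts = denied_by_network(log_text, internal_nets)
    return sorted(n for (n, kind) in counts if n != "other" and kind == "cache")

if __name__ == "__main__":
    nets = ["192.168.15.0/24", "192.168.10.0/24"]  # LAN and DMZ from the thread
    for (net, kind), n in sorted(denied_by_network(SAMPLE_LOG, nets).items()):
        print(f"{net:18} {kind:5} denied={n}")
    print("missing from resolver ACL:", acl_gaps(SAMPLE_LOG, nets))
```

Denials from addresses outside the listed networks are counted under "other" and left out of the gap list, since those are refusals the ACL is supposed to produce.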

klausneil

« Reply #8 on: May 21, 2016, 12:41:50 am »
Thanks franco, you're right, but can you help me? I tried to configure it in named.conf but nothing.

fabian

« Reply #9 on: May 21, 2016, 11:52:22 am »
Can you try to add this to your configuration:
allow-query { 192.168.15.0/24; };

klausneil

« Reply #10 on: May 21, 2016, 08:42:28 pm »
Thanks fabian for your help. I tried to insert the line in my configuration named.conf.options (img 01), but when I try to access google.com it does not work.

klausneil

« Reply #11 on: May 21, 2016, 08:48:58 pm »
This is the other image.

fabian

« Reply #12 on: May 21, 2016, 10:47:16 pm »
Can you try to change the next two directives too?

klausneil

« Reply #13 on: May 23, 2016, 10:18:38 pm »
fabian, thank you so much, this works. Thanks bro.

klausneil

« Reply #14 on: May 24, 2016, 11:38:30 pm »
fabian, I suppressed these 2 lines and it works for my LAN, but my DMZ does not work: when I try to navigate or install an application, for example on a Linux server in the DMZ, this does not work. I tried to configure allow-query {any;}; but this did not solve it.