
atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA


DMZ and Pfsense Question

Do you actually need to have a physical interface (network card) to set up a DMZ on pfSense? I have 3 cards now: 2 for the cable modems, 1 that goes to the LAN. I tried to set it up and it is killing DHCP. If you do actually have to have a physical interface card, I will have to order a dual NIC card from Amazon, as there are no more free slots available in the machine I have running pfSense.

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

2 recommendations


You can put DMZ (and LAN) on a VLAN, but you have to have a VLAN-capable switch on the LAN port to be able to assign LAN and DMZ to separate ports.

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA


I went ahead and ordered the dual card. pfSense is messing with some SIP stuff. Won't let the phones communicate with the servers and it'll just be easier to put the phones on a DMZ.
atuarre

Premium Member

It's a nightmare to deal with sometimes. Some things just don't work. Be very happy when that card arrives.
atuarre

Premium Member

When I enable the interface on the DMZ, the DHCP server stops. Why is that? The interface that DMZ is supposed to be on is given a static IP address.

If I disable the DMZ interface, the DHCP server starts back up.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL


You should be able to enable/disable the DHCP server on an interface by interface basis.

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA


Yes, I go to Service, then DHCP Server, and the DMZ tab shows up following the LAN tab. I click Enable DHCP Server on DMZ interface. When I do this, the DHCP service stops. I check that under Status, Services. If I disable DHCP server on the DMZ interface, the service starts right back up.
atuarre

Premium Member

For whatever reason, pfSense doesn't like one of the NIC cards (they are the same brand of Intel card). I just moved the DMZ to the third card and it worked fine. Could the NIC card be bad? All the cards are labeled em0, em1, etc., except this card, which comes up as fwip0. I thought it was kind of odd but did not think much about it. Also, I had used both of these cards for dual WAN with no trouble. Maybe it is just a fluke?

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL


That's weird. Sure you are reading things correctly? fwip is the driver for IP over IEEE 1394. Do you have a 1394 FireWire port on the box?

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA


Okay. After checking further, for whatever reason, when I set the ports up, it assigned that interface to that for whatever reason. I did check the assign area though and I found an em3 and changed it to that and tested it and it works. But I went ahead and did a clean install after I installed the new interface card and let it detect each one after link up, and I swear that is what it assigned the interface to, fwip. Anyway, it's all sorted now. Would have never sorted it if you didn't mention that.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL


You may want to disable unused devices in BIOS. That way they don't appear where you can misconfigure them.

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA


Will definitely do that. Hopefully now my SIP devices will be able to connect to the remote server. That was the point of setting up DMZ, because pfSense isn't allowing certain things through and I have not been able to get it resolved. Next, I'll get a managed switch and do the VLAN thing.

XCOM
digitalnUll
Premium Member
join:2002-06-10
Spring, TX
(Software) pfSense
MikroTik CRS125-24G-1S-RM


said by atuarre:

Will definitely do that. Hopefully now my SIP devices will be able to connect to the remote server. That was the point of setting up DMZ, because pfSense isn't allowing certain things through and I have not been able to get it resolved. Next, I'll get a managed switch and do the VLAN thing.

That's the wrong approach to your issue if you can't figure it out.
Putting anything "SIP" related on DMZ if not done right is a recipe for disaster...

Have you tried the pfSense forum?

I am using pfSense and all of my Asterisk servers work just fine.

graysonf
MVM
join:1999-07-16
Fort Lauderdale, FL

2 recommendations


You and the OP probably both misunderstand the concept of DMZ in pfSense. It's a third, isolated from the LAN interface, and is NOT wide open to everything.

XCOM
digitalnUll
Premium Member
join:2002-06-10
Spring, TX
(Software) pfSense
MikroTik CRS125-24G-1S-RM


said by graysonf:

You and the OP probably both misunderstand the concept of DMZ in pfSense. It's a third, isolated from the LAN interface, and is NOT wide open to everything.

Read my post carefully.
I stated "if not done right".

I understand exactly how it works.

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA

atuarre to XCOM

It solved my issue with the SIP devices so I think it did exactly what I wanted it to do.

rchandra
Stargate Universe fan
Premium Member
join:2000-11-09
14225-2105

1 recommendation

rchandra to atuarre

I predict the sooner IPv6 is widely deployed, most of this sort of nonsense will go away. I think a large part of the difficulties with SIP (or RTP, or their secure counterparts) are due to NAT. With IPv6, NAT goes away.

atuarre
Here come the drums
Premium Member
join:2004-02-14
EC/SETX SWLA

1 recommendation


Will not hold my breath on the wide deployment of IPv6.