junnian
New Member
June 17, 2016
Question

can not reach outside from DMZ


fortigate80, NAT

Everything works fine, except the DMZ.

What I have done:

Set up a VIP.

Configured the DMZ interface on a different subnet from the Internal subnet.

Set up firewall policies between DMZ <=> Internal, Internal => WAN, and DMZ <=> WAN.

In the DMZ subnet there is no DHCP and no DNS; the Linux workstation in the DMZ has a static IP and public DNS address info.

Communication between DMZ and Internal has no problem. Internal can communicate to WAN. The workstation in the DMZ can be reached from the internet (WAN) through the VIP. But the DMZ can NOT get to the internet.

The static route looks OK, otherwise Internal could not communicate to WAN, but the DMZ still cannot be routed to the internet. After I put in a policy route whose "incoming interface" is DMZ, the DMZ can go through to the internet.

My understanding is that the "policy route" should be unnecessary, am I right? Or did I do something wrong?

Thanks for any direction.

Jun


    ede_pfau
    SuperUser
    June 18, 2016

    Hi, and welcome to the forums.

    My first idea was that there is no (correct) default route on the DMZ host. But in this case traffic from the WAN to the DMZ host wouldn't work. Can you confirm that?

    rwpatterson
    New Member
    June 20, 2016

    Also often overlooked is to use the NAT check box on any interface that is passing traffic to the public Internet.

    jpplante
    New Member
    June 22, 2016

    Sounds like you may have a NAT issue. Make sure you set up NAT for DMZ traffic out.

    Also, just a side note: are you really sure you want to set up full two-way traffic between the DMZ and the LAN? Technically that is doing nothing to protect your LAN from the computer in the DMZ. To make matters worse, you have opened your DMZ to the WAN. According to the details, unless of course I am reading it wrong, you are allowing a would-be attacker to use the DMZ as a hop directly into your LAN.
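    The following FortiOS CLI fragment is an added example, not configuration from this thread or from Fortinet. It puts the pieces the question lists (VIP, DMZ-to-WAN policy, DMZ/Internal policies) together in the shape jpplante describes: NAT enabled on the outbound DMZ policy, and no policy from DMZ back into the LAN. It relies on the static default route the question already has and adds no policy route. Interface names (dmz, wan1, internal), the address and VIP object names, and every IP address are assumptions made up for the example.

```fortios
# Added example (not from this thread): FortiOS 5.x CLI for a DMZ host that is
# published inbound through a VIP and allowed outbound through source NAT.
# Interface names, object names and all IP addresses below are assumptions.

config firewall address
    edit "DMZ_subnet"
        set subnet 192.0.2.0 255.255.255.0      # constructed DMZ subnet (TEST-NET-1)
        set associated-interface "dmz"
    next
    edit "DMZ_host"
        set subnet 192.0.2.10 255.255.255.255   # the Linux workstation in the DMZ
        set associated-interface "dmz"
    next
end

# Inbound publish of the DMZ host (the VIP the question mentions).
config firewall vip
    edit "VIP_DMZ_host"
        set extintf "wan1"
        set extip 203.0.113.10                   # constructed public IP on wan1
        set mappedip "192.0.2.10"
    next
end

config firewall policy
    # Outbound: DMZ -> WAN. Without "set nat enable" the packets leave wan1 with
    # a private 192.0.2.x source address and the replies never come back, which
    # is the NAT issue jpplante is pointing at.
    edit 0
        set name "DMZ-to-WAN"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ_subnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS" "HTTP" "HTTPS"         # only what the host needs, not ALL
        set nat enable                           # source NAT to the wan1 address
    next
    # Inbound: WAN -> DMZ host via the VIP. No NAT on this policy: the VIP does
    # the destination translation and the host still sees the real client IP.
    edit 0
        set name "WAN-to-DMZ-host"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP_DMZ_host"
        set action accept
        set schedule "always"
        set service "HTTPS"
    next
    # Management from the LAN into the DMZ host only. The reverse direction
    # (dmz -> internal) deliberately has no policy, so it hits the implicit
    # deny and a compromised DMZ host cannot hop into the internal subnet.
    edit 0
        set name "Internal-to-DMZ"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "DMZ_host"
        set action accept
        set schedule "always"
        set service "SSH" "HTTPS"
    next
end
```

    To check which of the two explanations in the thread applies, `get router info routing-table all` shows whether the default route is present, and `diagnose sniffer packet wan1 'port 53' 4` run while the DMZ host does a DNS lookup shows what source address the packets carry when they leave wan1: if they still show the 192.0.2.x address, the matching policy has NAT off; if nothing appears at all, the traffic is not reaching wan1 and the routing or policy match is the problem.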