No internal connections with location blocking to DMZ enabled

Hi there, I’ve just enabled a whitelist allowing several countries to access my web service running in the DMZ (Orange).

However, now I cannot access the DMZ services (Web, Mail) from my internal networks (BLUE and GREEN) any more. I suppose this has to do with traffic being routed somehow over RED when addressing FQDNs that are part of the DMZ and, in addition, those internal client IPs (192.168.x.x, 10.x.x) are not part of the location database, so there is no way to put them on a location whitelist.

What rule may I please apply to circumvent that problem?

Use internal FQDNs.
For example mail.mynet.localdomain.
The host names should be defined on the WUI page Network → Edit Hosts.

I suppose the DMZ servers are accessible by their IPs.

Add Rule:

Source: Green
NAT: Dest-Nat → FW-Interface Red
Destination: Host in DMZ
Protocol: TCP 443

Same for Blue. Should work.

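To make the failure mode and the fix in the answer above concrete, here is a small rule-walk model. It is an added example and not IPFire’s own code: the addresses (RFC 5737 documentation ranges on the public side), the host names, the two-entry location table and the first-match rule semantics are all constructed. It shows why a location whitelist on the RED port forward never matches an RFC1918 client (no country, so no match, so default drop), why a Dest-NAT rule scoped to the Green/Blue sources restores access without loosening the whitelist for external sources, and why an internal host name from Network → Edit Hosts sidesteps the problem entirely.

```python
"""Rule-walk model of a location-whitelisted DMZ port forward (added
example, not IPFire code; all addresses, names and the location table
are constructed for illustration)."""
import ipaddress
from dataclasses import dataclass

# Constructed topology.
RED_IP = ipaddress.ip_address("203.0.113.10")      # RED interface address
DMZ_WEB = ipaddress.ip_address("172.16.1.10")      # web server on ORANGE
ORANGE_NET = ipaddress.ip_network("172.16.1.0/24")
GREEN_NET = ipaddress.ip_network("192.168.1.0/24")
BLUE_NET = ipaddress.ip_network("10.0.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed location database: only public prefixes carry a country code,
# so private (RFC1918) sources never get one and cannot be whitelisted.
LOCATION_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
ALLOWED_COUNTRIES = {"DE"}

# Two DNS views: the public name resolves to RED everywhere; the internal
# name (Network -> Edit Hosts) is only visible to clients using the
# firewall's resolver and points straight at the DMZ host.
PUBLIC_DNS = {"www.example.org": RED_IP}
INTERNAL_HOSTS = {"web.mynet.localdomain": DMZ_WEB}


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str = "tcp"


def country_of(addr):
    """Country code for a public address; None for RFC1918 space or for
    anything the (constructed) location database does not cover."""
    addr = ipaddress.ip_address(addr)
    if any(addr in net for net in RFC1918):
        return None
    for net, cc in LOCATION_DB.items():
        if addr in net:
            return cc
    return None


def resolve(name, internal_view):
    """Resolve a host name in the internal or the external DNS view."""
    if internal_view and name in INTERNAL_HOSTS:
        return INTERNAL_HOSTS[name]
    return PUBLIC_DNS[name]      # KeyError for names that do not exist


def is_internal(addr):
    return addr in GREEN_NET or addr in BLUE_NET


# Rules return (verdict, destination after NAT) on a match, else None.
def green_to_orange(pkt):
    """Internal networks may reach ORANGE hosts directly."""
    if is_internal(pkt.src) and pkt.dst in ORANGE_NET:
        return "ACCEPT", pkt.dst
    return None


def location_whitelist(pkt):
    """Port forward RED:443 -> DMZ, restricted to whitelisted countries.
    A source with no country (every RFC1918 client) simply does not match."""
    if pkt.dst == RED_IP and pkt.proto == "tcp" and pkt.dport == 443:
        if country_of(pkt.src) in ALLOWED_COUNTRIES:
            return "ACCEPT", DMZ_WEB
    return None


def internal_dnat(pkt):
    """The fix from the thread: Source Green/Blue, Dest-NAT to the DMZ host,
    Destination RED interface, TCP 443.  Deliberately scoped to internal
    sources: a source of "Any" would bypass the whitelist for everyone."""
    if is_internal(pkt.src) and pkt.dst == RED_IP and pkt.proto == "tcp" and pkt.dport == 443:
        return "ACCEPT", DMZ_WEB
    return None


BROKEN = [green_to_orange, location_whitelist]
FIXED = [green_to_orange, internal_dnat, location_whitelist]


def evaluate(pkt, rules):
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        hit = rule(pkt)
        if hit is not None:
            return hit
    return "DROP", pkt.dst


def access(client, name, rules, internal_view=False):
    """Simulate a client opening https://<name>/ : verdict and where it lands."""
    pkt = Packet(src=ipaddress.ip_address(client), dst=resolve(name, internal_view), dport=443)
    return evaluate(pkt, rules)


if __name__ == "__main__":
    for label, rules in (("whitelist only", BROKEN), ("with DNAT rule", FIXED)):
        print(label)
        for client in ("192.168.1.20", "10.0.0.5", "198.51.100.5", "192.0.2.7"):
            print(f"  {client:>13} -> {access(client, 'www.example.org', rules)}")
    print("split DNS:", access("192.168.1.20", "web.mynet.localdomain", BROKEN, True))
```

The check worth keeping from this model is the last pair of cases: after adding the DNAT rule, the whitelisted external client is still accepted and the non-whitelisted one is still dropped, so the rule must be anchored on the Green/Blue source and not on “Any”.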

Hi Steven, thank you, that works. May I please ask if you have a hint on how to get that to work together with the proxy enabled for the clients?

It is not possible. You must enter the URLs in the client settings under “internal urls” so that the proxy does not take effect for them.

Well, I just found it. When enabling the whitelist-based firewall rules with the external IP included (as country), proxy access works w/o changes. I had disabled the rule when testing … :_/

Thank you so much for helping me out.