Netgate Discussion Forum

    Subnet with no firewall

    Firewalling
    Simoo:

      Hi,

      I am using Smoothwall at the moment. I would like to set up a router/firewall with two subnets, one for my trusted LAN, fully firewalled and one that is not firewalled at all (a DMZ as I understand it) for gaming consoles. The two would not need to talk to each other. This would be done with two separate NICs.

      I cannot do this with Smoothwall because the 'orange' or DMZ is fully firewalled.

      Could I use pfsense to achieve this?

      Thanks  :)

      GruensFroeschli:

        Yes.
        Just add rules on your DMZ interface that allow everything.
        But could you elaborate on what you are trying to achieve?
        Because even in a DMZ just allowing everything is usually not such a good idea.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        Simoo:

          Sure, (thanks for the quick reply!)

          My home network consists of about 6 machines which I need firewalled, MythTV, desktops, media servers & laptops. They need to be able to talk to each other, but very few port forwards are needed.

          But there are also gaming consoles, PS3, DS, Wii, PSP etc., two of some of them. Some of these need many ports open and, because of the duplicate consoles, sometimes the same ports at different times. Gaming forums seem to suggest putting consoles in an unfirewalled DMZ is best and this seems to make sense.

          The PS3s use UPnP, which as I understand it gets round port problems, but it would still be good to have a completely unfirewalled subnet for gaming consoles, allowing me to keep port forwards to a minimum on my 'main' subnet and getting round the problem of only being able to open ports to a single IP.

          Thanks again

          Simoo:

            Hi, I have installed pfsense and made a firewall rule like this:

            Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
            *      *       *     DMZ          *     *                  DMZ

            Is that all I need to do to create an unfirewalled DMZ, or do I need to add something to the NAT section too (like with port forwards)?

            Thanks

            jahonix:

              NAT is used for original inbound traffic. You don't need that.
              Your destination is wrong, unless you only want to pass packets that travel from DMZ to DMZ.
              Destination should be '*' as well.

              Simoo:

                Proto  Source  Port  Destination  Port  Gateway  Schedule  Description
                *      *       *     *            *     *                  DMZ

                So setting the above for an interface ('Choose on which interface packets must come in to match this rule.') will mean that interface is no longer firewalled.

                Thanks :)

                PS. It's also worth mentioning, in case anyone uses this, that it would be important to stop the above interface 'talking' to the LAN like this:

                Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
                *      DMZ net  *     ! LAN net    *     *                  Permit DMZ to any BUT LAN

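pfSense evaluates the rules on the interface a packet enters top to bottom, and the first matching rule decides, so the order of the "allow everything" rule and the "DMZ net to ! LAN net" rule in the posts above matters. The following is an added example for this thread, not pfSense code and not posted by anyone in it: a small Python model of that first-match evaluation run over the rule sets from the posts (the allow-all rule, the negated-destination rule, and an explicit block rule). The LAN and DMZ subnets and the host addresses are constructed for illustration and are an assumption, not taken from the thread.

```python
"""
Model of pfSense per-interface rule evaluation: rules on the interface where
the packet enters are checked top to bottom and the first match decides.
Added example for this thread; not pfSense code. The addresses below are
constructed (assumption: LAN is 192.168.1.0/24, DMZ is 192.168.2.0/24).
"""
import ipaddress
from dataclasses import dataclass

# Constructed interface networks (assumption, not taken from the thread).
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ net": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """One row of the pfSense rule table, with proto and ports collapsed to any."""
    action: str       # "pass" or "block"
    src: str          # "*", "DMZ net", "LAN net", or "! <net>"
    dst: str
    description: str


def _selector_matches(selector: str, addr: ipaddress.IPv4Address) -> bool:
    """'*' matches anything; '! LAN net' matches anything outside LAN net."""
    if selector == "*":
        return True
    negate = selector.startswith("!")
    net = NETS[selector.lstrip("! ")]
    return (addr not in net) if negate else (addr in net)


def evaluate(rules, src_ip: str, dst_ip: str):
    """Return (action, description) of the first matching rule.
    With no match at all, pfSense's implicit default deny applies."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if _selector_matches(rule.src, src) and _selector_matches(rule.dst, dst):
            return rule.action, rule.description
    return "block", "default deny"


# The rules from the thread, as they would sit on the DMZ interface.
ALLOW_ALL = Rule("pass", "*", "*", "DMZ")
NOT_LAN = Rule("pass", "DMZ net", "! LAN net", "Permit DMZ to any BUT LAN")
BLOCK_LAN = Rule("block", "DMZ net", "LAN net", "Block DMZ to LAN")

# 1. allow-all listed first: the second rule is never reached.
ALLOW_ALL_THEN_NOT_LAN = [ALLOW_ALL, NOT_LAN]
# 2. only the negated rule: DMZ-to-LAN matches nothing and hits default deny.
NOT_LAN_ONLY = [NOT_LAN]
# 3. explicit block above allow-all: also correct, and it can be logged.
BLOCK_LAN_THEN_ALLOW_ALL = [BLOCK_LAN, ALLOW_ALL]

DMZ_HOST = "192.168.2.10"   # constructed console address
LAN_HOST = "192.168.1.20"   # constructed media server address
INTERNET = "203.0.113.5"    # TEST-NET-3 documentation address


def summary():
    """Decision for DMZ->LAN and DMZ->Internet under each rule set."""
    rule_sets = {
        "allow_all_then_not_lan": ALLOW_ALL_THEN_NOT_LAN,
        "not_lan_only": NOT_LAN_ONLY,
        "block_lan_then_allow_all": BLOCK_LAN_THEN_ALLOW_ALL,
    }
    return {
        name: {
            "to_lan": evaluate(rules, DMZ_HOST, LAN_HOST)[0],
            "to_internet": evaluate(rules, DMZ_HOST, INTERNET)[0],
        }
        for name, rules in rule_sets.items()
    }


if __name__ == "__main__":
    for name, result in summary().items():
        print(f"{name:26s} DMZ->LAN: {result['to_lan']:5s} "
              f"DMZ->Internet: {result['to_internet']}")
```

With the allow-all rule above the negated rule, a console's packet to a LAN host is passed by the first rule and the "Permit DMZ to any BUT LAN" rule never fires; either keep only the negated rule (DMZ-to-LAN then falls through to the default deny) or put an explicit block rule above the allow-all. Two further points a practitioner would check: rules on the DMZ interface only govern traffic entering pfSense on that interface, so a pass-all rule there does not open inbound connections from the WAN to the consoles, which still need port forwards (or UPnP) and WAN rules; and outbound NAT for the new subnet is covered by pfSense's automatic outbound NAT, so nothing in the NAT section is needed for the consoles to reach the Internet.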
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.