Netgate Discussion Forum

    [solved] DMZ via VLAN - would this work?

    Firewalling | 2 Posts, 1 Poster, 5.1k Views
    ghm:

      Hi,

      I'd like to get a sounding on whether this config would work and get me a poor man's DMZish environment (I have a VLAN-capable "websmart" switch):

      Status quo: WAN <-> pfSense <- LAN/WLAN (bridged) [untagged]

      Target:       WAN <-> pfSense <- LAN/WLAN (bridged) [tagged VLAN ID 1 or untagged?]
                                               <-> DMZ [tagged VLAN ID 11]
                      where LAN/WLAN may see everything,
                               WAN may see DMZ but not LAN/WLAN,
                               DMZ may see WAN but not LAN/WLAN.

      I would normally create a new interface based on LAN but with VLAN 11 and call/assign that to DMZ. So that I get a new tab "DMZ" for the Firewall rules.

      Then I would create Firewall rules:

      LAN-Tab:     pass * Source:LAN-net * * * * (-> all destinations allowed - stays as is)
      WiFi unchanged (passes / bridged to LAN)
      DMZ-Tab:    block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
                      pass * Source:DMZ-net * * WAN * (-> all packets from DMZ-subnet to WAN allowed - may be ok without Source arg?)
      WAN-Tab:   block [standard RFC1918 and Bogon rules]
                      block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
                      pass [NAT-induced firewall rules to open ports on the DMZ server] * * * * Dest: DMZ * (-> all NATted packets for DMZ pass)

      OK, I would of course also create a NAT for the ports to be opened on the DMZ server. I don't really want 1:1, I just need a couple of ports. But I don't want that server to sit in my LAN and be able to mount LAN resources.

      Questions:

      • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
      • Under the DMZ tab, do I actually have to state the Source? Why not just the destination, given that the firewall works inbound and the tab describes the interface anyway?
      • Does anything else here look clearly bad?

      Forgive me, but I'm new to pfSense and would like to understand things better before I change things and then don't understand the effects :-)

      Thanks!

      ghm:
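      As an added illustration (not from the thread or from pfSense itself), the Python model below evaluates the rule tables proposed above the way pfSense applies them: a packet is matched against the tab of the interface it arrives on, top to bottom, first match wins, and anything unmatched hits the implicit default deny at the bottom of every tab. The subnets (LAN 192.168.2.0/24, DMZ 192.168.11.0/24), the addresses in the sample packets and the single forwarded port 443 are assumptions made for the example; the thread never names them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed subnets for the example (the thread does not give any).
NETS = {
    "LAN": ipaddress.ip_network("192.168.2.0/24"),   # LAN on VLAN 2
    "DMZ": ipaddress.ip_network("192.168.11.0/24"),  # DMZ on VLAN 11
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    iface: str        # tab/interface the packet arrives on (rules are evaluated inbound)
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src_net: Optional[str] = None    # "LAN", "DMZ", "RFC1918" or None (any)
    dst_net: Optional[str] = None    # "LAN", "DMZ", "WAN" (non-RFC1918) or None (any)
    dport: Optional[int] = None      # None = any port


def net_contains(name: Optional[str], ip_str: str) -> bool:
    """Does the named address set contain ip_str? None means 'any'."""
    ip = ipaddress.ip_address(ip_str)
    if name is None:
        return True
    if name == "RFC1918":
        return any(ip in n for n in RFC1918)
    if name == "WAN":  # "the Internet": anything that is not private space
        return not any(ip in n for n in RFC1918)
    return ip in NETS[name]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (net_contains(rule.src_net, pkt.src)
            and net_contains(rule.dst_net, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


# The rule tables from the post, one list per interface tab.
# pfSense adds 'quick' to every rule, so the first matching rule decides.
RULES = {
    "LAN": [Rule("pass", src_net="LAN")],
    "DMZ": [Rule("block", dst_net="LAN"),
            Rule("pass", src_net="DMZ", dst_net="WAN")],
    # NAT is applied before filtering, so the WAN pass rule sees the
    # DMZ server's private address as destination, not the WAN address.
    "WAN": [Rule("block", src_net="RFC1918"),
            Rule("block", dst_net="LAN"),
            Rule("pass", dst_net="DMZ", dport=443)],
}

# Same tables, but the DMZ pass rule without the Source restriction
# (the variant the post asks about).
RULES_NO_SRC = dict(RULES)
RULES_NO_SRC["DMZ"] = [Rule("block", dst_net="LAN"), Rule("pass", dst_net="WAN")]


def decide(pkt: Packet, tables=RULES) -> str:
    """Return 'pass' or 'block' for a packet arriving on pkt.iface."""
    for rule in tables[pkt.iface]:
        if matches(rule, pkt):
            return rule.action
    return "block"  # implicit default deny at the end of every tab


if __name__ == "__main__":
    # Constructed sample packets (assumed addresses).
    samples = [
        Packet("LAN", "192.168.2.10", "192.168.11.5", 22),    # LAN -> DMZ: pass
        Packet("DMZ", "192.168.11.5", "192.168.2.10", 445),   # DMZ -> LAN: block
        Packet("DMZ", "192.168.11.5", "203.0.113.7", 443),    # DMZ -> Internet: pass
        Packet("DMZ", "192.168.2.99", "203.0.113.7", 443),    # spoofed LAN source on DMZ
        Packet("WAN", "198.51.100.9", "192.168.11.5", 443),   # forwarded port: pass
        Packet("WAN", "198.51.100.9", "192.168.11.5", 22),    # non-forwarded port: block
        Packet("WAN", "198.51.100.9", "192.168.2.10", 443),   # Internet -> LAN: block
        Packet("WAN", "10.0.0.1", "192.168.11.5", 443),       # RFC1918 source on WAN: block
    ]
    for p in samples:
        print(f"{p.iface:3} {p.src:>14} -> {p.dst:>14}:{p.dport:<4} "
              f"with source: {decide(p):5}  without source: {decide(p, RULES_NO_SRC)}")
```

      The fourth sample is the one that answers the Source question: a packet arriving on the DMZ interface that claims a LAN address is dropped by the table as written, because nothing matches it, but is passed once the Source restriction is removed. The restriction costs nothing for legitimate DMZ traffic and keeps the tab from forwarding anything the DMZ host chooses to spoof.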

        @ghm:

        Questions:

        • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
        • Under the DMZ tab, do I actually have to state the Source? Why not just the destination, given that the firewall works inbound and the tab describes the interface anyway?
        • Does anything else here look clearly bad?

        Solved this using "pfSense - The Definitive Guide". Now I know that one should neither use PVID 1 nor the parent interface of a VLAN. I have LAN on PVID 2 now and DMZ on PVID 11.
        WiFi is unbridged now, even though bridging did not cause visible issues.

        Works :-)

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.