[solved] DMZ via VLAN - would this work?
-
Hi,
I'd like to get a sounding on whether this config would work and get me a poor man's DMZish environment (I have a VLAN-capable "websmart" switch):
Status quo: WAN <-> pfSense <- LAN/WLAN (bridged) [untagged]
Target:     WAN <-> pfSense <- LAN/WLAN (bridged) [tagged VLAN ID 1 or untagged?]
                            <-> DMZ [tagged VLAN ID 11]
where LAN/WLAN may see everything,
WAN may see DMZ but not LAN/WLAN,
DMZ may see WAN but not LAN/WLAN.

I would normally create a new interface based on LAN but with VLAN 11 and call/assign that to DMZ. So that I get a new tab "DMZ" for the Firewall rules.
Then I would create Firewall rules:
LAN-Tab: pass * Source:LAN-net * * * * (-> all destinations allowed - stays as is)
WiFi unchanged (passes / bridged to LAN)
DMZ-Tab: block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
pass * Source:DMZ-net * * WAN * (-> all packets from DMZ-subnet to WAN allowed - may be ok without Source arg?)
WAN-Tab: block [standard RFC1918 and Bogon rules]
block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
pass [NAT induced firewall rules to open ports on DMZ server] * * * * Dest: DMZ * (-> all NATted packets for DMZ pass)

Ok, would of course also create a NAT for the ports to be opened on the DMZ server. I don't really want 1:1, just need a couple of ports. But I don't want that server to sit in my LAN and be able to mount LAN resources.
Questions:
- Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
- Do I under the DMZ tab actually have to state the Source? Why not just the destination, given that the Firewall works inbound and the tab describes the IF anyway?
- Does anything else here look clearly bad?
Forgive me but I'm new to pfSense and would like to understand things better before I change things and then don't understand the effects :-)
Thanks!
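A way to sanity-check the rule tables above before touching the box: the script below is an added example, not code from the original post or from pfSense. It models pfSense's evaluation order (rules on the ingress interface's tab, top-down, first match wins, implicit default deny) with constructed subnets, and shows what the Source field on the DMZ tab buys you: a packet entering the DMZ interface with a non-DMZ source address is dropped instead of being passed. The DMZ pass rule is written with destination "any" rather than "WAN", because in pfSense "WAN net" means only the WAN interface's own subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed subnets for the thread's topology (assumptions, not the poster's addressing).
NETS = {
    "LAN": ipaddress.ip_network("192.168.2.0/24"),
    "DMZ": ipaddress.ip_network("192.168.11.0/24"),
}

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: str                    # "any" or a key of NETS
    dst: str                    # "any" or a key of NETS
    dport: Optional[int] = None # None matches any destination port

def _match(token, addr):
    return token == "any" or addr in NETS[token]

def evaluate(iface, src_ip, dst_ip, dport, tables):
    """First matching rule on the ingress interface's tab decides; no match = drop."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in tables.get(iface, []):
        if _match(r.src, src) and _match(r.dst, dst) and r.dport in (None, dport):
            return r.action
    return "block"  # pfSense's implicit default deny

# The three tabs from the post, as first-match lists. Port 443 stands in for the
# NAT-forwarded port; a port forward is filtered on the translated (DMZ) destination.
TABLES = {
    "LAN": [Rule("pass", "LAN", "any")],
    "DMZ": [Rule("block", "any", "LAN"), Rule("pass", "DMZ", "any")],
    "WAN": [Rule("block", "any", "LAN"), Rule("pass", "any", "DMZ", dport=443)],
}

# Constructed test traffic: (ingress interface, source, destination, dest port).
CASES = {
    "lan_to_dmz":       ("LAN", "192.168.2.10", "192.168.11.5", 22),
    "dmz_to_lan":       ("DMZ", "192.168.11.5", "192.168.2.10", 445),
    "dmz_to_internet":  ("DMZ", "192.168.11.5", "203.0.113.9", 443),
    "wan_to_dmz_443":   ("WAN", "198.51.100.7", "192.168.11.5", 443),
    "wan_to_dmz_22":    ("WAN", "198.51.100.7", "192.168.11.5", 22),
    "wan_to_lan":       ("WAN", "198.51.100.7", "192.168.2.10", 443),
    "spoofed_src_on_dmz": ("DMZ", "192.168.2.10", "203.0.113.9", 80),
}

def policy_check(tables=TABLES):
    return {name: evaluate(*pkt, tables) for name, pkt in CASES.items()}

if __name__ == "__main__":
    for name, verdict in policy_check().items():
        print(f"{name:20s} -> {verdict}")
```

Swapping the DMZ pass rule's source to "any" and re-running shows the spoofed case flipping to "pass", which is the reason to keep the Source restriction even though the tab already pins the interface.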
-
@ghm:
Questions:
- Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
- Do I under the DMZ tab actually have to state the Source? Why not just the destination, given that the Firewall works inbound and the tab describes the IF anyway?
- Does anything else here look clearly bad?
Solved this using "pfSense - The Definitive Guide". Now I know that one should neither use PVID 1 nor the parent interface of a VLAN. Have LAN on PVID 2 now and DMZ on PVID 11.
WiFi is unbridged now, even though bridged did not cause visible issues. Works :-)