Correct way to set up multiple DMZs
-
That is very true, but consider this:
You have a WAN, LAN, OPT, DMZ, DMZ2.
You need to add a DMZ3.
So you add DMZ3, you add allow rules for HTTP and HTTPS so it can get out to the net, then you need to add at least 5 block rules to block DMZ3 to LAN, OPT, PPTP etc.
You also have to add 3 rules to stop access from DMZ3 to the HTTP/HTTPS/SSH pfSense management interface on DMZ3 (as the HTTP/HTTPS allow rules allow access to it!).
Then you have to add a rule on each of LAN, OPT, DMZ, DMZ2 to block access to DMZ3, so that's another 4 rules.
So you are having to add 12 rules just to block access, whereas if this option were available you would not need any :(
When you start using a few OPT/DMZ/VLANs it becomes a nightmare to make sure everything is blocked correctly :(
-
If you're on 2.0 you can use a floating rule on all interfaces except DMZ3 to drop traffic to the DMZ3 subnet.
For the internet ping, you could define an alias with all private subnets (priv_nets): 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and define a rule
On DMZ3
From any
To NOT priv_nets
Protocol icmp
-
I'm sure I tried creating a priv_nets type group with all local subnets in, but it then blocks all pings even to the WAN, presumably because the gateway of the subnet you are on is included?
-
Floating rules may be an option, i.e. create:
Block LAN, OPT, DMZ, DMZ2 -> DMZ3
Block LAN, OPT, DMZ, DMZ3 -> DMZ2
Block LAN, OPT, DMZ2, DMZ3 -> DMZ
Block LAN, DMZ, DMZ2, DMZ3 -> OPT
Block DMZ, OPT, DMZ2, DMZ3 -> LAN
Something like that?
-
That would be perfect, except I don't have a "local subnets" option :(
I am on 2.0-RC3
-
Well, sorry, I looked it up in a test system running 2.0RC. Actually, this IS an alias I was referring to and not given by the system.
The alias holds something like:
10/8 & 192.168/16
Could you use that? OK, your WAN gateway won't be pingable, but do you need that? Accessing external destinations should work this way.
-
I found in my testing it blocked all traffic. Simple example:
wan 1.1.1.1
lan 2.2.2.2
opt 3.3.3.3
local_subnets alias: 2.2.2.2, 3.3.3.3
Rule: allow opt ping to not local_subnets
I found this blocks all pings, even to external :(
-
I don't think it's supposed to work like that, but maybe I'm missing something.
Haven't used the floating rules myself, but what you wrote sounds reasonable. Give it a try!
-
"I'm sure I tried creating a priv_nets type group with all local subnets in, but it then blocks all pings even to the WAN, presumably because the gateway of the subnet you are on is included?"
It's L3 traffic, so it shouldn't matter what local IP the gateway is on, unless you're doing a traceroute.
I just ran a test on my local net; are you sure you've put a rule in below it to allow pings from any to any, or from DMZ3 to any?
(attachments: Config, Logs)
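A small first-match model of the rulesets discussed in this thread, added here as an illustration; it is not code from any of the posters or from pfSense itself. It builds the per-destination floating block rules suggested above, the DMZ3 allow rules with a negated priv_nets alias, and a block for DMZ3 to the firewall's own address on that interface (the management-interface gap the first post counts extra rules for), then evaluates sample packets. The segment subnets, rule names and the 10.10.3.1 firewall address are constructed for the example; the model assumes every rule is first-match (as pfSense interface rules are, and floating rules with "quick" set) with default deny at the end.

```python
"""First-match evaluation of a small pfSense-style ruleset (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# The priv_nets alias from the thread: all RFC 1918 ranges.
PRIV_NETS = [ipaddress.ip_network(n)
             for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addressing for the segments named in the thread (not the poster's real nets).
SEGMENTS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "OPT":  ipaddress.ip_network("192.168.2.0/24"),
    "DMZ":  ipaddress.ip_network("10.10.1.0/24"),
    "DMZ2": ipaddress.ip_network("10.10.2.0/24"),
    "DMZ3": ipaddress.ip_network("10.10.3.0/24"),
}
DMZ3_FIREWALL_IP = ipaddress.ip_network("10.10.3.1/32")  # constructed interface address
ANY = [ipaddress.ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    name: str
    action: str                    # "pass" or "block"
    ifaces: frozenset              # interfaces the packet may arrive on (several for a floating rule)
    proto: Optional[str]           # None matches any protocol
    dst: list = field(default_factory=lambda: ANY)
    negate_dst: bool = False       # True models a "NOT alias" destination

    def matches(self, iface, proto, dst_ip):
        if iface not in self.ifaces:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        in_dst = any(dst_ip in net for net in self.dst)
        return in_dst != self.negate_dst   # negation flips the alias match


def evaluate(rules, iface, proto, dst):
    """Return (action, rule name) of the first matching rule, else the default deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(iface, proto, dst_ip):
            return rule.action, rule.name
    return "block", "default deny"


def isolation_rules(segments):
    """One floating block rule per destination segment, from every other segment."""
    rules = []
    for name, net in segments.items():
        others = frozenset(s for s in segments if s != name)
        rules.append(Rule(f"block -> {name}", "block", others, None, [net]))
    return rules


def dmz3_rules():
    """Interface rules for DMZ3: web out to anywhere, ICMP only to non-private space."""
    return [
        Rule("DMZ3 web out", "pass", frozenset({"DMZ3"}), "tcp"),
        Rule("DMZ3 ping out", "pass", frozenset({"DMZ3"}), "icmp", PRIV_NETS, negate_dst=True),
    ]


def mgmt_block_rule():
    """Block DMZ3 hosts from reaching the firewall's own address on DMZ3."""
    return Rule("block DMZ3 -> firewall", "block", frozenset({"DMZ3"}), None, [DMZ3_FIREWALL_IP])


def demo():
    """Evaluate sample flows; rule order decides whether the management block is effective."""
    isolation = isolation_rules(SEGMENTS)
    block_below_allow = isolation + dmz3_rules() + [mgmt_block_rule()]
    block_above_allow = isolation + [mgmt_block_rule()] + dmz3_rules()
    return {
        "dmz3_ping_internet": evaluate(block_above_allow, "DMZ3", "icmp", "8.8.8.8"),
        "dmz3_ping_lan": evaluate(block_above_allow, "DMZ3", "icmp", "192.168.1.10"),
        "lan_to_dmz3": evaluate(block_above_allow, "LAN", "tcp", "10.10.3.5"),
        "mgmt_block_below_allow": evaluate(block_below_allow, "DMZ3", "tcp", "10.10.3.1"),
        "mgmt_block_above_allow": evaluate(block_above_allow, "DMZ3", "tcp", "10.10.3.1"),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:24s} -> {verdict}")
```

With five segments the isolation needs five floating rules instead of a block rule on every interface pair, and the negated alias lets ICMP out to public space while the floating rules still stop it between segments. The last two results show why a block for the firewall's own interface address has to sit above the HTTP/HTTPS allow rule: below it, the allow rule matches first and the block never fires.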
-
If you want to drop the number of those lines, you can also make an allow rule with !internal for pings.
-
OK, thanks, I will test it out.