Netgate Discussion Forum
    WAN and DMZ

    Firewalling
    webroy

      Just a Question

      When you have a WAN and a BRIDGE to DMZ, where do you put your firewall rules? In WAN or in DMZ? Both? Or does it not matter because of the Bridge?

      jimp (Rebel Alliance Developer, Netgate)

        With the default settings, you put the rules on the interface the traffic enters. So traffic from DMZ to the WAN would be filtered by the rules on the DMZ tab. Traffic from WAN to DMZ would be filtered by rules on the WAN tab.

        You can change the bridge filtering settings so that it filters on the actual bridge interface itself if you have it assigned, or both, or neither.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        Mr. Jingles

          @jimp:

          With the default settings, you put the rules on the interface the traffic enters. So traffic from DMZ to the WAN would be filtered by the rules on the DMZ tab. Traffic from WAN to DMZ would be filtered by rules on the WAN tab.

          My apologies Jimp for probably sounding most stupid, but given what I made bold, shouldn't it be the other way around? (I admit, I am still struggling with it). It enters the WAN, so it should be filtered by rules on WAN, not on DMZ, no?

          (I feel so stupid  :-[)

          6 and a half billion people know that they are stupid, aggressive, lower life forms.

          jimp (Rebel Alliance Developer, Netgate)

            Traffic from the DMZ to the WAN enters the DMZ interface, so it is filtered by the rules on the DMZ interface.

            We're both saying the same thing, I don't see the conflict.

            Mr. Jingles

              @jimp:

              Traffic from the DMZ to the WAN enters the DMZ interface, so it is filtered by the rules on the DMZ interface.
              We're both saying the same thing, I don't see the conflict.

              I don't want a conflict with you  ;D

              But the bold: I know I don't understand this, but if it goes from DMZ to WAN then it leaves DMZ and enters WAN, no? (I know it has to be 'no' since you write it, but my limited brain doesn't understand it. To me it spells like just the other way around).

              Thank you  ;D

              jimp (Rebel Alliance Developer, Netgate)

                No, it enters DMZ and leaves WAN.

                Imagine a host on the DMZ trying to reach Google public DNS. DMZ is x.x.x.x, remote IP is 8.8.8.8

                The packet leaves x.x.x.x, enters the firewall's DMZ interface, leaves the WAN interface going to the default gateway for the bridge subnet, and then on to 8.8.8.8.

                So traffic coming from the DMZ enters the DMZ interface on the firewall.

                Logically you're a bit off. Traffic "leaving the DMZ" does not exit the DMZ interface, it enters the DMZ interface and leaves another. Imagine yourself sitting inside of the firewall. Traffic coming from the DMZ comes at you from the DMZ interface.

                Derelict (LAYER 8, Netgate)
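The ingress-interface rule lookup jimp describes, written out as an added example (not code from the thread or from pfSense). It models pf consulting the tab of the interface a frame is received on, plus the "filter on the bridge itself / both / neither" switch, which is assumed here to map to FreeBSD's net.link.bridge.pfil_member and pfil_bridge sysctls; the DMZ host 192.0.2.10 and the ruleset are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    tab: str              # interface tab the rule lives on (where traffic enters)
    action: str           # "pass" or "block"
    proto: str            # "tcp" or "udp"
    dst: str              # destination host, or "any"
    dport: Optional[int]  # destination port, None = any

def matches(rule, proto, dst, dport):
    return (rule.proto == proto and rule.dst in ("any", dst)
            and rule.dport in (None, dport))

def tabs_consulted(ingress, pfil_member=True, pfil_bridge=False, bridge_if="bridge0"):
    """Rule tabs pf consults for a frame received on bridge member `ingress`.
    Assumed mapping to FreeBSD's net.link.bridge.pfil_member / pfil_bridge;
    member=1, bridge=0 is the default jimp describes (filter on the member)."""
    tabs = []
    if pfil_member:
        tabs.append(ingress)
    if pfil_bridge:
        tabs.append(bridge_if)
    return tabs

def decide(rules, ingress, proto, dst, dport, **bridge_opts):
    """First matching rule on each consulted tab wins (pfSense rules are 'quick'),
    an unmatched tab falls to the default deny, and the packet must pass on every
    consulted tab. With no tab consulted the bridge does not filter at all."""
    for tab in tabs_consulted(ingress, **bridge_opts):
        verdict = "block"
        for rule in rules:
            if rule.tab == tab and matches(rule, proto, dst, dport):
                verdict = rule.action
                break
        if verdict == "block":
            return "block"
    return "pass"

# Constructed ruleset: the DMZ host may resolve via 8.8.8.8 (rule on the DMZ tab,
# where that traffic enters); the Internet may reach its HTTPS port (WAN tab).
RULES = [
    Rule("DMZ", "pass", "udp", "8.8.8.8", 53),
    Rule("WAN", "pass", "tcp", "192.0.2.10", 443),
]

if __name__ == "__main__":
    print(decide(RULES, "DMZ", "udp", "8.8.8.8", 53))      # pass: enters DMZ
    print(decide(RULES, "WAN", "tcp", "192.0.2.10", 22))   # block: no WAN rule
```

Note the last case in the test: once filtering is moved to the bridge interface only, rules on the DMZ and WAN tabs are no longer consulted and the DNS flow falls to the default deny.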

                  From an interface's perspective:

                  enter == receive
                  leave == transmit

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.