DMZ not communicating
-
I am trying to configure a DMZ and have set up a 192.168.7.0/24 subnet
pfSense 192.168.7.254
PC 192.168.7.2
I wish to block all traffic from this subnet to my main LAN @ 192.168.1.0/24
Test rule 1
=> allows me to access wan and main lan
source = DMZ net
dest = any

Test rule 2
=> allows me to ping 192.168.7.254 & 192.168.1.254 only
source = DMZ net
dest = this firewall (self)

Test rule 3
=> allows me to ping modem wan address
source = DMZ net
dest = wan address

Test rule 4
=> allows me to ping modem wan address, but ping to 8.8.8.8 is blocked and logged in fw log
source = DMZ net
dest = wan net

How can I config the DMZ fw rules to allow the subnet to access the wan and nothing else?
Thanks
-
How can I config the DMZ fw rules to allow the subnet to access the wan and nothing else?
To get this, you will need at least 2 rules.
First you need a block rule on the DMZ interface blocking any protocol from source "DMZ net" to destination "This firewall".
Second, create a pass rule, set the protocol to meet your needs, set source to "DMZ net", and at destination check "Invert match" and enter "LAN net".
Instead of LAN net it is a good choice to add an alias containing all RFC 1918 subnets and enter it in the rule as destination, so you will not have to edit this rule if you add further internal subnets.
Remember that the DMZ devices also need to access a DNS service. If this is running on your firewall or in the LAN, you will also have to add an additional rule to permit this.
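To check that the rule order described in the answer gives the wanted result, here is an added simulation (not pfSense code, not from the thread) of first-match evaluation on the DMZ interface: a DNS exception to the firewall, the block-to-"This firewall" rule, and the pass rule with "Invert match" on an RFC 1918 alias. The firewall WAN address 203.0.113.2 and the DNS-on-firewall exception are assumptions for the example.

```python
import ipaddress

# Constructed aliases mirroring the answer: RFC 1918 alias, DMZ net, and
# "This firewall" (every address the firewall owns, including WAN).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("192.168.7.0/24")
THIS_FIREWALL = {ipaddress.ip_address(a) for a in ("192.168.7.254", "192.168.1.254",
                                                   "203.0.113.2")}  # 203.0.113.2: assumed WAN IP


def in_any(addr, nets):
    return any(addr in n for n in nets)


# Optional exception from the answer: allow DNS to the firewall's own resolver.
# It must sit above the block-to-self rule, otherwise it never matches.
def rule_dns_to_self(src, dst, proto, dport):
    return src in DMZ_NET and dst in THIS_FIREWALL and proto == "udp" and dport == 53


# Rule 1 from the answer: block DMZ net -> "This firewall", any protocol.
def rule_block_self(src, dst, proto, dport):
    return src in DMZ_NET and dst in THIS_FIREWALL


# Rule 2 from the answer: pass DMZ net -> destination NOT in the RFC 1918 alias
# ("Invert match" on the destination).
def rule_pass_non_private(src, dst, proto, dport):
    return src in DMZ_NET and not in_any(dst, RFC1918)


# pfSense evaluates interface rules top-down; the first matching rule wins,
# and anything that matches no rule hits the implicit default deny.
RULES = [
    ("pass", rule_dns_to_self),
    ("block", rule_block_self),
    ("pass", rule_pass_non_private),
]


def evaluate(src, dst, proto="tcp", dport=443):
    """Return 'pass' or 'block' for a flow entering on the DMZ interface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, matches in RULES:
        if matches(src, dst, proto, dport):
            return action
    return "block"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.10", "192.168.7.254", "203.0.113.2"):
        print(dst, evaluate("192.168.7.2", dst))
```

Moving the DNS rule below the block rule makes the last test case fail, which is the ordering mistake the answer warns about.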