Protect the firewall on a DMZ
-
Hi Guys,
I'm sure I'm missing something but I can't figure this out.
I've got a WAN, LAN, & DMZ [ 20.0 net ].
I want to allow anyone on the DMZ to the internet on ports 80 & 443. I want to protect pfSense from anyone on the DMZ from reaching it at 192.168.20.1. I've tried blocking 20.1, blocking DMZ.address, blocking "this firewall", etc …. But I lose internet connectivity when I do this. Is this possible or do I just need to put a really strong password on pfSense?
-
Yes, it is possible…. you just need the "proper" FW rules, at the proper "position" (order).
https://doc.pfsense.org/index.php/Firewall_Rule_Basics
https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
If you "show" (screenshots) your rules, it will be possible to "see" where the "error" is ;)
-
Rules below - I've tried several combos of rules - Can ping everything on Wifi.net but no connectivity.
Thanks
![Screen Shot 2017-03-06 at 5.25.02 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 5.25.02 PM.png)
-
Actually - the advice you gave me in your post was excellent. The three links are very good and I need to do more homework. I thought I understood BUT I did not….
Truly, thank you. I will learn a great deal more if I solve this myself!
Joe
-
I can access the internet and cannot access pfSense box. I think I figured it out!! Is this correct…
If it is, then I UNDERSTAND and I did it using logging!!!!
pfSense is GREAT!!!
Thanks in advance for the advice ptt!!
BUT - Is it correct??
![Screen Shot 2017-03-06 at 10.31.31 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 10.31.31 PM.png)
-
Make the destination in rule 2 "This Firewall" instead of "WIFI Address".
Try to connect to the pfSense webGUI on any firewall address other than the WIFI address first.
-
Thanks - Last night I was trying to figure out what "This Firewall" was all about, so I set up a ping test between all 3 subnets and figured it out rather quickly - It means any of the xxx.1 addresses. So I changed it before I went to bed.
The takeaway from this for me is: "Learn to use the tools provided on pfSense!"
Derelic, thanks for confirming that that method was correct….
You guys are great! Thanks for the help!
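To make the two points above concrete (the "This Firewall" destination covers every interface address, not just the DMZ one, and pfSense evaluates interface rules top-down, first match wins), here is an added example that is not part of the thread: a small Python model of first-match rule evaluation over the DMZ rule sets discussed. The interface addresses (LAN 192.168.10.1, WAN 203.0.113.2), the DMZ host, and the internet destination are constructed values; only the 192.168.20.0/24 DMZ and its .1 address come from the thread.

```python
import ipaddress

# Assumed interface addresses for this model; "This Firewall" in pfSense is an
# alias for every address the firewall itself holds, on every interface.
FIREWALL_ADDRS = {"192.168.10.1", "192.168.20.1", "203.0.113.2"}
DMZ_NET = ipaddress.ip_network("192.168.20.0/24")   # the "20.0 net" from the thread
DMZ_ADDRESS = "192.168.20.1"                         # the "WIFI Address" / "DMZ.address" choice

def matches(rule, src, dst, dport):
    """True if a packet (src, dst, dport) matches one rule's source, destination and ports."""
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    if rule["dst"] == "this_firewall" and dst not in FIREWALL_ADDRS:
        return False
    if rule["dst"] == "dmz_address" and dst != DMZ_ADDRESS:
        return False
    if rule["ports"] is not None and dport not in rule["ports"]:
        return False
    return True   # rule["dst"] == "any" matches every destination

def evaluate(rules, src, dst, dport):
    """pfSense interface-tab semantics: first matching rule wins; no match is an implicit block."""
    for rule in rules:
        if matches(rule, src, dst, dport):
            return rule["action"]
    return "block"

# What the thread first tried: block only the DMZ interface address, then pass web traffic.
RULES_DMZ_ADDRESS_ONLY = [
    {"action": "block", "src": DMZ_NET, "dst": "dmz_address", "ports": None},
    {"action": "pass",  "src": DMZ_NET, "dst": "any",         "ports": {80, 443}},
]
# The fix from the thread: block "This Firewall" above the pass rule.
RULES_THIS_FIREWALL = [
    {"action": "block", "src": DMZ_NET, "dst": "this_firewall", "ports": None},
    {"action": "pass",  "src": DMZ_NET, "dst": "any",           "ports": {80, 443}},
]
# Same two rules in the wrong order: the pass rule matches first and the block never fires.
RULES_WRONG_ORDER = list(reversed(RULES_THIS_FIREWALL))

if __name__ == "__main__":
    for name, rules in [("dmz-address-only", RULES_DMZ_ADDRESS_ONLY),
                        ("this-firewall", RULES_THIS_FIREWALL),
                        ("wrong-order", RULES_WRONG_ORDER)]:
        print(name, "DMZ host -> LAN-side firewall address :443 =>",
              evaluate(rules, "192.168.20.50", "192.168.10.1", 443))
```

The first rule set shows why the reply above says to test the webGUI on an address other than the WIFI one: blocking only 192.168.20.1 still leaves the firewall's LAN and WAN addresses reachable from the DMZ on 443.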