DMZ not communicating



  • I am trying to configure a DMZ and have set up a 192.168.7.0/24 subnet

    Pfsense 192.168.7.254
    PC 192.168.7.2

    I wish to block all traffic from this subnet to my main LAN @ 192.168.1.0/24

    Test rule 1
    => allows me to access wan and main lan
    source =  DMZ net
    dest = any

    Test rule 2
    => allows me to ping 192.168.7.254 & 192.168.1.254 only
    source = DMZ net
    dest = this firewall (self)

    Test rule 3
    => allows me to ping modem wan address
    source = DMZ net
    dest = wan address

    Test rule 4
    => allows me to ping modem wan address & ping 8.8.8.8 is blocked and logged in fw log
    source = DMZ net
    dest = wan net

    How can I config the DMZ fw rules to allow the subnet to access the wan and nothing else?

    Thanks



  • @McMurphy:

    How can I config the DMZ fw rules to allow the subnet to access the wan and nothing else?

    To get this, you will need at least 2 rules.

    First you need a block rule on DMZ interface blocking any protocol from source "DMZ net" to dest. "This firewall".

    Second, create a pass rule, set the protocol to meet your needs, set source to "DMZ net" and at destination check "Invert match." and enter "LAN net".
    Instead of LAN net it is a good choice to add an alias containing all RFC 1918 subnets and enter it in the rule at dest. So you will not have to edit this rule if you add further internal subnets.

    Remember that the DMZ devices also need to access a DNS service. If this is running on your firewall or in the LAN you will also have to add an additional rule to permit this.
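    Added example, not from this thread or from pfSense itself: a small first-match evaluator that models the two rules above (block to "This firewall", then pass with an inverted RFC 1918 alias) and the extra DNS rule, so you can check which DMZ flows end up passed or hitting the default deny. The firewall addresses, the WAN address 203.0.113.10 and the test flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing; 203.0.113.10 stands in for the firewall's WAN address.
DMZ_NET = ip_network("192.168.7.0/24")
THIS_FIREWALL = {ip_address(a) for a in ("192.168.7.254", "192.168.1.254", "203.0.113.10")}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: object                  # ip_network the source must fall in
    dst: object                  # list of ip_network (alias) or the THIS_FIREWALL set
    invert_dst: bool = False     # pfSense "Invert match" on the destination
    proto: str = "any"           # "any", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port, None = any

    def dst_matches(self, dst):
        if isinstance(self.dst, set):
            hit = dst in self.dst
        else:
            hit = any(dst in net for net in self.dst)
        return hit != self.invert_dst

    def matches(self, src, dst, proto, dport):
        return (src in self.src and self.dst_matches(dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, proto="tcp", dport=None):
    """Rules on an interface are evaluated top-down, first match wins;
    no match falls through to the implicit default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "block"


# Without the block rule, the pass rule would also admit the firewall's (non-RFC 1918) WAN address.
DMZ_RULES = [
    Rule("block", DMZ_NET, THIS_FIREWALL),
    Rule("pass", DMZ_NET, RFC1918, invert_dst=True),
]
# If DNS runs on the firewall, the permit must sit above the block rule to take effect.
DMZ_RULES_WITH_DNS = [Rule("pass", DMZ_NET, THIS_FIREWALL, proto="udp", dport=53)] + DMZ_RULES

if __name__ == "__main__":
    for dst, proto, port in [("8.8.8.8", "icmp", None), ("192.168.1.10", "tcp", 445), ("192.168.7.254", "udp", 53)]:
        print(dst, proto, port, evaluate(DMZ_RULES, "192.168.7.2", dst, proto, port),
              evaluate(DMZ_RULES_WITH_DNS, "192.168.7.2", dst, proto, port))
```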