Netgate Discussion Forum
    Protect the firewall on a DMZ

    Category: Firewalling
    7 Posts, 3 Posters, 2.6k Views
    delstel:

      Hi Guys,

      I'm sure I'm missing something but I can't figure this out.

      I've got a WAN, LAN, & DMZ [ 20.0 net ].

      I want to allow anyone on the DMZ to the internet on ports 80 & 443.  I want to protect pfSense from anyone on the DMZ reaching it at 192.168.20.1.  I've tried blocking 20.1, blocking DMZ address, blocking "this firewall", etc. …  But I lose internet connectivity when I do this.  Is this possible, or do I just need to put a really strong password on pfSense?

      ptt (Rebel Alliance):

        Yes, it is possible… you just need the "proper" FW rules, at the proper "position" (order).

        https://doc.pfsense.org/index.php/Firewall_Rule_Basics

        https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

        https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

        If you "show" (screenshots) your rules, it will be possible to "see" where the "error" is  ;)

        delstel:

          Rules below - I've tried several combos of rules - Can ping everything on Wifi.net but no connectivity.

          Thanks

          ![Screen Shot 2017-03-06 at 5.25.02 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 5.25.02 PM.png)

          delstel:

            Actually - the advice you gave me in your post was excellent. The three links are very good and I need to do more homework.  I thought I understood BUT I did not….

            Truly, thank you.  I will learn a great deal more if I solve this myself!

            Joe

            delstel:

              I can access the internet and cannot access the pfSense box.  I think I figured it out!!  Is this correct…

              If it is, then I UNDERSTAND and I did it using logging!!!!

              pfSense is GREAT!!!

              Thanks in advance for the advice ptt!!

              BUT - Is it correct??

              ![Screen Shot 2017-03-06 at 10.31.31 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 10.31.31 PM.png)

              Derelict (LAYER 8, Netgate):

                Make the destination in rule 2 "This Firewall" instead of "WIFI address".

                Try to connect to the pfSense webGUI on any firewall address other than the WIFI address first.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                delstel:
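To show why Derelict's "This Firewall" change matters, and why rule order matters (ptt's point), here is an added first-match simulation of the DMZ interface tab. It is not pfSense code; the addresses, the WAN/LAN values and the three rule sets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses modelled on the thread; WAN and LAN addresses are assumptions.
FIREWALL_ADDRESSES = {ip_address("203.0.113.10"),   # WAN (assumed)
                      ip_address("192.168.1.1"),    # LAN (assumed)
                      ip_address("192.168.20.1")}   # DMZ, the "WIFI address"
DMZ_NET = ip_network("192.168.20.0/24")
ANY = ip_network("0.0.0.0/0")

def matches(rule, src, dst, proto, dport):
    """pfSense-style match. dst is a network, or the string "This Firewall",
    which covers every address the firewall itself owns, on any interface."""
    if src not in rule["src"]:
        return False
    if rule["dst"] == "This Firewall":
        if dst not in FIREWALL_ADDRESSES:
            return False
    elif dst not in rule["dst"]:
        return False
    if rule["proto"] != "any" and rule["proto"] != proto:
        return False
    return rule["dport"] in ("any", dport)

def evaluate(rules, src, dst, proto="tcp", dport=443):
    """Top-down, first-match evaluation of an interface tab; traffic no rule
    matches hits pfSense's implicit default deny."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule["action"]
    return "block"

def dmz_rule(action, dst, proto="any", dport="any"):
    return {"action": action, "src": DMZ_NET, "dst": dst, "proto": proto, "dport": dport}

# Three rule sets, all with source "DMZ net"; the pass rules are the "80 & 443 out".
BLOCK_DMZ_ADDRESS_ONLY = [dmz_rule("block", ip_network("192.168.20.1/32")),
                          dmz_rule("pass", ANY, "tcp", 80),
                          dmz_rule("pass", ANY, "tcp", 443)]
BLOCK_THIS_FIREWALL = [dmz_rule("block", "This Firewall"),
                       dmz_rule("pass", ANY, "tcp", 80),
                       dmz_rule("pass", ANY, "tcp", 443)]
# Same rules, block placed last: first match wins, so the block never fires.
BLOCK_LAST = BLOCK_THIS_FIREWALL[1:] + BLOCK_THIS_FIREWALL[:1]

if __name__ == "__main__":
    client, lan_addr, web = ip_address("192.168.20.50"), ip_address("192.168.1.1"), ip_address("198.51.100.7")
    for name, rules in [("block DMZ address only", BLOCK_DMZ_ADDRESS_ONLY),
                        ("block This Firewall", BLOCK_THIS_FIREWALL), ("block placed last", BLOCK_LAST)]:
        print(f"{name}: webGUI via LAN address -> {evaluate(rules, client, lan_addr)}, "
              f"internet https -> {evaluate(rules, client, web)}")
```

Blocking only the DMZ interface address still leaves the webGUI reachable on the LAN or WAN address, which is what the "This Firewall" destination closes. If DMZ hosts resolve names through pfSense, a pass rule for port 53 to "This Firewall" has to sit above the block, or name resolution and with it web access breaks.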

                  Thanks - Last night I was trying to figure out what "this firewall" was all about, so I set up a ping test between all 3 subnets and figured it out rather quickly - It means any of the xxx.1 addresses.  So I changed it before I went to bed.

                  The takeaway from this for me is:  "Learn to use the tools provided on pfSense!"

                  Derelict, thanks for confirming that that method was correct….

                  You guys are great!  Thanks for the help!

                  Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.