Protect the firewall on a DMZ

  • Hi Guys,

    I'm sure I'm missing something, but I can't figure this out.

    I've got a WAN, LAN, & DMZ [ 20.0 net ].

    I want to allow anyone on the DMZ to the internet on ports 80 & 443.  I want to protect pfSense from anyone on the DMZ from reaching it at  I've tried blocking 20.1, blocking DMZ.address, blocking "this firewall", etc...  But I lose internet connectivity when I do this.  Is this possible, or do I just need to put a really strong password on pfSense?

  • Rebel Alliance

    Yes, it is possible... you just need the "proper" FW rules, in the proper "position" (order).

    If you "show" (screenshots) your rules, it will be possible to "see" where the "error" is  ;)

  • Rules below - I've tried several combos of rules - Can ping everything on but no connectivity.

    ![Screen Shot 2017-03-06 at 5.25.02 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 5.25.02 PM.png)

  • Actually - the advice you gave me in your post was excellent. The three links are very good and I need to do more homework.  I thought I understood BUT I did not...

    Truly, thank you.  I will learn a great deal more if I solve this myself!


  • I can access the internet and cannot access the pfSense box.  I think I figured it out!!  Is this correct...

    If it is, then I UNDERSTAND and I did it using logging!!!!

    pfSense is GREAT!!!

    Thanks in advance for the advice ptt!!

    BUT - Is it correct??

    ![Screen Shot 2017-03-06 at 10.31.31 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 10.31.31 PM.png)

  • LAYER 8 Netgate

    Make the destination in rule 2 This Firewall instead of WIFI Address.

    Try to connect to the pfSense webGUI on any firewall address other than the WIFI address first.
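The reply above turns on two pfSense behaviours: interface rules are evaluated top-down and the first match wins, and the "This Firewall" destination covers every address the firewall owns, not just the one on the DMZ interface. The following simulation is an added example and not part of the thread or of pfSense itself; the addresses (a 192.168.20.0/24 DMZ, a 192.168.10.1 LAN address and a 203.0.113.2 WAN address) are constructed. It evaluates a few test packets against three DMZ rule sets: the correct one (block to This Firewall first, then pass 80/443 to any), the same two rules in the wrong order, and a block aimed only at the DMZ interface address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumption, not taken from the thread beyond the "20.0 net").
# "This Firewall" in pfSense means every address assigned to the firewall itself.
FIREWALL_ADDRS = {"192.168.20.1", "192.168.10.1", "203.0.113.2"}  # DMZ, LAN, WAN side
DMZ_ADDRESS = "192.168.20.1"                                       # "DMZ address" only
DMZ_NET = ipaddress.ip_network("192.168.20.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # "dmz_net" or "any"
    dst: str                     # "this_firewall", "dmz_address" or "any"
    ports: Optional[frozenset]   # None means any destination port


def _dst_matches(dst: str, dst_ip: str) -> bool:
    if dst == "any":
        return True
    if dst == "this_firewall":
        return dst_ip in FIREWALL_ADDRS
    if dst == "dmz_address":
        return dst_ip == DMZ_ADDRESS
    raise ValueError(f"unknown destination alias {dst!r}")


def evaluate(rules, src_ip: str, dst_ip: str, dport: int) -> str:
    """Top-down, first-match evaluation of the rules on the DMZ interface tab.
    Anything no rule matches is dropped by pfSense's implicit default deny."""
    for rule in rules:
        if rule.src == "dmz_net" and ipaddress.ip_address(src_ip) not in DMZ_NET:
            continue
        if not _dst_matches(rule.dst, dst_ip):
            continue
        if rule.ports is not None and dport not in rule.ports:
            continue
        return rule.action
    return "block"


WEB = frozenset({80, 443})

# What the reply recommends: the block to This Firewall sits above the pass rule.
CORRECT = [
    Rule("block", "dmz_net", "this_firewall", None),
    Rule("pass", "dmz_net", "any", WEB),
]

# Same rules, pass rule first: the pass to "any" on 443 also matches the webGUI.
WRONG_ORDER = [
    Rule("pass", "dmz_net", "any", WEB),
    Rule("block", "dmz_net", "this_firewall", None),
]

# Blocking only the DMZ-side address leaves the LAN and WAN addresses reachable.
ONLY_DMZ_ADDRESS = [
    Rule("block", "dmz_net", "dmz_address", None),
    Rule("pass", "dmz_net", "any", WEB),
]


def scorecard(rules) -> dict:
    """Decisions for one DMZ host against the firewall's addresses and the internet."""
    host = "192.168.20.50"           # constructed DMZ host
    internet = "198.51.100.10"       # constructed public web server
    return {
        "dmz_gw_https": evaluate(rules, host, DMZ_ADDRESS, 443),
        "lan_gw_https": evaluate(rules, host, "192.168.10.1", 443),
        "wan_addr_https": evaluate(rules, host, "203.0.113.2", 443),
        "internet_https": evaluate(rules, host, internet, 443),
        "internet_ssh": evaluate(rules, host, internet, 22),
    }


if __name__ == "__main__":
    for name, rules in (("correct", CORRECT), ("wrong order", WRONG_ORDER),
                        ("only DMZ address", ONLY_DMZ_ADDRESS)):
        print(f"{name:17}: {scorecard(rules)}")
```

Only the first rule set blocks every firewall address while still passing web traffic out; the wrong order lets a DMZ host reach the webGUI on 443, and the DMZ-address-only block still exposes the LAN and WAN addresses, which is why the reply suggests testing the webGUI on an address other than the one on the blocked interface.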

  • Thanks - Last night I was trying to figure out what "this firewall" was all about, so I set up a ping test between all 3 subnets and figured it out rather quickly - it means any of the xxx.1 addresses.  So I changed it before I went to bed.

    The takeaway from this for me is:  "Learn to use the tools provided on pfSense!"

    Derelict, thanks for confirming that that method was correct...

    You guys are great!  Thanks for the help!