Protect the firewall on a DMZ



  • Hi Guys,

    I'm sure I'm missing something, but I can't figure this out.

    I've got a WAN, LAN, & DMZ [ 20.0 net ].

    I want to allow anyone on the DMZ to the internet on ports 80 & 443.  I want to protect pfSense from anyone on the DMZ reaching it at 192.168.20.1.  I've tried blocking 20.1, blocking DMZ address, blocking "this firewall", etc….  But I lose internet connectivity when I do this.  Is this possible, or do I just need to put a really strong password on pfSense?


  • Rebel Alliance

    Yes, it is possible…. you just need the "proper" FW rules, in the proper "position" (order).

    https://doc.pfsense.org/index.php/Firewall_Rule_Basics

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    If you "show" (screenshots) your rules, it will be possible to "see" where the "error" is  ;)



  • Rules below - I've tried several combos of rules - Can ping everything on Wifi.net but no connectivity.

    Thanks

    ![Screen Shot 2017-03-06 at 5.25.02 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 5.25.02 PM.png)



  • Actually - the advice you gave me in your post was excellent. The three links are very good and I need to do more homework.  I thought I understood BUT I did not….

    Truly, thank you.  I will learn a great deal more if I solve this myself!

    Joe



  • I can access the internet and cannot access pfSense box.  I think I figured it out!!  Is this correct…

    If it is, then I UNDERSTAND and I did it using logging!!!!

    pfSense is GREAT!!!

    Thanks in advance for the advice ptt!!

    BUT - Is it correct??

    ![Screen Shot 2017-03-06 at 10.31.31 PM.png](/public/imported_attachments/1/Screen Shot 2017-03-06 at 10.31.31 PM.png)


  • Netgate

    Make the destination in rule 2 This Firewall instead of WIFI Address.

    Try to connect to the pfsense webgui on any firewall address other than the wifi address first.



  • Thanks - Last night I was trying to figure out what "this firewall" was all about, so I set up a ping test between all 3 subnets and figured it out rather quickly - it means any of the xxx.1 addresses.  So I changed it before I went to bed.

    The takeaway from this for me is:  "Learn to use the tools provided on pfSense!"

    Derelic, Thanks for confirming that that method was correct….

    You guys are great!  Thanks for the help!
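To make the two points of this thread concrete (first-match rule order, and why the block must target "This Firewall" rather than the DMZ interface address only), here is a small added Python model of pfSense-style DMZ interface rules. It is not pfSense code and not from anyone in the thread; the interface addresses, the DMZ client and the external destination are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network, ip_address

# Constructed lab addressing modelled on the thread: WAN, LAN and a DMZ on
# 192.168.20.0/24. These interface addresses are assumptions, not the OP's.
IFACE_ADDRS = {"wan": "203.0.113.2", "lan": "192.168.1.1", "dmz": "192.168.20.1"}

@dataclass
class Rule:
    action: str          # "pass" or "block"
    proto: str           # "tcp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination CIDR, or "this_firewall" (every interface address)
    dports: tuple = ()   # destination ports; () means any port

def dst_matches(rule, dst_ip):
    # "This Firewall" in pfSense covers all addresses owned by the box,
    # which is what the OP observed with the ping test across the 3 subnets.
    if rule.dst == "this_firewall":
        return dst_ip in {ip_address(a) for a in IFACE_ADDRS.values()}
    return dst_ip in ip_network(rule.dst)

def evaluate(rules, proto, src, dst, dport=None):
    """Rules on one interface: first match wins, implicit deny at the end."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if src_ip not in ip_network(r.src) or not dst_matches(r, dst_ip):
            continue
        if r.dports and dport not in r.dports:
            continue
        return r.action
    return "block"

# Rule set the thread ends with: block the firewall itself first,
# then allow web traffic from the DMZ to anywhere.
GOOD = [
    Rule("block", "any", "192.168.20.0/24", "this_firewall"),
    Rule("pass", "tcp", "192.168.20.0/24", "0.0.0.0/0", (80, 443)),
]

# Earlier attempt: block only the DMZ interface address. The pass rule
# below it still lets a DMZ host reach the LAN-side address of the box.
DMZ_ADDR_ONLY = [
    Rule("block", "any", "192.168.20.0/24", "192.168.20.1/32"),
    Rule("pass", "tcp", "192.168.20.0/24", "0.0.0.0/0", (80, 443)),
]
```

Swap the order of the two rules in GOOD and the pass rule matches HTTPS to 192.168.20.1 before the block is ever consulted, which is the ordering trap the linked rule-processing page describes.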