Ping LAN to DMZ, but not DMZ to LAN



  • I'd like to configure this:

    • PC in LAN can ping Web server in DMZ.
    • But I don't want Web server in DMZ able to ping PC in LAN.

    The firewall is new (so not a lot of rules).

    I'm new to pfSense. Perhaps I've done something wrong when I created the DMZ interface.

    On the DMZ interface: all rules are "disabled".

    On the LAN interface: a "block" rule for "IPv4 ICMP echo request".

    From my web server (on the DMZ interface), I launch a ping (ping -t) to a PC (on the LAN interface).
    The ping doesn't work because there is no rule on the DMZ interface.
    That's good.

    From the same PC (on the LAN interface), I launch a ping (ping -t) to the web server (on the DMZ interface).
    The ping doesn't work because there is a rule that blocks it.
    That's good.

    I modify the LAN rule: it changes from "block" to "pass".

    The ping from the PC to the web server is now working: that's good.

    But … the ping from the web server to the PC works too!!! That's not what I want.

    If I add a rule on the DMZ interface that blocks "ping request" from DMZ to LAN, the ping from the server on DMZ to LAN continues.

    I know iptables. I can't find how to do what I want in pfSense.

    Thanks for all.

    Best regards.



  • By default, packets are filtered on the interface where they come in, except for floating rules.
    Only packets which are explicitly allowed by a filter rule can pass.

    So if you are able to ping from DMZ to LAN, there must be a rule on the DMZ interface allowing it, or even a floating rule.
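    The reply above describes the model behind the behaviour: rules are matched on the interface a packet enters, anything not explicitly passed is dropped, and a pass creates a state that lets the reply back in. The following toy model is an added example, not from the thread and not pfSense code; the rule tables and the host addresses 10.0.0.10 / 172.16.0.10 are constructed. It shows why a LAN "pass IPv4 ICMP echo request" rule lets the echo reply back from the DMZ but does not, on its own, let a DMZ-originated echo request through.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet ENTERS the firewall on ("LAN" or "DMZ")
    src: str
    dst: str
    icmp_type: str   # "echo-request" or "echo-reply"


@dataclass
class Firewall:
    # Per-interface rule tables: iface -> [(action, icmp_type or "any"), ...].
    # First match wins; an interface with no matching rule is default deny.
    rules: dict
    states: set = field(default_factory=set)   # (src, dst) of flows opened by a pass rule

    def _flow(self, p):
        # An echo reply belongs to the flow that its echo request opened.
        return (p.dst, p.src) if p.icmp_type == "echo-reply" else (p.src, p.dst)

    def filter(self, p):
        if self._flow(p) in self.states:
            return "pass"                      # existing state: rules are not consulted
        for action, icmp_type in self.rules.get(p.in_iface, []):
            if icmp_type in ("any", p.icmp_type):
                if action == "pass":
                    self.states.add((p.src, p.dst))   # pass creates a state entry
                return action
        return "block"                         # nothing matched: implicit deny

    def kill_states(self):
        self.states.clear()                    # Diagnostics > States > kill


LAN_PC, DMZ_WEB = "10.0.0.10", "172.16.0.10"   # constructed host addresses


def scenario(lan_action):
    """LAN rule '<lan_action> IPv4 ICMP echo request, any -> any'; no DMZ rules."""
    fw = Firewall({"LAN": [(lan_action, "echo-request")], "DMZ": []})
    return {
        "LAN->DMZ request": fw.filter(Packet("LAN", LAN_PC, DMZ_WEB, "echo-request")),
        "DMZ->LAN reply":   fw.filter(Packet("DMZ", DMZ_WEB, LAN_PC, "echo-reply")),
        "DMZ->LAN request": fw.filter(Packet("DMZ", DMZ_WEB, LAN_PC, "echo-request")),
    }


if __name__ == "__main__":
    for action in ("block", "pass"):
        print(action, scenario(action))
```

In this model the only way a DMZ-originated echo request passes is a matching pass rule on the DMZ interface or a leftover state, which is why the replies in the thread point at rules on the wrong interface or stale states.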



  • ^^^ yeah, you either swapped LAN and DMZ interfaces or you need to kill states like advised in your other post.



  • In Interfaces > Interface Assignments:

    • WAN: hn0 (00:15:5d:6c:a0:09)
    • LAN: hn1 (00:15:5d:6c:a0:0a)
    • DMZ: hn2 (00:15:5d:6c:a0:0b)

    Everything is virtualized (Hyper-V) on one physical machine. As soon as possible, I will try the same test with one physical machine in the DMZ and another physical machine in the LAN.

    All submenus (Interface Groups, Wireless, …) are empty.


    In Interface > DMZ (I don't show empty fields):

    • Description: DMZ

    • IPv4 Configuration Type: Static IPv4

    • IPv6 Configuration Type: none

    • IPv4 Address: 172.16.0.1

    • IPv4 Upstream gateway: None


    In Interface > LAN (I don't show empty fields):

    • Description: LAN

    • IPv4 Configuration Type: Static IPv4

    • IPv6 Configuration Type: none

    • IPv4 Address: 10.0.0.1

    • IPv4 Upstream gateway: None


    In Firewall > Rules > Floating:
    No floating rules are currently defined. Click the button to add a new rule.


    In Firewall > Rules > LAN:

    • Rule num 1: Anti-Lockout Rule

    • Rule num 2: "ping LAN to WAN":
        . Action: "pass" or "block"
        . Interface: LAN
        . Address Family: IPv4
        . Protocol: ICMP
        . ICMP Subtypes: Echo request
        . Source: any
        . Destination: any
        . Disable reply-to: selected
        . State type: keep
        . Gateway: default


    In Firewall > Rules > DMZ:
    No floating rules are currently defined. Click the button to add a new rule.


    Ping from LAN to DMZ is "blocked".
    Then: ping from DMZ to LAN is "blocked" too.

    What is strange: if rule num 2 on the LAN interface changes from "block" to "pass":

    • the ping from LAN to DMZ is working (after having destroyed the state in Diagnostics > States)
    • immediately, the ping from DMZ to LAN is working too.

    When the ping is working (from LAN to DMZ, but from DMZ to LAN too), I have only 2 lines in Diagnostics > States (the "State" column is at 0:0 for the two lines).


    Thanks for all.



