Simple DMZ, cannot look up DNS
I got my pfSense working and I have LAN, WAN and DMZ interfaces.
The LAN should be able to ssh to the DMZ, but not the other way around.
The DMZ should be able to connect to the Internet, but not to the LAN.
The idea behind that is that a webserver will be in the DMZ later on, and I should be able to connect from the Internet to the webserver, but not to the LAN.
The LAN should be separated, and safe from the Internet and the DMZ.
I can connect from LAN to DMZ.
I can ping IP addresses on the Internet from the DMZ, but I can't look up google.com, for example.
From a machine inside the DMZ:
```
PING 184.108.40.206 (220.127.116.11) 56(84) bytes of data.
64 bytes from 18.104.22.168: icmp_seq=1 ttl=60 time=15.4 ms
64 bytes from 22.214.171.124: icmp_seq=2 ttl=60 time=14.9 ms
64 bytes from 126.96.36.199: icmp_seq=3 ttl=60 time=14.8 ms
64 bytes from 188.8.131.52: icmp_seq=4 ttl=60 time=15.3 ms
64 bytes from 184.108.40.206: icmp_seq=5 ttl=60 time=15.0 ms
```
`ping google.com` doesn't work, no answer.
How do I have to set/change my rules?
Rules are attached.
DMZ subnet is 192.168.3.1/24
LAN is 192.168.1.1/24
Machine inside DMZ:
![DMZ rules.png](/public/imported_attachments/1/DMZ rules.png)
![LAN rules.png](/public/imported_attachments/1/LAN rules.png)
I sorted it out myself.
I had to add a rule on DMZ allowing UDP traffic to port 53 (DNS) from the DMZ to 192.168.1.1 (the DNS server).
Is this the best way to do it? Right? Is this safe?
The best way is to configure the DNS Resolver or Forwarder to also listen on the DMZ interface, and add a rule on DMZ allowing access to the interface address (destination = This Firewall).
Since DNS mostly uses UDP, yes, you need to allow that on port 53, to wherever you have your devices pointing for DNS. You should also allow TCP on 53, since DNS can require the use of TCP.
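To make the rule-ordering point behind the fix above and the two replies concrete, here is an added example that is not from this thread or from pfSense itself: a toy model of pfSense's first-match evaluation of the rules on the DMZ interface. The rulesets are constructed to be consistent with the symptoms described in the question (Internet reachable, LAN blocked), since the poster's real rules exist only in the screenshots. Addresses follow the thread (LAN 192.168.1.0/24 with the firewall at 192.168.1.1, DMZ 192.168.3.0/24 with the firewall at 192.168.3.1); the LAN host 192.168.1.50 and the resolver 8.8.8.8 as a ping target are assumptions for illustration.

```python
"""Toy model of pfSense first-match rule evaluation on a DMZ interface.

Constructed example for this thread, not the poster's actual rules (those are
only in the attached screenshots). Addresses follow the thread: LAN is
192.168.1.0/24 with the firewall at 192.168.1.1, DMZ is 192.168.3.0/24 with
the firewall at 192.168.3.1. The LAN host 192.168.1.50 is an assumption.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

ANY = "any"
LAN_NET = IPv4Network("192.168.1.0/24")
# pfSense's "This Firewall (self)" destination: every interface address.
THIS_FIREWALL = frozenset({ip_address("192.168.1.1"), ip_address("192.168.3.1")})


@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "udp", "tcp", "icmp" or ANY
    dst: object      # IPv4Network, a frozenset of addresses, or ANY
    dport: object    # destination port as int, or ANY
    descr: str


def _dst_matches(rule_dst, dst_ip: IPv4Address) -> bool:
    # Both IPv4Network and frozenset support the `in` test.
    return rule_dst is ANY or dst_ip in rule_dst


def evaluate(rules, proto: str, dst: str, dport=None):
    """Return (action, description) of the first matching rule.

    pfSense evaluates interface rules top to bottom and the first match wins
    (rules are 'quick' by default); anything unmatched hits the default deny.
    """
    dst_ip = ip_address(dst)
    for r in rules:
        if r.proto not in (ANY, proto):
            continue
        if not _dst_matches(r.dst, dst_ip):
            continue
        if r.dport not in (ANY, dport):
            continue
        return r.action, r.descr
    return "block", "default deny"


# Ruleset consistent with the symptoms in the question: Internet reachable,
# LAN blocked, and therefore DNS to the LAN-side address 192.168.1.1 blocked too.
ORIGINAL_DMZ_RULES = [
    Rule("block", ANY, LAN_NET, ANY, "Block DMZ to LAN net"),
    Rule("pass", ANY, ANY, ANY, "Allow DMZ to any (Internet)"),
]

# The poster's own fix: a UDP/53 pass rule to 192.168.1.1 placed ABOVE the block.
POSTER_FIX_RULES = [
    Rule("pass", "udp", IPv4Network("192.168.1.1/32"), 53, "Allow DNS to 192.168.1.1"),
] + ORIGINAL_DMZ_RULES

# The variant recommended in the replies: the resolver listens on the DMZ
# interface, and both UDP and TCP 53 are allowed to "This Firewall".
RECOMMENDED_RULES = [
    Rule("pass", "udp", THIS_FIREWALL, 53, "Allow DNS (UDP) to this firewall"),
    Rule("pass", "tcp", THIS_FIREWALL, 53, "Allow DNS (TCP) to this firewall"),
] + ORIGINAL_DMZ_RULES

# The same rules as the fix but with the DNS rule BELOW the block: the block wins.
MISORDERED_RULES = ORIGINAL_DMZ_RULES[:1] + POSTER_FIX_RULES[:1] + ORIGINAL_DMZ_RULES[1:]


def check(rules, cases):
    """Evaluate a list of (proto, dst, dport) tuples and return the actions taken."""
    return [evaluate(rules, *c)[0] for c in cases]


if __name__ == "__main__":
    cases = [
        ("icmp", "8.8.8.8", None),      # ping to the Internet
        ("udp", "192.168.1.1", 53),     # DNS to the LAN-side firewall address
        ("tcp", "192.168.1.1", 53),     # same, over TCP (truncated answers)
        ("udp", "192.168.3.1", 53),     # DNS to the DMZ-side firewall address
        ("tcp", "192.168.1.50", 22),    # SSH from DMZ into LAN must stay blocked
    ]
    for name, rules in [("original", ORIGINAL_DMZ_RULES), ("poster fix", POSTER_FIX_RULES),
                        ("recommended", RECOMMENDED_RULES), ("misordered", MISORDERED_RULES)]:
        print(f"{name:12s}", check(rules, cases))
```

Two things the model makes visible that the thread only implies: the pass rule for DNS has to sit above the "block to LAN net" rule, because the first match decides and a later pass rule never gets a look; and a UDP-only rule, as in the poster's fix, still drops TCP/53, which the last reply warns about. Pointing the DMZ hosts at the DMZ-side address (192.168.3.1) with the resolver listening there, as the first reply suggests, keeps the DMZ from needing any rule at all towards a LAN address.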