Netgate Discussion Forum
    Help with rules from DMZ to Internet with limited LAN access

    Firewalling
    5 Posts 4 Posters 452 Views
    • _neok

      Hello everyone!
      I have a computer (anti-spam) on my DMZ, exposed to the internet with a NAT on one of my WANs.
      I have a working rule that allows it to communicate with two IP addresses on my LAN and nothing else. So far, so good.
      Now, I need that computer to be able to connect to the Internet, but not to the rest of my LAN.
      If I set up a DMZ-to-any rule it connects to the internet but also to the entire LAN.
      How and where do you recommend that I set up the rules so it can communicate with the Internet and only with the LAN IP addresses that I specify?
      Thank you very much for any hint!
      Warm greetings

      Gabriel

      • dzeanah

        Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

        • NogBadTheBad

          @Derek:

          Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

          ^^ this

          Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.

          [attached screenshot: Untitled.jpg]

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          • _neok

            @NogBadTheBad:

            @Derek:

            Add a rule that denies access to the LAN from this machine, and have it processed before the allow all rule?

            ^^ this

            Check out the attached screenshot, replace TEST net with DMZ net, g_ip_local contains my local IP addresses.

            Thank you very much for the tip! I'm gonna try it and then come back and tell you how it went.
            Best regards!

            • georgeman

              I might add that a nice approach is to create an alias containing all the RFC1918 networks and explicitly block connections from the DMZ to this alias before the allow-to-internet rule.

              If it ain't broke, you haven't tampered enough with it

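The ordering point made in dzeanah's and NogBadTheBad's replies (block the LAN before the allow-any rule) and georgeman's RFC1918 alias, worked through as an added example that is not part of the thread: a small first-match evaluator in the style of pfSense interface rules, run over a constructed DMZ host, two constructed whitelisted LAN addresses and an internet destination. All addresses are made up for the example.

```python
import ipaddress

# pfSense evaluates interface rules top to bottom and the first match wins,
# so the order of the list below IS the policy. Everything that matches no
# rule falls through to the implicit default deny.
# Addresses are constructed for this example, not the poster's real ones.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")            # "DMZ net"
LAN_ALLOWED = [ipaddress.ip_network(h)                      # the two permitted LAN hosts
               for h in ("192.168.1.10/32", "192.168.1.11/32")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def _in(addr, nets):
    return any(addr in n for n in nets)

def evaluate(rules, src, dst):
    """Return the action of the first rule matching (src, dst); default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_nets, dst_nets in rules:
        if _in(s, src_nets) and _in(d, dst_nets):
            return action
    return "block"

# The rule set the thread recommends: pass to the whitelisted LAN hosts,
# block the rest of private address space (the RFC1918 alias), then pass
# everything else, which is what remains of "the internet".
RECOMMENDED = [
    ("pass", [DMZ_NET], LAN_ALLOWED),
    ("block", [DMZ_NET], RFC1918),
    ("pass", [DMZ_NET], ANY),
]

# The original poster's situation: a DMZ-to-any rule with no block ahead of it.
ALLOW_ANY_ONLY = [
    ("pass", [DMZ_NET], LAN_ALLOWED),
    ("pass", [DMZ_NET], ANY),
]

def check(rules):
    """Evaluate the three destinations the thread cares about for one DMZ host."""
    host = "192.168.50.5"  # constructed address of the anti-spam box on the DMZ
    return {
        "allowed_lan_host": evaluate(rules, host, "192.168.1.10"),
        "other_lan_host": evaluate(rules, host, "192.168.1.50"),
        "internet": evaluate(rules, host, "198.51.100.25"),
    }

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("allow-any only", ALLOW_ANY_ONLY)):
        print(name, check(rules))
```

With the block rule in front, the DMZ host still reaches the two whitelisted addresses and the internet but is denied to any other private address; with only the allow-any rule, every LAN host is reachable.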
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.