Netgate Discussion Forum
    Create a Semi-DMZ?

    • JustAnotherUser

      I have a Windows game server that I want to isolate. I don't want a true DMZ because I don't want the Windows box fully exposed to the internet.
</gra_replace>
<gr_replace lines="31" cat="clarify" orig="LAN2 (172.16.1.0)">
      LAN2 (172.16.1.0) - Where my Windows game server is.

      My setup:
      LAN1 (192.168.1.0) - Where all my computers are.
      LAN2 (172.16.1.0) - Where my windows game server is.
      LAN3 (x.x.x.x) - For future expansion.

      I've got the needed port forwarded from WAN to LAN2.

      Is there a way to set up a rule to allow connections initiated from LAN1 to LAN2 and not allow connections initiated from LAN2 to LAN1 (or LAN3)?

      • johnpoz (LAYER 8 Global Moderator)

        Not sure where you got the idea that DMZ means "fully" exposed... But anyhoo.

        On your LAN 2 rules, just put a rule above the any-any rule that blocks access to LAN1, and another rule above that which blocks access to LAN 3.

        Or just create an alias and put in the networks you want to block access to, etc.

        It's real simple: rules are evaluated top down, first rule to trigger wins, no other rules are evaluated. So if you don't want LAN 2 talking to something, put a block rule to that something above your any-any rule that allows access to the internet.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.11 | Lab VMs 2.8.1, 25.11

        • JustAnotherUser

          In the past I've seen DMZs do a 1-to-1 of a server to an IP on the WAN, so it's fully exposed. Probably the wrong way to do a DMZ, but most IT shops are shoddy places.

          As for your reply: AWESOME! It worked beautifully. For some reason I had it in my head that the rule would block response traffic on established connections. Seems to work exactly as I wanted. THANKS!

          • kpa
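          The rule ordering johnpoz describes and the established-connection behaviour JustAnotherUser was unsure about, modelled as an added Python example (not code from the thread or from pfSense itself). It assumes the LAN1/LAN2 networks from the first post; LAN3 is given as x.x.x.x there, so a constructed placeholder subnet and constructed hosts/ports are used.

```python
import ipaddress

# Addressing from the thread; LAN3 is "x.x.x.x" in the post, so a constructed value is used
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("172.16.1.0/24")
LAN3 = ipaddress.ip_network("10.3.0.0/24")  # constructed placeholder
ANY = ipaddress.ip_network("0.0.0.0/0")
BLOCK_FROM_LAN2 = [LAN1, LAN3]  # the alias of networks LAN2 must not reach

# Per-interface rule sets, evaluated top down; the first matching rule wins.
# Each rule is (action, list of destination networks it matches).
RULES = {
    LAN1: [("pass", [ANY])],                 # LAN1 may initiate to anything
    LAN2: [("block", BLOCK_FROM_LAN2),       # sits above the allow-any rule
           ("pass", [ANY])],                 # LAN2 -> internet still works
}

def first_match(rules, dst_ip):
    """Return the action of the first rule whose destination list contains dst_ip."""
    for action, nets in rules:
        if any(dst_ip in net for net in nets):
            return action
    return "block"  # implicit default deny when nothing matches

class StatefulFirewall:
    """Minimal model of pf state tracking: replies to an allowed flow skip the rules."""
    def __init__(self):
        self.states = set()  # (src_ip, dst_ip, sport, dport) of flows that were allowed

    def packet(self, src, dst, sport, dport):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Return traffic of an existing state passes without consulting the rules
        if (dst_ip, src_ip, dport, sport) in self.states:
            return "pass (state)"
        # Otherwise it is a new connection: evaluate the ingress interface's rules
        ingress = next((net for net in RULES if src_ip in net), None)
        action = first_match(RULES[ingress], dst_ip) if ingress else "block"
        if action == "pass":
            self.states.add((src_ip, dst_ip, sport, dport))
        return action

def demo():
    fw = StatefulFirewall()
    return {
        "lan1_to_game": fw.packet("192.168.1.10", "172.16.1.5", 50000, 27015),  # allowed
        "game_reply":   fw.packet("172.16.1.5", "192.168.1.10", 27015, 50000),  # state match
        "lan2_to_lan1": fw.packet("172.16.1.5", "192.168.1.10", 40000, 445),    # blocked
        "lan2_to_lan3": fw.packet("172.16.1.5", "10.3.0.20", 40001, 22),        # blocked
        "lan2_to_wan":  fw.packet("172.16.1.5", "203.0.113.9", 40002, 443),     # allowed
    }
```

The reply from the game server passes only because LAN1 created the state first; the same source and destination as a fresh connection from LAN2 hits the block rule.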

            That kind of DMZ is just a 1:1 mapping of all ports on the WAN to the DMZ host on the LAN. It may be that on your average crappy router there are no proper controls for access and all ports are in fact open if they are open on the DMZ host. This is now pfSense though, it's not a toy and you have all the access control tools of a professional grade firewall/router.

            • johnpoz (LAYER 8 Global Moderator)

              Not sure what IT shops you're talking about? You mean some ma-and-pop 3 person company where the guy that says "hey I know what DNS means" is the "IT" guy ;)

              And he uses the router he picked up at the computer store for $79.. That kind of IT shop ;) Then yeah, ok, the "DMZ" mode of the SOHO routers is what you're talking about..
