DMZ Internet - Restrict LAN Access

McTechSolutions

Hi Guys. Sorry if this post is in the wrong place. Admin feel free to move it.

I am looking for some assistance please. I have been pulling my hair out and not getting very far. So have rebuilt the pfsense box back to factory settings. Let me give you a run down on setup.

latest pfsense running on VMware ESXi 6.7

vyos router
-- 192.168.1.254 - VLAN1
-- 192.168.2.254 - VLAN2
-- 192.168.3.254 - VLAN3
-- 192.168.4.254 - VLAN4

vyos default gateway 192.168.1.253

pfsense

NIC1 = 192.168.1.253 VLAN1
NIC2 = ISP Router
NIC3 = 172.16.16.254 DMZ

Under Interfaces
LAN
WAN
OPT

Under system routing
Gateway 192.168.1.254

Under system routing / static routes

192.168.1.254 via 192.168.1.254
192.168.2.254 via 192.168.1.254
192.168.3.254 via 192.168.1.254
192.168.4.254 via 192.168.1.254

Now I can't get internet access on LAN and OPT1 unless I create and Any Any rule. This also allows the 192.168.x.x to see the 172.16.16.x network and vice versa. My OT1 network is my DMZ.

I am trying to create the following. I am happy for the 192.168.x.x to see devices on the 172.16.16.x network and have unrestricted internet access.

I would like the 172.16.16.x network to not be able to communicate with anything on the 192.168.x.x network and have unrestricted internet access.

Can anyone provide any help on getting this running. I have played around with so many rules and nothing seems to semi work apart from any any

Thanks in advance.