DMZ Internet - Restrict LAN Access



  • Hi Guys. Sorry if this post is in the wrong place. Admin, feel free to move it.

    I am looking for some assistance please. I have been pulling my hair out and not getting very far, so I have rebuilt the pfSense box back to factory settings. Let me give you a rundown on the setup.

    latest pfSense running on VMware ESXi 6.7

    vyos router
    -- 192.168.1.254 - VLAN1
    -- 192.168.2.254 - VLAN2
    -- 192.168.3.254 - VLAN3
    -- 192.168.4.254 - VLAN4

    vyos default gateway 192.168.1.253

    pfSense

    NIC1 = 192.168.1.253 VLAN1
    NIC2 = ISP Router
    NIC3 = 172.16.16.254 DMZ

    Under Interfaces
    LAN
    WAN
    OPT

    Under system routing
    Gateway 192.168.1.254

    Under system routing / static routes

    192.168.1.254 via 192.168.1.254
    192.168.2.254 via 192.168.1.254
    192.168.3.254 via 192.168.1.254
    192.168.4.254 via 192.168.1.254

    Now I can't get internet access on LAN and OPT1 unless I create an Any Any rule. This also allows the 192.168.x.x to see the 172.16.16.x network and vice versa. My OPT1 network is my DMZ.

    I am trying to create the following. I am happy for the 192.168.x.x to see devices on the 172.16.16.x network and have unrestricted internet access.

    I would like the 172.16.16.x network to not be able to communicate with anything on the 192.168.x.x network and have unrestricted internet access.

    Can anyone provide any help on getting this running? I have played around with so many rules and nothing seems to semi-work apart from Any Any.

    Thanks in advance.
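The split the poster is asking for (LAN may initiate to the DMZ and the internet; the DMZ may initiate only to the internet) is a rule-ordering problem, because pfSense evaluates interface rules top-down, first match wins. Below is an added example in pf syntax, not from the original post or from the pfSense project, showing the "any any" rule that leaks DMZ traffic into the LAN next to the corrected set. The interface names, the use of 192.168.0.0/16 to summarize VLAN1-4 behind vyos, and the assumption that pfSense already has working routes to those VLAN subnets are all mine.

```pf
# Added example, not part of the original post. Interface names and the
# /16 summary of the four VLANs are assumptions.
lan_if   = "vmx0"             # NIC1, 192.168.1.253, towards the vyos router
wan_if   = "vmx1"             # NIC2, ISP router
dmz_if   = "vmx2"             # NIC3, 172.16.16.254 (OPT1)
lan_nets = "192.168.0.0/16"   # assumed summary of VLAN1-4 behind vyos
dmz_net  = "172.16.16.0/24"

# --- Weak version: the "Any Any" rule on OPT1. It gets internet working,
# --- but because it matches everything it also lets DMZ hosts reach the LAN.
# pass in quick on $dmz_if inet from $dmz_net to any keep state

# --- Corrected version for OPT1 (the DMZ interface). Rules are first-match,
# --- so the block for the internal range must sit above the pass-to-any rule.

# Let DMZ hosts use DNS/NTP served by the firewall's own DMZ address.
pass in quick on $dmz_if inet proto { tcp udp } from $dmz_net \
    to ($dmz_if) port { 53 123 } keep state

# Drop anything the DMZ tries to initiate towards the internal VLANs.
block in quick on $dmz_if inet from $dmz_net to $lan_nets

# Everything else from the DMZ (i.e. towards the internet) is allowed.
pass in quick on $dmz_if inet from $dmz_net to any keep state

# --- LAN interface: unrestricted, including into the DMZ. Replies to
# --- LAN-initiated connections are matched by state, so the DMZ block
# --- above never sees them; only DMZ-initiated flows are stopped.
pass in quick on $lan_if inet from $lan_nets to any keep state
```

In the pfSense GUI this maps to: on the OPT1 tab, a block rule with source "OPT1 net" and destination 192.168.0.0/16 placed above a pass rule to any; on the LAN tab, a pass rule whose source covers the whole 192.168.0.0/16 range rather than just "LAN net", since traffic from VLAN2-4 arrives on NIC1 via vyos. Two things worth checking if internet still fails after this: that outbound NAT on WAN covers both 172.16.16.0/24 and 192.168.0.0/16, and that the routes to 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 are network routes pointing at 192.168.1.254, so the firewall can actually return packets to those VLANs.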