Netgate Discussion Forum
Pseudo DMZ - rules for split DNS

Firewalling
tech101admin

In reference to this post:
Firewall with WAN-LAN-DMZ Setup

Realizing that with a single public-facing IP a true DMZ isn't possible, I'm basically using port forwards to expose services on hosts hanging off an interface configured with a private RFC-1918 address. This works fine... the resources are accessible externally.

What I'm trying to figure out is a rule base that would allow hosts on my internal LAN, a separate RFC-1918 private address space on a different internal interface, to access the DMZ services using my internal DNS (resolving to the RFC-1918 addresses for the hosts in the DMZ).

My goal is to allow LAN devices to reach the hosts in the pseudo-DMZ subnet if the LAN device initiates the connection. However, I do not want a device in the pseudo-DMZ to be able to initiate a connection to a device in the LAN subnet. This is the challenge I'm trying to overcome. Does the pfSense firewall support such a scenario that allows connectivity in one direction for "established" connections, yet blocks connection attempts in the other direction without an established connection?

Hope I've not made this too confusing.

Thanks in advance.

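Added example, not from the original post and not pfSense's generated ruleset: a hand-written pf ruleset expressing the one-way policy asked about above. Interface names and subnets are assumptions. pf is stateful, so the state entry created by the LAN-side pass rule is what lets the DMZ host's reply packets back through; the DMZ-side block rule only ever sees connections the DMZ host tries to open itself.

```pf
# Assumed interface names and subnets (constructed for this example).
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"    # internal LAN
dmz_net = "192.168.100.0/24"  # pseudo-DMZ hosts behind the port forwards

# Default deny on both internal interfaces (pfSense does this implicitly).
block in log on { $lan_if, $dmz_if }

# LAN -> DMZ, evaluated on the LAN interface as traffic enters the firewall.
# "keep state" (pf's default) records the connection, so the DMZ host's
# replies are matched against the state table rather than any rule below.
pass in quick on $lan_if inet proto { tcp, udp } \
    from $lan_net to $dmz_net keep state
pass in quick on $lan_if inet proto icmp \
    from $lan_net to $dmz_net keep state

# DMZ -> LAN: any packet arriving on the DMZ interface destined for the LAN
# that does not belong to an existing state is a new connection; drop and log it.
block in quick log on $dmz_if from $dmz_net to $lan_net

# DMZ hosts may still reach anything that is not the LAN (e.g. the Internet).
pass in quick on $dmz_if from $dmz_net to ! $lan_net keep state
```

In the pfSense GUI the equivalent is an allow rule on the LAN tab from "LAN net" to the DMZ subnet, plus a block rule on the DMZ tab from "DMZ net" to "LAN net" placed above any broader allow rule, since rules are matched on the interface where traffic enters the firewall. Because the LAN uses internal DNS that already resolves the DMZ names to their RFC-1918 addresses, this traffic is routed directly between the two interfaces and needs no NAT reflection.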
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.