Netgate Discussion Forum
    Access only to the Internet and not to the DMZ. How to do?

darkcorner

      How do I address the rules only on the Internet and not on LAN or DMZ?
      For example, Ping on everything on the Internet and only this.

      • LAN interface
      • Protocol: TCP - ICMP / Echo request
      • From: LAN Net
      • To: Any

      But, in this way I can also PING on what is in the DMZ and I don't want to allow this.
If I use WAN Net, I refer instead to what is between the router and the pfSense WAN NIC.

      I gave the example of PING, but it could be a Web access, FTP, or any other type. I want a PC to be able to do this by going to the Internet, but not to internal servers.

      The only way I can conceive is to make a rule towards everything and immediately after a rule that blocks towards the DMZ, but I would have to duplicate practically everything.

viragomann @darkcorner

        @darkcorner
When you're using IPv4 private networks inside, best practice is to add an RFC 1918 alias as described here: https://docs.netgate.com/pfsense/en/latest/recipes/rfc1918-egress.html

Then edit your pass rule, at destination check "invert", select alias and enter the alias name.
So this rule allows any destination but the networks stated in the alias.

        You may also add a block rule with the alias at the top of your rule set instead.

        However, consider that this still enables access to pfSense public WAN IP. To block that you can add a block with "This firewall" as destination.

dma_pf @darkcorner

          @darkcorner said in Access only to the Internet and not to the DMZ. How to do?:

          But, in this way I can also PING on what is in the DMZ and I don't want to allow this.

You'll need to create a block rule on the LAN like this:

          LAN interface
          Protocol: TCP - ICMP / Echo request
          From: LAN Net
          To: DMZ Net

          Then place it immediately above the allow rule you created.

darkcorner

I'm testing your suggestions tomorrow.
Meanwhile, I'm doing a first global configuration now.

viragomann @dma_pf

              @dma_pf said in Access only to the Internet and not to the DMZ. How to do?:

You'll need to create a block rule on the LAN like this:

              LAN interface
              Protocol: TCP - ICMP / Echo request
              From: LAN Net
              To: DMZ Net

For general blocking, it will be more secure to set the source to "any". I can't see any sense in stating the subnet here at all.

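The two approaches from the replies above, written out as the equivalent pf rules that pfSense builds from its GUI rule set, so the ordering can be read in one place. This is an added example, not from the thread or from pfSense's own code, and it is meant for reading rather than loading on a pfSense box (which manages pf.conf itself). The interface names (lan0), the subnets and the LAN gateway address are assumptions; the RFC 1918 alias is the one from the Netgate recipe linked above. pfSense evaluates rules first-match, which is what `quick` expresses here.

```pf
# Assumed layout (not from the thread):
#   lan0 = LAN 192.168.1.0/24, pfSense LAN address 192.168.1.1
#   DMZ  = 192.168.2.0/24 (reachable through pfSense, no direct rule needed here)
#   wan0 = WAN with a public address that is NOT in the RFC 1918 ranges

# The RFC 1918 alias from the Netgate recipe, as a pf table
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
# "This firewall" in the GUI: every address configured on the box, WAN included
table <this_firewall> { self }

# 1. Services LAN clients need from pfSense itself (DNS here) must be passed
#    BEFORE the block on <this_firewall>, because that table also contains
#    the LAN-side address 192.168.1.1.
pass in quick on lan0 inet proto { tcp, udp } from 192.168.1.0/24 to 192.168.1.1 port 53

# 2. viragomann's caveat: an inverted-alias pass rule still reaches the
#    firewall's public WAN address, so block "This firewall" explicitly.
block in quick on lan0 inet from any to <this_firewall>

# 3. dma_pf's approach, with the source set to "any" as viragomann suggested:
#    an explicit block to DMZ Net placed immediately ABOVE the broad allow.
block in quick on lan0 inet proto icmp from any to 192.168.2.0/24 icmp-type echoreq
pass  in quick on lan0 inet proto icmp from 192.168.1.0/24 to any icmp-type echoreq

# 4. viragomann's approach for the same need, here shown for web access:
#    one pass rule whose destination is the inverted ("!") RFC 1918 alias,
#    so it matches Internet destinations only and nothing private.
pass in quick on lan0 inet proto tcp from 192.168.1.0/24 to ! <rfc1918> port { 80, 443 }

# 5. pfSense's implicit default deny: whatever no rule above passed
#    (for example LAN -> DMZ on port 80) is dropped.
block in on lan0 all
```

Rules 3 and 4 solve the same problem two ways; in practice you would pick one pattern per service. Rule 4 is the one that avoids the duplication the question worries about: a single inverted-alias pass rule covers every internal network at once, and the DMZ stays unreachable because nothing else passes it. When checking a real rule set, confirm the order with Diagnostics > Command Prompt and `pfctl -sr`, since a block placed below its matching pass rule has no effect under first-match evaluation.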
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.