[solved] DMZ via VLAN - would this work?



  • Hi,

    I'd like to get a sounding whether this config would work and get me a poor man's DMZ-ish environment (I have a VLAN-capable "websmart" switch):

    Status quo: WAN <-> pfSense <- LAN/WLAN (bridged) [untagged]

    Target:       WAN <-> pfSense <- LAN/WLAN (bridged) [tagged VLAN ID 1 or untagged?]
                                             <-> DMZ [tagged VLAN ID 11]
                    where LAN/WLAN may see everything,
                             WAN may see DMZ but not LAN/WAN,
                             DMZ may see WAN but not LAN/WAN.

    I would normally create a new interface based on LAN but with VLAN 11 and call/assign that to DMZ. So that I get a new tab "DMZ" for the Firewall rules.

    Then I would create Firewall rules:

    LAN-Tab:     pass * Source:LAN-net * * * * (-> all destinations allowed - stays as is)
    WiFi unchanged (passes / bridged to LAN)
    DMZ-Tab:    block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
                    pass * Source:DMZ-net * * WAN * (-> all packets from DMZ-subnet to WAN allowed - may be ok without Source arg?)
    WAN-Tab:   block [standard RFC1918 and Bogon rules]
                    block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
                    pass [NAT induced firewall rules to open ports on DMZ server] * * * * Dest: DMZ * (-> all NATted packets for DMZ pass)

    Ok, would of course also create a NAT for the ports to be opened on the DMZ server. I don't really want 1:1, just need a couple of ports. But I don't want that server to sit in my LAN and be able to mount LAN resources.

    Questions:

    • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
    • Do I under the DMZ tab actually have to state the Source? Why not just the destination, given that the Firewall works inbound and the tab describes the IF anyway?
    • Does anything else here look clearly bad?

    Forgive me but I'm new to pfSense and would like to understand things better before I change things and then don't understand the effects :-)

    Thanks!
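The rule plan above, modelled as a small first-match evaluator so the intended policy (LAN sees everything, DMZ and WAN never reach LAN, only the forwarded ports reach the DMZ host) can be checked against sample packets. This is an added example, not the poster's configuration or pfSense code; the subnets, the DMZ server address and the forwarded ports are constructed assumptions, and the RFC1918/bogon rule is reduced to one private block.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing for the thread's three segments (assumed, not from the post).
LAN_NET = ip_network("192.168.2.0/24")       # LAN on PVID 2
DMZ_NET = ip_network("192.168.11.0/24")      # DMZ on VLAN 11
DMZ_SERVER = ip_network("192.168.11.10/32")  # the DMZ host behind the port forward
WAN_ADDR = "203.0.113.5"                     # pfSense's public address (documentation range)
FORWARDED_PORTS = {80, 443}                  # "a couple of ports" opened by NAT

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    src: Optional[object] = None      # ip_network, or None for "*"
    dst: Optional[object] = None
    dports: Optional[set] = None      # None for "*"

# The tabs from the post: each tab applies to traffic entering that interface,
# first match wins, and whatever no rule matches falls to the implicit default deny.
TABS = {
    "LAN": [Rule("pass", src=LAN_NET)],
    "DMZ": [Rule("block", dst=LAN_NET), Rule("pass", src=DMZ_NET)],
    "WAN": [Rule("block", src=ip_network("192.168.0.0/16")),  # stand-in for RFC1918/bogon rules
            Rule("block", dst=LAN_NET),
            Rule("pass", dst=DMZ_SERVER, dports=FORWARDED_PORTS)],  # the NAT-induced rule
}

def port_forward(iface, dst, dport):
    """pf translates (rdr) before filtering, so the WAN rule sees the DMZ server, not WAN_ADDR."""
    if iface == "WAN" and dst == WAN_ADDR and dport in FORWARDED_PORTS:
        return str(DMZ_SERVER.network_address)
    return dst

def decide(iface, src, dst, dport):
    """Return 'pass' or 'block' for a packet entering iface; first matching rule wins."""
    s, d = ip_address(src), ip_address(port_forward(iface, dst, dport))
    for r in TABS[iface]:
        if (r.src is None or s in r.src) and (r.dst is None or d in r.dst) \
                and (r.dports is None or dport in r.dports):
            return r.action
    return "block"  # implicit default deny

def policy_matrix():
    """Evaluate the flows the post cares about, plus a non-DMZ source entering the DMZ port."""
    return {
        "lan->dmz": decide("LAN", "192.168.2.20", "192.168.11.10", 22),
        "lan->internet": decide("LAN", "192.168.2.20", "198.51.100.7", 443),
        "dmz->lan": decide("DMZ", "192.168.11.10", "192.168.2.20", 445),
        "dmz->internet": decide("DMZ", "192.168.11.10", "198.51.100.7", 443),
        "wan->dmz:443": decide("WAN", "198.51.100.7", WAN_ADDR, 443),
        "wan->dmz:22": decide("WAN", "198.51.100.7", WAN_ADDR, 22),
        "wan->lan": decide("WAN", "198.51.100.7", "192.168.2.20", 445),
        "dmz-foreign-src": decide("DMZ", "192.168.2.20", "198.51.100.7", 443),
    }
```

The last entry is the "Source" question from the post: with the pass rule restricted to DMZ net, a frame entering the DMZ interface with a non-DMZ source address matches nothing and is dropped, whereas a pass rule with source "*" would let it through.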



  • @ghm:

    Questions:

    • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
    • Do I under the DMZ tab actually have to state the Source? Why not just the destination, given that the Firewall works inbound and the tab describes the IF anyway?
    • Does anything else here look clearly bad?

    solved this using "pfSense - The Definitive Guide". Now I know that one should neither use PVID 1 nor the parent interface of a VLAN. Have LAN on PVID 2 now and DMZ on PVID 11.
    WiFi is unbridged now, even though bridged did not cause visible issues.

    Works :-)

