Netgate Discussion Forum

[solved] DMZ via VLAN - would this work?

Scheduled Pinned Locked Moved Firewalling
2 Posts 1 Posters 5.1k Views
  • ghm
    Nov 8, 2010, 2:43 PM (last edited Nov 22, 2010, 4:52 PM)

    Hi,

    I'd like to get a sounding whether this config would work and get me a poor man's DMZ-ish environment (I have a VLAN-capable "websmart" switch):

    Status quo: WAN <-> pfSense <-> LAN/WLAN (bridged) [untagged]

    Target:     WAN <-> pfSense <-> LAN/WLAN (bridged) [tagged VLAN ID 1 or untagged?]
                                <-> DMZ [tagged VLAN ID 11]
                where LAN/WLAN may see everything,
                      WAN may see DMZ but not LAN/WLAN,
                      DMZ may see WAN but not LAN/WLAN.

    I would normally create a new interface based on LAN but with VLAN 11 and call/assign that to DMZ. So that I get a new tab "DMZ" for the Firewall rules.

    Then I would create Firewall rules:

    LAN-Tab:  pass * Source:LAN-net * * * * (-> all destinations allowed - stays as is)
    WiFi unchanged (passes / bridged to LAN)
    DMZ-Tab:  block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
              pass * Source:DMZ-net * * WAN * (-> all packets from DMZ-subnet to WAN allowed - may be ok without Source arg?)
    WAN-Tab:  block [standard RFC1918 and Bogon rules]
              block * * * * Dest: LAN * (-> all packets for destination LAN blocked)
              pass [NAT induced firewall rules to open ports on DMZ server] * * * * Dest: DMZ * (-> all NATted packets for DMZ pass)

    Ok, I would of course also create a NAT for the ports to be opened on the DMZ server. I don't really want 1:1, just need a couple of ports. But I don't want that server to sit in my LAN and be able to mount LAN resources.

    Questions:

    • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
    • Do I, under the DMZ tab, actually have to state the Source? Why not just the destination, given that the firewall works inbound and the tab describes the IF anyway?
    • Does anything else here look clearly bad?

    Forgive me but I'm new to pfSense and would like to understand things better before I change things and then don't understand the effects :-)

    Thanks!

    • ghm
      Nov 21, 2010, 3:58 PM

      @ghm:

      Questions:

      • Do I actually have to tag LAN or is it good enough to tag DMZ? I think I need to tag LAN as well but am not certain.
      • Do I, under the DMZ tab, actually have to state the Source? Why not just the destination, given that the firewall works inbound and the tab describes the IF anyway?
      • Does anything else here look clearly bad?

      Solved this using "pfSense - The Definitive Guide". Now I know that one should neither use PVID 1 nor the parent interface of a VLAN. Have LAN on PVID 2 now and DMZ on PVID 11.
      WiFi is unbridged now, even though bridged did not cause visible issues.

      Works :-)

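To check the rule set from the first post against the stated policy (and to see what the Source field on the DMZ tab actually buys), here is an added example that is not part of the thread: a small model of pfSense-style per-interface rule evaluation, where each tab's rules apply to traffic entering that interface, the first match wins, and anything unmatched is dropped. The network names and the no-source variant of the DMZ rules are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple

@dataclass
class Rule:
    action: str                # "pass" or "block"
    src: Optional[str] = None  # source net name, None means "any" (*)
    dst: Optional[str] = None  # destination net name, None means "any" (*)

# The poster's proposed tabs, transcribed from the first post (RFC1918/bogon
# and the port-specific NAT rules are abstracted to net-level pass/block).
RULES: Dict[str, List[Rule]] = {
    "LAN": [Rule("pass", src="LAN")],
    "DMZ": [Rule("block", dst="LAN"), Rule("pass", src="DMZ", dst="WAN")],
    "WAN": [Rule("block", dst="LAN"), Rule("pass", dst="DMZ")],
}

# Constructed variant answering the "may be ok without Source arg?" question.
RULES_NO_SRC = dict(RULES, DMZ=[Rule("block", dst="LAN"), Rule("pass", dst="WAN")])

def evaluate(ingress_if: str, src_net: str, dst_net: str,
             rules: Dict[str, List[Rule]] = RULES) -> str:
    """Verdict for a packet entering ingress_if: first matching rule wins,
    otherwise the implicit default deny at the end of every tab applies."""
    for r in rules[ingress_if]:
        if r.src in (None, src_net) and r.dst in (None, dst_net):
            return r.action
    return "block"

# Stated policy: (ingress interface, destination) -> expected verdict.
POLICY: Dict[Tuple[str, str], str] = {
    ("LAN", "WAN"): "pass", ("LAN", "DMZ"): "pass",
    ("WAN", "DMZ"): "pass", ("WAN", "LAN"): "block",
    ("DMZ", "WAN"): "pass", ("DMZ", "LAN"): "block",
}

def violations(rules: Dict[str, List[Rule]] = RULES) -> List[Tuple[str, str]]:
    """Policy entries whose verdict differs from what the rule set yields.
    Normal traffic carries the ingress interface's own net as its source."""
    return [k for k, want in POLICY.items()
            if evaluate(k[0], k[0], k[1], rules) != want]

if __name__ == "__main__":
    print("violations with Source:   ", violations(RULES))
    print("violations without Source:", violations(RULES_NO_SRC))
    # What the Source field adds: a DMZ host sending with a spoofed LAN address.
    print("spoofed LAN src via DMZ, with Source:   ", evaluate("DMZ", "LAN", "WAN"))
    print("spoofed LAN src via DMZ, without Source:", evaluate("DMZ", "LAN", "WAN", RULES_NO_SRC))
```

For well-behaved traffic both variants satisfy the policy, because only DMZ-sourced packets enter through the DMZ interface; the Source restriction only makes a difference for packets arriving on DMZ with an address that does not belong there, which is why pfSense's own default LAN rule is also written with "LAN net" as source.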
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.