Preventing traffic from reaching LAN from DMZ, but not to WAN

  • Dear All,

    I have a simple question. How do I stop HTTP/HTTP/DNS traffic from going from my DMZ to my LAN and other OPT subnets but still allowing it to access the Internet through the WAN (without putting in even more rules to block traffic).

  • Hello!

    If you only have LAN and DMZ then you could do that without adding more rules.
    Just put "Not LAN Net" into destination on your existing rules.

    But if you have LAN, DMZ and more OPT interface you need one block rule for each interface at the top of the list.
    Rule    Proto   Source    Port   Dest      Port   GW   Queue   Sch   Descr
    Block   *         DMZ net *       LAN net *        *      none             Block all traffic to LAN
    Block   *         DMZ net *       OPT net *        *      none             Block all traffic to OPT


  • You can also use aliases to cut them down to one rule in then rules tab.
    (Had to use two posts because of the pictures)

  • Here's what the final rule will look like in the firewall rules.

  • Excellent, thank you both very much.

Log in to reply