Correct way to set up multiple DMZs



  • This problem has been bugging me for a long time now :(

    The problem is when you add a rule to a dmz say:

    ICMP * * * * * none

    And you only want that DMZ network to be able to ping the internet.

    By adding this rule they can ping anything on any other DMZ/LAN too (in this example I use ping but it applies to any rule type)

    I know you can use the destination "not" function, which works if you say "not LAN", but this doesn't seem to work very well using an alias for all other networks.

    The only way I have found is to add a load of block rules at the top of each DMZ, e.g. block LAN, block DMZ2, block DMZ3, but this is a bit messy and a PITA.

    In other firewalls when you create a rule in the destination you can normally use External or something similar so that only traffic going out matches that rule and requests to other internal networks are then blocked by the default rule:

    ICMP * * External * * none

    Is there any way to do something similar in pfSense?

    Thanks :)



  • In 2.0RC you have "Local subnets" as destination which you can easily NOT.
    What problems do you have with aliases? I would assume that an alias "all_here" can be NOTted as easily as what 2.0 gives me out of the box. Haven't tried it, though.



  • That would be perfect except I don't have a "local subnets" option :(

    I am on 2.0-RC3

    If I create an alias for all local subnets, it seems to then block all outgoing traffic, probably because the default gateway would be included for that subnet. It may work if you create a few local-subnet type groups, excluding the one you are on, for each DMZ, but that is also messy :(



  • I've seen and used some devices with this notation, but those devices usually have one thing in common:
    all the rules are in one list; there is no way to have rules by interface like pfSense does. That is a really rude-looking list when you have 50+ rules.



  • That is very true but consider this:

    you have a WAN, LAN, OPT, DMZ, DMZ2

    You need to add a DMZ3

    So you add DMZ3, you add allows for HTTP and HTTPS so it can get out to the net, then you need to add at least 5 block rules to block DMZ3 to LAN, OPT, PPTP, etc.

    You also have to add 3 rules to stop access from DMZ3 to the HTTP/HTTPS/SSH pfSense management interface on DMZ3 (as the HTTP/HTTPS allow rules allow access to it!).

    Then you have to add a rule on each LAN, OPT, DMZ, DMZ2 to block access to DMZ3 so that's another 4 rules.

    So you are having to add 12 rules just to block access, where if this option was available you would not need any :(

    When you start using a few OPT/DMZ/VLANS it becomes a nightmare to make sure everything is blocked correctly :(



  • If you're on 2.0 you can use a floating rule on all interfaces except DMZ3 to drop traffic to the DMZ3 subnet.

    For the internet ping, you could define an alias with all private subnets (priv_nets), 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and define a rule:
    On DMZ3
    From any
    To NOT priv_nets
    Protocol icmp
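    The rule suggested above (DMZ3, any source, destination NOT priv_nets) can be reasoned about with a small first-match evaluator that mimics pfSense's per-interface rule lists and invisible default deny. This is an added illustration, not pfSense code or anything posted in the thread; every address and interface name below is constructed, and it also covers the management-interface case raised earlier in the thread.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 alias as proposed in the thread (constructed address plan otherwise)
PRIV_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical interface addresses: DMZ3 is 10.30.0.0/24 with pfSense at 10.30.0.1,
# LAN is 192.168.1.0/24, and the WAN gateway sits on a private upstream 192.168.0.1.
WAN_GATEWAY = "192.168.0.1"


def in_alias(addr, nets):
    """True when addr falls inside any network of the alias."""
    a = ip_address(addr)
    return any(a in n for n in nets)


# Interface-bound rules, evaluated top-down; "negate" models the destination "not" box.
RULES = [
    {"iface": "DMZ3", "action": "pass", "proto": "icmp", "dst": PRIV_NETS, "negate": True},
    {"iface": "DMZ3", "action": "pass", "proto": "tcp", "dst": PRIV_NETS, "negate": True,
     "dport": {80, 443}},
]


def evaluate(iface, proto, src, dst, dport=None):
    """First matching rule on the ingress interface wins; no match is the default block.

    Matching is purely on the packet's L3/L4 header, so the gateway used to reach
    an external host never enters the decision (the point made later in the thread).
    """
    for r in RULES:
        if r["iface"] != iface or r["proto"] != proto:
            continue
        if "dport" in r and dport not in r["dport"]:
            continue
        hit = in_alias(dst, r["dst"])
        if r["negate"]:
            hit = not hit
        if hit:
            return r["action"]
    return "block"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "192.168.1.10", "10.20.0.7", WAN_GATEWAY):
        print(f"DMZ3 host -> {dst}: {evaluate('DMZ3', 'icmp', '10.30.0.5', dst)}")
```

    The WAN gateway case shows the caveat raised later in the thread: if the upstream gateway itself has a private address, it stops being pingable, while external destinations still pass.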



  • I'm sure I tried creating a priv_nets type group with all local subnets in, but it then blocks all pings even to the WAN, presumably because the gateway of the subnet you are on is included?



  • Floating rules may be an option, i.e. create:

    Block LAN, OPT, DMZ, DMZ2 -> DMZ3
    Block LAN, OPT, DMZ, DMZ3 -> DMZ2
    Block LAN, OPT, DMZ2, DMZ3 -> DMZ
    Block LAN, DMZ, DMZ2, DMZ3 -> OPT
    Block DMZ, OPT, DMZ2, DMZ3 -> LAN

    Something like that?



  • @jp141:

    That would be perfect except I don't have a "local subnets" option :(
    I am on 2.0-RC3

    Well, sorry, I looked it up in a test system running 2.0RC. Actually, this IS an alias I was referring to and not given by the system.

    The alias holds something like:
    10/8 & 192.168/16
    Could you use that? OK, your WAN gateway won't be pingable, but do you need that? Accessing external destinations should work this way.



  • I found in my testing it blocked all traffic. Simple example:

    wan 1.1.1.1
    lan 2.2.2.2
    opt 3.3.3.3

    local_subnets alias: 2.2.2.2, 3.3.3.3

    Rule: allow opt ping to not local_subnets

    I found this blocks all pings even to external :(



  • I don't think it's supposed to work like that, but maybe I'm missing something.
    Haven't used the floating rules myself but what you wrote sounds reasonable. Give it a try!



  • @jp141:

    I'm sure I tried creating a priv_nets type group with all local subnets in, but it then blocks all pings even to the WAN, presumably because the gateway of the subnet you are on is included?

    It's L3 traffic so it shouldn't matter what local IP the gateway is on, unless you're doing a traceroute.

    I just ran a test on my local net. Are you sure you've put a rule in below it to allow pings from any to any, or from DMZ3 to any?




  • If you want to drop the number of those lines, you can also make an allow rule with !internal pings.



  • OK, thanks, I will test it out.

