Controlling outgoing interfaces



  • Hi all,

    I'm trying to set up some rules for my DMZ and am having a bit of trouble getting it to work.

    The pfSense box I'm configuring has 3 interfaces - DMZ, LAN and WAN.  How do I configure a rule so that DMZ hosts can ping the internet, but not ping any host attached to the LAN?

    Please note that my LAN interface has several subnets behind it, so I can't just block LAN subnet.

    Also in a similar vein, how would I go about allowing anyone connected to the LAN interface access to port 80 on the internet (WAN interface), but not port 80 on any hosts connected to the DMZ interface?

    I really appreciate the help everyone, thank you :)



  • Well, most create an alias with all your subnets and set up a rule to block it. You can also set up an alias with all private nets (10.0.0.0/8, 172.16.0.0/16, 192.168.0.0/16) and block that. These block rules go above any allow rules you are using as default. If you want access to some of those resources, then add pass rules above the blocks. Unless you have reflection on, LAN will always try to go to the Internet unless it can route locally.
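The alias-and-ordering approach described in the answer above, as an added example in the pf syntax pfSense generates underneath its GUI (not something posted in this thread); interface names, the DMZ subnet and the internal DNS server address are assumptions:

```pf
# Added example, not from the thread. Interface names, the DMZ subnet and
# the DNS server address below are assumptions for illustration only.
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
dmz_net = "192.0.2.0/24"          # assumed DMZ subnet (documentation range)

# The "private nets" alias: one table covers every LAN subnet, however many
# sit behind the LAN interface, without listing each of them.
table <private_nets> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# pf evaluates rules top-down; "quick" makes the first match final, which is
# the same ordering the pfSense GUI applies to the rules on an interface tab.

# --- DMZ tab: exceptions first, then the block, then the general allow ---
# Exception placed ABOVE the block: let DMZ hosts reach an internal DNS server.
pass  in quick on $dmz_if proto { tcp udp } from $dmz_net to 10.0.0.53 port 53
# Let DMZ hosts talk to the firewall's own DMZ address (gateway, DNS, etc.).
pass  in quick on $dmz_if from $dmz_net to ($dmz_if)
# Block everything else headed for private address space (all LAN subnets).
block in quick on $dmz_if from $dmz_net to <private_nets>
# Anything not matched above (ping to the Internet included) is allowed.
pass  in quick on $dmz_if from $dmz_net to any

# --- LAN tab: deny port 80 into the DMZ, allow port 80 everywhere else ---
block in quick on $lan_if proto tcp from <private_nets> to $dmz_net port 80
pass  in quick on $lan_if proto tcp from <private_nets> to any port 80
```

Putting the pass rules for port 80 or ping first would let those packets match before the block rule is ever reached, which is why the block must sit above the default allow.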



  • That makes sense, thank you for your reply :)

