Basic DMZ Configuration Help
-
Have configured home routers for years, but this is my first experience on PFSense 2.0.3. 3 NICs. WAN and LAN are running fine. I need to open ports for a Videophone. Right now what I need are simple instructions how to open a DMZ on Opt1 at 192.168.4.220. Have searched for hours and can't find the info. Thanks in advance.
-
OPT1 will be just another interface but the LAN interface is the only one that's allowed to talk to everything by default.
You'll need to set up rules on WAN to allow traffic from the outside world to DMZ and rules on DMZ to allow traffic to WAN and LAN.
Hope that helps.
-
If I'm understanding correctly, I'll need to define a rule for the DMZ from the WAN to the Opt and another rule from the Opt address out again. Right?
The major problem here is I can't find an example of what must be extremely simple rules. Running my own experiments on my firewall looks like Russian Roulette.
Anyone with suggestions how to enable a DMZ to a single address on Opt1?
Thanks in advance. -
OK, so here's how I figured it out.
First, I needed to get general Internet access for Opt1 (nothing was getting out). Here's what I found and what worked on that part:
…I thought this was created by default but if not:
If you look at the LAN tab, then the OPT1 tab they should look the same. 1 rule each.Select from the Menu: Firewall -> Rules then click the OPT1 tab. There should be 1 rule, which is the same as the under the LAN tab, except that it is named OPT1.
* OPT1 net * * * * none Default allow OPT1 to Any ruleIf not add it by clicking the little '+' sign in the small grey button to the right and it will open a rule form, 'e' to edit.
Select the following:
Interface: 'OPT1'
Protocol: 'Any'
Source: 'OPT1 subnet'
Destination: 'Any'
Description: 'Default allow OPT1 to Any rule' This will allow everything outbound.If there is a rule pointing to LAN you may want to remove this, or modify it to allow only the traffic to access particular services.
Pasted from <http: forum.pfsense.org="" index.php?topic="47519.0">Next, I needed to, in effect, have a videophone sitting on a address specific DMZ. Here's what worked:
Go to Firewall/ NAT
Choose the Make New Rule Icon (grey box with the +) on the right side.
Select:
No RDRInterface WAN
Protocol TCP/UDP
Destination WAN
(This isn't where it's going to, but where the outside world thinks it came from- the WAN side of your router.)Destination Port Range
This can be precise or as large as you need it. In effect you can make it a DMZ.Redirect target IP
THIS is where your device is located on your network. It's what is making the request and needing the info.Redirect target port
Put the single port number- if it's a range of numbers, just put down the first and it internally adds the rest.Description
Good thing to add here. A month from now you'll likely forget what it was about.This probably has a dollop or two of kludge in it, but it does work. Corrections or improvements altogether welcome.
Paul</http:>
-
That works. In most cases you don't want systems in your DMZ to have general access to LAN (LAN is typically required to be better secured). So on OPT1 you would put a block rule at the top of the list, blocking source OPT1, destination LAN - or something similar. Then if a system in your DMZ is compromised from outside, the attacker can't use it to try and hop further in to your LAN. You might also want to block OPT1net to OPT1address to prevent access to the pfSense webGUI from a DMZ system.
Also, you probably don't need all DMZ machines to get out to anywhere on the net, usually DMZ systems are providing services to things that connect in from WAN - up to you - but you can make the pass rule on OPT1 more restrictive, or even not have it at all. -
I'm having a related but nearly opposite issue. I've got a LAN and a DMZ interface, one assigned 172.16.0.1 the other 192.168.0.1, with rules in place on LAN to block all traffic from DMZ, but traffic is still passing freely between computers on the two network. I'm not understanding why it's automatically being routed.
-
You need to specify the rule on the incoming interface (assuming you're not using floating rules); i.e., if you want to filter traffic from DMZ to LAN, that rule would have to be on the DMZ interface, not on the LAN interface.