Netgate Discussion Forum

    Basic DMZ Configuration Help

    Firewalling
    7 Posts 5 Posters 2.5k Views
      Paul Wiebelhaus

      Have configured home routers for years, but this is my first experience on PFSense 2.0.3. 3 NICs. WAN and LAN are running fine. I need to open ports for a Videophone. Right now what I need are simple instructions how to open a DMZ on Opt1 at 192.168.4.220. Have searched for hours and can't find the info. Thanks in advance.

        biggsy

        OPT1 will be just another interface but the LAN interface is the only one that's allowed to talk to everything by default.

        You'll need to set up rules on WAN to allow traffic from the outside world to DMZ and rules on DMZ to allow traffic to WAN and LAN.

        Hope that helps.

          Paul Wiebelhaus

          If I'm understanding correctly, I'll need to define a rule for the DMZ from the WAN to the Opt and another rule from the Opt address out again. Right?

          The major problem here is I can't find an example of what must be extremely simple rules. Running my own experiments on my firewall looks like Russian Roulette.

          Anyone with suggestions how to enable a DMZ to a single address on Opt1?
          Thanks in advance.

            Paul Wiebelhaus

            OK, so here's how I figured it out.

            First, I needed to get general Internet access for Opt1 (nothing was getting out). Here's what I found and what worked on that part:

            …I thought this was created by default but if not:
            If you look at the LAN tab, then the OPT1 tab they should look the same. 1 rule each.

            Select from the Menu: Firewall -> Rules then click the OPT1 tab. There should be 1 rule, which is the same as the one under the LAN tab, except that it is named OPT1.
               *    OPT1 net    *    *    *    *    none         Default allow OPT1 to Any rule

            If not add it by clicking the little '+' sign in the small grey button to the right and it will open a rule form, 'e' to edit. 
            Select the following:
            Interface: 'OPT1'
            Protocol: 'Any'
            Source: 'OPT1 subnet' 
            Destination: 'Any'
            Description: 'Default allow OPT1 to Any rule' This will allow everything outbound.

            If there is a rule pointing to LAN you may want to remove this, or modify it to allow only the traffic to access particular services.

            Pasted from http://forum.pfsense.org/index.php?topic=47519.0

            Next, I needed to, in effect, have a videophone sitting on an address-specific DMZ. Here's what worked:

            Go to Firewall/ NAT
            Choose the Make New Rule Icon (grey box with the +) on the right side.
            Select:
            No RDR

            Interface WAN

            Protocol TCP/UDP

            Destination WAN
            (This isn't where it's going to, but where the outside world thinks it came from: the WAN side of your router.)

            Destination Port Range
            This can be precise or as large as you need it. In effect you can make it a DMZ.

            Redirect target IP
            THIS is where your device is located on your network. It's what is making the request and needing the info.

            Redirect target port
            Put the single port number; if it's a range of numbers, just put down the first and it internally adds the rest.

            Description
            Good thing to add here. A month from now you'll likely forget what it was about.

            This probably has a dollop or two of kludge in it, but it does work. Corrections or improvements altogether welcome.

            Paul

              phil.davis

              That works. In most cases you don't want systems in your DMZ to have general access to LAN (LAN is typically required to be better secured). So on OPT1 you would put a block rule at the top of the list, blocking source OPT1, destination LAN - or something similar. Then if a system in your DMZ is compromised from outside, the attacker can't use it to try and hop further into your LAN. You might also want to block OPT1 net to OPT1 address to prevent access to the pfSense webGUI from a DMZ system.
              Also, you probably don't need all DMZ machines to get out to anywhere on the net; usually DMZ systems are providing services to things that connect in from WAN - up to you - but you can make the pass rule on OPT1 more restrictive, or even not have it at all.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                dillbilly

                I'm having a related but nearly opposite issue. I've got a LAN and a DMZ interface, one assigned 172.16.0.1, the other 192.168.0.1, with rules in place on LAN to block all traffic from DMZ, but traffic is still passing freely between computers on the two networks. I'm not understanding why it's automatically being routed.

                  razzfazz

                  You need to specify the rule on the incoming interface (assuming you're not using floating rules); i.e., if you want to filter traffic from DMZ to LAN, that rule would have to be on the DMZ interface, not on the LAN interface.

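The three points made in this thread (razzfazz: a filter rule only sees packets entering on its own interface; phil.davis: the DMZ-to-LAN and DMZ-to-webGUI blocks must sit above the allow-any rule; Paul: a port forward translates the destination before the WAN rule is matched) can be checked with a small model of pfSense's first-match, per-interface rule evaluation. This is an added illustration, not code from pfSense or from anyone in the thread; the /24 masks, host addresses and the 203.0.113.10 WAN address are constructed, and ports are left out of the model.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Rule:
    iface: str    # tab the rule lives on = interface the packet ENTERS on
    action: str   # "pass" or "block"
    src: str      # CIDR the source must be inside
    dst: str      # CIDR the destination must be inside

@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str

def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)

def evaluate(rules, pkt, rdr=None):
    """pfSense filter rules are first-match ('quick') and only the rules on the
    ingress interface are consulted; no match means default deny. rdr maps
    (iface, original dst) -> translated dst and is applied before filtering,
    as pf does for a port forward, so the WAN rule must name the internal host."""
    if rdr and (pkt.in_iface, pkt.dst) in rdr:
        pkt = replace(pkt, dst=rdr[(pkt.in_iface, pkt.dst)])
    for r in rules:
        if r.iface == pkt.in_iface and in_net(pkt.src, r.src) and in_net(pkt.dst, r.dst):
            return r.action
    return "block"

ANY = "0.0.0.0/0"
LAN_NET, DMZ_NET = "172.16.0.0/24", "192.168.0.0/24"   # dillbilly's networks, /24 assumed
DMZ_HOST, LAN_HOST = "192.168.0.50", "172.16.0.20"     # constructed hosts
dmz_to_lan = Packet("DMZ", DMZ_HOST, LAN_HOST)

# dillbilly's layout: block on the LAN tab, DMZ keeps its default allow-any -> still passes
wrong = [Rule("LAN", "block", DMZ_NET, ANY), Rule("LAN", "pass", LAN_NET, ANY),
         Rule("DMZ", "pass", DMZ_NET, ANY)]
# razzfazz / phil.davis: blocks on the DMZ tab, ABOVE the allow-any
right = [Rule("LAN", "pass", LAN_NET, ANY),
         Rule("DMZ", "block", DMZ_NET, "192.168.0.1/32"),  # DMZ net -> DMZ address (webGUI)
         Rule("DMZ", "block", DMZ_NET, LAN_NET),
         Rule("DMZ", "pass", DMZ_NET, ANY)]
# same DMZ rules with the allow-any first: the block never gets a chance
misordered = [Rule("DMZ", "pass", DMZ_NET, ANY), Rule("DMZ", "block", DMZ_NET, LAN_NET)]
# Paul's port forward: WAN address (constructed) -> videophone 192.168.4.220
forward = {("WAN", "203.0.113.10"): "192.168.4.220"}
wan_rules = [Rule("WAN", "pass", ANY, "192.168.4.220/32")]   # the associated filter rule
from_internet = Packet("WAN", "198.51.100.7", "203.0.113.10")
```

Running `evaluate(wrong, dmz_to_lan)` returns "pass" while `evaluate(right, dmz_to_lan)` returns "block", which is exactly the difference dillbilly is seeing.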
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.