WAN and DMZ



  • Just a Question

    When you have a WAN and a BRIDGE to DMZ, where do you put your firewall rules? In WAN or in DMZ? Both? Or does it not matter because of the Bridge?


  • Rebel Alliance Developer Netgate

    With the default settings, you put the rules on the interface the traffic enters. So traffic from DMZ to the WAN would be filtered by the rules on the DMZ tab. Traffic from WAN to DMZ would be filtered by rules on the WAN tab.

    You can change the bridge filtering settings so that it filters on the actual bridge interface itself if you have it assigned, or both, or neither.
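
    As an added illustration (not part of the original thread or of pfSense's generated ruleset), this is what the default bridge filtering setting described above looks like at the FreeBSD/pf level, together with a minimal ruleset written against the member interfaces. The interface names (em0 for WAN, em1 for DMZ, bridge0), the DMZ subnet and the DMZ host address are assumptions for the example.

```pf
# Bridge filtering mode. In pfSense these are exposed under
# System > Advanced > System Tunables; shown here as sysctl values,
# which are not pf.conf syntax.
#   net.link.bridge.pfil_member=1   -> rules apply on the members (em0, em1)  [pfSense default]
#   net.link.bridge.pfil_bridge=0   -> rules do NOT apply on bridge0          [pfSense default]
# pfil_member=0 / pfil_bridge=1 filters only on the assigned bridge interface;
# 1 / 1 filters on both; 0 / 0 filters on neither.

# Assumed names and addresses for the example (RFC 5737 documentation range).
wan_if  = "em0"
dmz_if  = "em1"
dmz_net = "203.0.113.0/24"
dmz_web = "203.0.113.10"

# DMZ -> WAN: the packet enters the firewall on the DMZ interface,
# so with member filtering it is matched by the rules on the DMZ tab.
pass in quick on $dmz_if inet proto udp from $dmz_net to 8.8.8.8 port 53 keep state
pass in quick on $dmz_if inet proto tcp from $dmz_net to any port { 80 443 } flags S/SA keep state
block in log on $dmz_if

# WAN -> DMZ: the packet enters on the WAN interface, so it is matched on WAN.
pass in quick on $wan_if inet proto tcp from any to $dmz_web port 443 flags S/SA keep state
block in log on $wan_if
```

    The reply from 8.8.8.8 arrives on the WAN interface, but it is not evaluated against the WAN rules: it matches the state entry created by the DMZ rule, which is why no corresponding WAN rule is needed. With member filtering, rules written "on bridge0" would never match anything; switch the two tunables if you want to filter on the bridge interface instead.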



  • @jimp:

    With the default settings, you put the rules on the interface the traffic enters. So traffic from DMZ to the WAN would be filtered by the rules on the DMZ tab. Traffic from WAN to DMZ would be filtered by rules on the WAN tab.

    My apologies Jimp for probably sounding most stupid, but given what I made bold, shouldn't it be the other way around? (I admit, I am still struggling with it). It enters the WAN, so it should be filtered by rules on WAN, not on DMZ, no?

    (I feel so stupid  :-[)


  • Rebel Alliance Developer Netgate

    Traffic from the DMZ to the WAN enters the DMZ interface, so it is filtered by the rules on the DMZ interface.

    We're both saying the same thing, I don't see the conflict.



  • @jimp:

    Traffic from the DMZ to the WAN enters the DMZ interface, so it is filtered by the rules on the DMZ interface.
    We're both saying the same thing, I don't see the conflict.

    I don't want a conflict with you  ;D

    But the bold: I know I don't understand this, but if it goes from DMZ to WAN then it leaves DMZ and enters WAN, no? (I know it has to be 'no' since you write it, but my limited brain doesn't understand it. To me it spells like just the other way around).

    Thank you  ;D


  • Rebel Alliance Developer Netgate

    No, it enters DMZ and leaves WAN.

    Imagine a host on the DMZ trying to reach Google public DNS. DMZ is x.x.x.x, remote IP is 8.8.8.8

    Packet leaves x.x.x.x, enters the firewall's DMZ interface, leaves the WAN interface going to the default gateway for the bridge subnet, and then on to 8.8.8.8.

    So traffic coming from the DMZ enters the DMZ interface on the firewall.

    Logically you're a bit off. Traffic "leaving the DMZ" does not exit the DMZ interface, it enters the DMZ interface and leaves another. Imagine yourself sitting inside of the firewall. Traffic coming from the DMZ comes at you from the DMZ interface.


  • LAYER 8 Netgate

    From an interface's perspective:

    enter == receive
    leave == transmit

