Just need a few pointers with DMZ interface, everything else is working!



  • Hello, first-time poster and installer and I’m dying here…

    (the struggle…) All I want to do is have interface re0 connect to one device, not share traffic with anyone else. (Well, DMZ it, right?) I have tried configuring this but apparently it doesn’t jive with the rest of the setup? Here’s what I have done.

    I have 3 of 4 interfaces working as planned.

    em0 : 1 WAN w/ DHCP connected to modem

    em1 : 1 LAN w/ static IP (DHCP from WAN I believe)

    em2 : connected to a router in access point mode (bridged to LAN)

    re0 : the culprit, currently unassigned, does nothing.  :'(

    I tried these steps here, and here, with no joy, and I am unsure of why this is:

    http://www.digitalphotomac.com/PFsense/DMZ/

    http://pfsensesetup.com/pfsense-setup-part-four-setting-up-a-dmz/#comments

    After that, I tried random bits of instruction, none of which worked…

    Currently I can plug the device I want DMZ’d into a leftover port of the WiFi AP router (which is bridged to the LAN and it works like a charm) but I really would like to use the empty em0 port on the pfSense box to put it into its own DMZ with full access to the WAN internet and nothing else.

    Is there an easy way to accomplish this? Many Thanks!


  • Netgate Administrator

    Ok so you don't need a separate public IP on the DMZ machine? Are you running services on it that need to be internet accessible? 1:1 NAT or anything like that?

    If you just want to set it up as a separate subnet that has access to the internet but not the LAN it's quite easy.

    Assign and enable re0, it will probably appear as OPT1. Rename it DMZ or whatever if you wish.
    Configure it with type 'static' with a new subnet, 192.168.10.1/24 for example.
    Enable a DHCP server instance on the new interface.
    Now add appropriate firewall rules. So you might want a block rule at the top that blocks any traffic with source 'DMZ net' and destination 'LAN net'. Then below that an allow all rule to give access to the internet.
    That would still be a very permissive rule set so you might want either more or better refined rules.

    Steve
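    As an added illustration (not part of the thread or of pfSense itself) of why the block rule has to sit above the allow-all rule, and of what that allow-all still permits, here is a small first-match evaluator that models the DMZ rule set described above. It assumes the LAN is 192.168.1.0/24 and the DMZ is the 192.168.10.0/24 subnet from the example; all addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for this thread's setup (assumed, not stated in the post):
# LAN on em1 = 192.168.1.0/24, DMZ on re0 = 192.168.10.0/24 with the firewall at .1.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.10.0/24")
FW_DMZ_ADDR = ip_address("192.168.10.1")   # the firewall's own address on re0

# pfSense evaluates the rules on an interface tab top-down; the first match wins.
# Each rule: (action, source network, destination network); None means "any".
DMZ_RULES = [
    ("block", DMZ_NET, LAN_NET),   # block rule at the top: 'DMZ net' -> 'LAN net'
    ("pass",  DMZ_NET, None),      # allow-all rule below it, for internet access
]

def evaluate(rules, src, dst):
    """Return the action of the first matching rule, else 'block' (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src_net is not None and src not in src_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        return action
    return "block"

def dmz_policy_check(rules=DMZ_RULES):
    """Exercise the rule set with the traffic a practitioner would want to verify."""
    dmz_host = "192.168.10.50"
    return {
        "dmz_to_lan_host":    evaluate(rules, dmz_host, "192.168.1.20"),
        "dmz_to_lan_gateway": evaluate(rules, dmz_host, "192.168.1.1"),
        "dmz_to_internet":    evaluate(rules, dmz_host, "203.0.113.10"),  # TEST-NET-3
        # The firewall's DMZ-side address is not in 'LAN net', so the allow-all
        # rule still lets DMZ hosts reach the firewall itself (e.g. its web GUI).
        "dmz_to_fw_dmz_addr": evaluate(rules, dmz_host, str(FW_DMZ_ADDR)),
    }

def reversed_order_check():
    """Same rules with allow-all on top: the block rule is never reached."""
    return evaluate(list(reversed(DMZ_RULES)), "192.168.10.50", "192.168.1.20")

if __name__ == "__main__":
    for name, verdict in dmz_policy_check().items():
        print(f"{name:20s} {verdict}")
    print("allow-all above block, DMZ->LAN:", reversed_order_check())
```

The last result is the "more refined rules" point: a block rule for traffic to the firewall's DMZ address (or a 'This Firewall' destination in newer pfSense versions) is a common addition.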



  • @stephenw10:

    Ok so you don't need a separate public IP on the DMZ machine? Are you running services on it that need to be internet accessible? 1:1 NAT or anything like that?

    If you just want to set it up as a separate subnet that has access to the internet but not the LAN it's quite easy.

    Assign and enable re0, it will probably appear as OPT1. Rename it DMZ or whatever if you wish.
    Configure it with type 'static' with a new subnet, 192.168.10.1/24 for example.
    Enable a DHCP server instance on the new interface.
    Now add appropriate firewall rules. So you might want a block rule at the top that blocks any traffic with source 'DMZ net' and destination 'LAN net'. Then below that an allow all rule to give access to the internet.
    That would still be a very permissive rule set so you might want either more or better refined rules.

    Steve

    Thanks for your detailed response Steve, I will try this and report back.

    Before, I used those same rules but configured as static, and without adding it to DHCP since it was only one IP that would use the whole interface, but I just want something that works. I will try this as soon as I can.

    I was poking at the DHCP server tab and wondering, for the new DHCP interface, should I set a different range than what I have set for the LAN or can they be the same? Also, should the new interface be set as static on the main page, with no gateway listed, and then set in the range of DHCP? Just checking. Thanks so much again.


  • Netgate Administrator

    You can use static addressing if you want. If you have only one DMZ client then that might be easier.

    If you use DHCP the DHCP server range has to be within the subnet that it's running on, which will be different to LAN.

    Yes, set the new interface as static in the main interface config page (Interfaces: DMZ) and do not set a gateway there.

    Steve



  • Thank you Stephen! I am not sure what I did differently, but I was able to easily configure what I needed with your instructions, first with DHCP and then with static. You are a lifesaver.