Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DMZ can't get out to wan

    Scheduled Pinned Locked Moved
    Firewalling
    3
    6
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • 4
      4evernoob
      last edited by

      Odd.

      This does not work:
      ID  Proto    Source    Port Destination Port Gateway Queue Schedule Description
            IPv4 *  DMZ net  *    WAN net    *    *          none

      This does:
      ID  Proto    Source    Port Destination Port Gateway Queue Schedule Description
            IPv4 *  DMZ net  *        *              *    *          none

      OPT1 = DMZ
      Outbound NAT set to auto.
      No gateway set on DMZ
      WAN = pppoe

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        The first rule will only allow traffic to addresses on WAN net, not anything beyond (ie out on the internet).

        The second rule allows traffic to *, so it's handed to the routing table and sent off to its destination via the default gateway.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • 4
          4evernoob
          last edited by

          So I was thinking that the * would allow access to everything as in LAN and firewall itself. Is that not the case?

          1 Reply Last reply Reply Quote 0
          • V
            vindenesen
            last edited by

            @4evernoob:

            So I was thinking that the * would allow access to everything as in LAN and firewall itself. Is that not the case?

            • on destination gives access to everything, as in all local and remote networks. In your case, it will give access to all addresses on LAN, WAN and even management ports on your firewall (which you probably shouldn't do).

            If you want the DMZ-network to get access to WAN, and only that, you can use this method:

            • Create an alias containing all your local networks, call it something like "Local_networks". This alias will then include your LAN and DMZ-network. In addition, you should add your WAN IP address also.

            • Create a rule on the DMZ interface, set destination to "not Local_networks"

            Support the project by buying a Gold Subscription at https://portal.pfsense.org
            Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              Here's how I do my guest Wi-Fi.

              ![Screen Shot 2014-08-02 at 11.05.54 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-02 at 11.05.54 AM.png)
              ![Screen Shot 2014-08-02 at 11.05.54 AM.png_thumb](/public/imported_attachments/1/Screen Shot 2014-08-02 at 11.05.54 AM.png_thumb)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • 4
                4evernoob
                last edited by

                Oh I see, thanks guys.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.