Firewall Rules for DMZ Trouble

  • Hi,

    I'm trying to set up a DMZ on my virtualized instance of pfSense so that I can access a tt-rss instance remotely. I've followed the guide for setting up the DMZ here https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5#Adding_a_DMZ. My network and firewall rules are as follows:

    LAN: 192.168.1.x /24
    DMZ: 192.168.2.x/24

    I can ping both interfaces from my LAN, but I can ping only the DMZ interface from behind the DMZ. However, I cannot ping (or ssh) any host behind the DMZ from a LAN host. I've tried using an allow-all rule into the DMZ, but this hasn't worked either. Ideally I just want ssh access into this DMZ host from the LAN side. The only rule I have on the DMZ interface is to allow traffic from the DMZ to everywhere but LAN net so that the DMZ hosts can get internet access. It is my understanding that the default allow-all rule on the LAN side should allow access into the DMZ. Any ideas on what I have configured wrong?

    Thanks

  • Your LAN rules have gateways specified - that forces ALL traffic into the specified gateway/s (policy routing).
    If you have just a single WAN, then do not specify the gateway in those LAN rules - pfSense is smart enough to send IPv4 traffic through the IPv4 gateway and IPv6 traffic through the IPv6 gateway without you telling it ;)

    If you have/had multiple WANs and need to do load-balancing/failover of WANs, then you first put an ordinary pass rule, source LAN net, destination DMZ net, to pass the traffic from LAN to DMZ without forcing it to any gateway. Then you put your policy-routing rules with specific gateway/s.
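To make the effect of a gateway on a LAN rule concrete, here is an added example (not from the thread and not pfSense code) that models first-match rule evaluation with policy routing, using the LAN and DMZ subnets from the question; the gateway name WAN_GW and the sample host addresses are assumed.

```python
import ipaddress

# Constructed model of pfSense LAN-interface rule evaluation: first match
# wins. A rule with a gateway set is policy routing, so the matched packet
# is handed to that gateway regardless of the routing table.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")   # from the thread
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")   # from the thread
WAN_GW = "WAN_GW"  # assumed name for the single WAN gateway

def pass_rule(src, dst, gateway=None):
    """src/dst: an ip_network or 'any'; gateway: None or a gateway name."""
    return {"src": src, "dst": dst, "gateway": gateway}

def _in(net, addr):
    return net == "any" or addr in net

def next_hop(rules, src_ip, dst_ip):
    """Where the first matching pass rule sends the packet, or 'blocked'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _in(r["src"], src) and _in(r["dst"], dst):
            if r["gateway"] is not None:
                return r["gateway"]  # forced, even for a directly connected DMZ
            # No gateway on the rule: ordinary routing-table lookup.
            return "DMZ" if dst in DMZ_NET else "default-route"
    return "blocked"

# What the question describes: an allow-all LAN rule with a gateway set.
BROKEN = [pass_rule(LAN_NET, "any", gateway=WAN_GW)]

# Single WAN: simply drop the gateway from the LAN rule.
SINGLE_WAN_FIX = [pass_rule(LAN_NET, "any")]

# Multi-WAN: plain LAN net -> DMZ net pass rule above the policy-routing rule.
MULTI_WAN_FIX = [pass_rule(LAN_NET, DMZ_NET),
                 pass_rule(LAN_NET, "any", gateway=WAN_GW)]

if __name__ == "__main__":
    # Constructed hosts: a LAN client, the DMZ ssh host, an Internet address.
    for name, rules in [("broken", BROKEN), ("single-wan", SINGLE_WAN_FIX),
                        ("multi-wan", MULTI_WAN_FIX)]:
        print(name, "LAN->DMZ:", next_hop(rules, "192.168.1.10", "192.168.2.20"))
        print(name, "LAN->Internet:", next_hop(rules, "192.168.1.10", "203.0.113.5"))
```

With the broken rule set the ssh packet destined for the DMZ host is sent to the WAN gateway instead of the DMZ interface, which is the symptom described in the question.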
