Netgate Discussion Forum
    Firewall Rules for DMZ Trouble

      fbearoff:

      Hi,

      I'm trying to set up a DMZ on my virtualized instance of pfSense so that I can access a tt-rss instance remotely. I've followed the guide for setting up the DMZ here https://doc.pfsense.org/index.php/PfSense_2_on_VMware_ESXi_5#Adding_a_DMZ. My network and firewall rules are as follows:

      LAN: 192.168.1.x/24
      DMZ: 192.168.2.x/24

      I can ping both interfaces from my LAN but I can ping only the DMZ interface from behind the DMZ. However, I cannot ping (or ssh) any host behind the DMZ from a LAN host. I've tried using an allow-all rule into the DMZ but this hasn't worked either. Ideally I just want ssh access into this DMZ host from the LAN side. The only rule I have on the DMZ interface is to allow traffic from the DMZ to everywhere but LAN net so that the DMZ hosts can get internet access. It is my understanding that the default allow-all rule on the LAN side should allow access into the DMZ. Any ideas on what I have configured wrong?

      Thanks

        phil.davis:

        Your LAN rules have gateways specified - that forces ALL traffic into the specified gateway/s (policy routing).
        If you have just a single WAN, then do not specify the gateway in those LAN rules - pfSense is smart enough to send IPv4 traffic through the IPv4 gateway and IPv6 traffic through the IPv6 gateway without you telling it ;)

        If you have/had multiple WANs and need to do load-balancing/failover of WANs, then you first put an ordinary pass rule, source LAN net, destination DMZ net, to pass the traffic from LAN to DMZ without forcing it to any gateway. Then you put your policy-routing rules with specific gateway/s.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

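A small first-match model of the rule ordering the answer describes, added here as an example (not pfSense code and not from either poster). It assumes a single WAN gateway named WAN_GW and simplifies pfSense evaluation to "first matching rule wins; a gateway set on that rule forces the next hop", which is enough to show why the LAN-to-DMZ traffic went the wrong way and why a plain pass rule placed first fixes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "pass" or "block"
    src: str                        # source network, CIDR
    dst: str                        # destination network, CIDR ("0.0.0.0/0" = any)
    gateway: Optional[str] = None   # set => policy routing to this gateway

# Networks from the question; gateway name is an assumption for the model.
LAN_NET = "192.168.1.0/24"
DMZ_NET = "192.168.2.0/24"
ANY = "0.0.0.0/0"

def evaluate(rules, src_ip, dst_ip):
    """Return (action, next_hop). next_hop is the forced gateway when the
    matching rule carries one, otherwise 'routing-table' (normal forwarding,
    which reaches a directly connected network such as the DMZ)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst):
            if r.action != "pass":
                return ("block", None)
            return ("pass", r.gateway or "routing-table")
    return ("block", None)          # implicit default deny at the end

def next_hop(rules, src_ip, dst_ip):
    return evaluate(rules, src_ip, dst_ip)[1]

# As in the question: the LAN "allow all" rule has a gateway selected, so even
# DMZ-bound packets are pushed out through WAN_GW and never reach the DMZ.
BROKEN_LAN_RULES = [Rule("pass", LAN_NET, ANY, gateway="WAN_GW")]

# As recommended: an ordinary pass rule LAN net -> DMZ net sits first, with no
# gateway, and the policy-routing rule follows it for everything else.
FIXED_LAN_RULES = [
    Rule("pass", LAN_NET, DMZ_NET),
    Rule("pass", LAN_NET, ANY, gateway="WAN_GW"),
]

if __name__ == "__main__":
    # 203.0.113.5 is a constructed Internet address from the documentation range.
    for name, rules in (("broken", BROKEN_LAN_RULES), ("fixed", FIXED_LAN_RULES)):
        print(name, "LAN->DMZ  :", next_hop(rules, "192.168.1.10", "192.168.2.20"))
        print(name, "LAN->Inet :", next_hop(rules, "192.168.1.10", "203.0.113.5"))
```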