Do I need a DMZ? A VLAN? (only 2 physical interfaces)



  • Hi, I have a computer running pfSense firewall only, with 2 physical Ethernet interfaces (1 LAN, 1 WAN).

    Every LAN computer behind the firewall transparently accesses the internet via OpenVPN.
    An OpenVPN client is configured in pfSense to access a VPN server service transparently.
    (If the VPN service goes down, I even have a pfSense rule which automatically disables Internet access from the LAN).
    Everything works fine.

    Now the problem:
    I have a new computer which needs to access the internet directly (without OpenVPN) from behind the firewall.
    Of course, I don't want to turn off OpenVPN which is used by the LAN computers behind the firewall.

    How should I proceed?
    Do I need to create a DMZ and put this new computer in it?
    Do I need a VLAN? (I remind you that I only have 2 physical Ethernet interfaces)

    Moreover, if the VPN service for the LAN computers goes down, I don't want this new computer to lose access to the internet too.

    I would be grateful if someone could give me the step by step procedure to follow.

    Thank you & Happy New Year!



  • Give that special computer a static-mapped DHCP address, so it always gets the same IP in LAN - "special LAN IP".
    Put a rule at the top of LAN that says source "special LAN IP", destination !LANnet, gateway WAN_GW
    That should direct traffic from that special IP to WAN, and all the rest can continue to follow the rules you have lower down for directing stuff to OpenVPN…



  • @phil.davis:

    Give that special computer a static-mapped DHCP address, so it always gets the same IP in LAN - "special LAN IP".

    Ok, I have given this special computer a static IP address.
    Can I put this new computer in the same LAN as the others?
    @phil.davis:

    Put a rule at the top of LAN that says source "special LAN IP", destination !LANnet, gateway WAN_GW

    Ok, so you mean "Firewall, Rules, LAN" and then I create a rule for this special computer's IP before the other LAN computers' rules, right?
    If yes, what do you mean by "!LANnet". Is it a special net I have to create? If yes, where in the menus?
    And "gateway WAN_GW"? Should I create a Gateway somewhere in the menus?
    Thank you Phil!



  • Yes, the computer stays in the ordinary LAN with the others - it just has a fixed known IP that makes it easy to match in a rule.

    create a rule for this special computer's IP before the other LAN computers' rules

    Yes

    If yes, what do you mean by "!LANnet". Is it a special net I have to create? If yes, where in the menus?

    I mean, in the rule destination select LANnet from the dropdown list, and check the "not" checkbox.
    You do not want traffic from "special LAN IP" that is going to the pfSense LAN itself to be forced out WAN_GW

    And "gateway WAN_GW"? Should I create a Gateway somewhere in the menus?

    In the advanced section of rule definition there is a "Gateway" row - open that up and pick WAN_GW. That will force the matching traffic out WAN.
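For readers who want to verify what the GUI rule above turns into, here is the pf ruleset fragment that policy routing of this kind produces, written as an added example (not from the thread or from pfSense's own generated config). It assumes constructed values: LAN on em1 as 192.168.1.0/24, the special host at 192.168.1.50, WAN on em0 with upstream gateway 203.0.113.1, and the OpenVPN tunnel on ovpnc1 with gateway 10.8.0.1.

```pf
# Constructed placeholders; substitute your own interfaces and addresses.
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
special  = "192.168.1.50"            # static DHCP mapping from the thread
wan_gw   = "route-to ( em0 203.0.113.1 )"   # what pfSense expands "WAN_GW" to
vpn_gw   = "route-to ( ovpnc1 10.8.0.1 )"   # the OpenVPN client gateway

# Rule 1 (top of LAN): special host, destination NOT the LAN itself, forced out WAN.
# "quick" = first match wins, so it is evaluated before every rule below it.
# The "! $lan_net" negation is the "not LANnet" checkbox: traffic to pfSense's
# own LAN address (DNS, web GUI) must not be pushed out the WAN gateway.
pass in quick on $lan_if $wan_gw inet from $special to ! $lan_net \
    keep state label "special host direct to WAN"

# Rule 2 (unchanged existing LAN rules): everybody else follows the VPN.
# Any VPN-down block rule the OP already has stays below rule 1, so it can
# never catch the special host's traffic.
pass in quick on $lan_if $vpn_gw inet from $lan_net to any \
    keep state label "LAN to internet via OpenVPN"
```

Policy routing only applies to new states, so after saving the rule, reset the special host's existing states (Diagnostics > States) or its already-open connections keep following the VPN; `pfctl -sr` on the pfSense shell shows the rule as actually loaded.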

