Log showing DMZ NIC trying to let traffic for LAN go to WAN?

  • Not sure how to word that… lol

Anyway, is this normal?

    I have a LAN and a LAN2/DMZ

I have block rules so they cannot talk to each other, and it's set to just drop the packet.

However, in the firewall logs I see traffic on interface LAN2/DMZ with a source that should be on LAN1 trying to go to the WAN, and it rejects it via the default block.

Both the LAN and LAN2 are on the same physical network, but is that normal? I may be looking at this wrong? If they are different subnets and it's blocked, how would traffic with a source of LAN end up on LAN2 trying to go online? I'm just not sure if it's normal to see these logs and if there is a way to stop it? I do NOT want to turn off logging of the default block, but I don't want to see the LAN using LAN2 to try to get online and getting blocked by the default. It makes me think I did something wrong...

Also, is there any way to get the DNS forwarder to work on the DMZ/LAN2? Right now the only way clients on LAN2 can get online is if a direct DNS server is hardcoded, but clients on the LAN can just have the gateway set as the DNS and it works...


Anyone? I am sure someone has 2 subnets on the same physical network using pfSense by now?

"Both the LAN and LAN2 are on the same physical network"


Get yourself a second switch or a VLAN-capable switch.
Just don't use multiple subnets on the same broadcast domain.

Can't have it on anything but the same physical network, as otherwise I would need 2 wires running to each endpoint on the network.

VLAN would be nice, but at the moment we don't have the funds to replace the switches in place... :(

Is this going to cause any problems if I leave it like this? In the future we will go for VLANs, but right now we just can't. I'd rather not have to redo everything later when we do get the right hardware, so would this setup be fine for now, even with those messages?

Well, the message basically just tells you that traffic which should not be there has been blocked :)
    Nothing serious.
    Just ignore it ^^"

    But having multiple subnets on the same physical layer is just really bad practice and only leads to problems.
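The answer above says the log entries are just the default block doing its job. The script below is an added example, not part of this thread or of pfSense itself, that shows how to sort default-block hits from a setup like the original poster's: it reads a few constructed firewall log lines (the field layout is a simplified, assumed format, not real pfSense output) together with an assumed interface-to-subnet map, and flags the case the poster describes, a source address from the LAN subnet arriving on the LAN2 interface, separately from the expected LAN-to-LAN2 blocks and from sources that belong to no configured subnet at all.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log, simplified for this example (not real pfSense syntax).
# Field layout (assumed): <action> <interface> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
block LAN2 tcp 192.168.1.23:51234 -> 93.184.216.34:443
block LAN2 udp 192.168.2.40:5353 -> 192.168.1.10:53
block LAN tcp 192.168.1.23:51235 -> 192.168.2.40:445
pass LAN tcp 192.168.1.23:51236 -> 93.184.216.34:443
block LAN2 tcp 10.9.9.9:4000 -> 93.184.216.34:80
"""

# Assumed interface -> subnet mapping for the two-subnet layout in the thread.
IFACE_SUBNETS = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
}

LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<iface>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    iface: str
    src: str
    dst: str
    action: str
    verdict: str


def classify(line, iface_subnets=IFACE_SUBNETS):
    """Classify one log line by whether its source fits the receiving interface.

    Verdicts:
      normal             source belongs to the interface's subnet, destination is not local
      inter-subnet       source fits the interface, destination is another local subnet
                         (the explicit LAN<->LAN2 block rule is expected to catch this)
      foreign-source     source belongs to a *different* configured subnet than the
                         interface it arrived on (the entries the original poster saw)
      unroutable-source  source belongs to no configured subnet (spoofed or misconfigured)
      unknown-interface  interface not in the map
    Returns None for lines that do not match the assumed format.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    iface = m["iface"]
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    expected = iface_subnets.get(iface)
    if expected is None:
        verdict = "unknown-interface"
    elif src not in expected:
        if any(src in net for net in iface_subnets.values()):
            verdict = "foreign-source"
        else:
            verdict = "unroutable-source"
    elif any(dst in net for name, net in iface_subnets.items() if name != iface):
        verdict = "inter-subnet"
    else:
        verdict = "normal"
    return Finding(iface, str(src), str(dst), m["action"], verdict)


def foreign_sources(log_text, iface_subnets=IFACE_SUBNETS):
    """Return (interface, source) pairs for the wrong-subnet entries only."""
    out = []
    for line in log_text.splitlines():
        f = classify(line, iface_subnets)
        if f and f.verdict == "foreign-source":
            out.append((f.iface, f.src))
    return out


def summarize(log_text, iface_subnets=IFACE_SUBNETS):
    """Count log lines per verdict, so the noise can be sized without disabling logging."""
    counts = {}
    for line in log_text.splitlines():
        f = classify(line, iface_subnets)
        if f:
            counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for iface, src in foreign_sources(SAMPLE_LOG):
        print(f"source {src} seen on {iface}, which is not its subnet")
    print(summarize(SAMPLE_LOG))
```

On a shared broadcast domain the firewall cannot tell a LAN host whose frames reached the LAN2 interface apart from a host deliberately spoofing a LAN address, so a "foreign-source" line is exactly what the default block should drop. Splitting the log this way lets you keep default-block logging on while still seeing whether anything other than that expected noise is being rejected.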

