Subnet with no firewall



  • Hi,

    I am using Smoothwall at the moment. I would like to set up a router/firewall with two subnets, one for my trusted LAN, fully firewalled and one that is not firewalled at all (a DMZ as I understand it) for gaming consoles. The two would not need to talk to each other. This would be done with two separate NICs.

    I cannot do this with Smoothwall because the 'orange' or DMZ is fully firewalled.

    Could I use pfsense to achieve this?

    Thanks  :)



  • Yes.
    Just add rules on your DMZ interface that allow everything.
    But could you elaborate on what you are trying to achieve?
    Because even in a DMZ just allowing everything is usually not such a good idea.



  • Sure, (thanks for the quick reply!)

    My home network consists of about 6 machines which I need firewalled, MythTV, desktops, media servers & laptops. They need to be able to talk to each other, but very few port forwards are needed.

    But there are also gaming consoles, PS3, DS, Wii, PSP etc. two of each with some. Some of these need many ports open and because of the duplicate consoles, sometimes the same ports at different times. Gaming forums seem to suggest putting consoles in an un-firewalled DMZ is best and this seems to make sense.

    The PS3s use UPnP which as I understand gets round port problems but it would still be good to have a completely un-firewalled subnet for gaming consoles, allowing me to keep port forwards to a minimum on my 'main' subnet and getting round the problem of only being able to open ports to a single IP.

    Thanks again



  • Hi, I have installed pfsense and made a firewall rule like this:

    Proto    source    port    destination    port    gateway    Schedule    Description
    *        *         *       DMZ            *       *                      DMZ

    Is that all I need to do to create an un-firewalled DMZ or do I need to add something to the NAT section too? (like with port forwards)

    Thanks



  • NAT is used for original inbound traffic. You don't need that.
    Your destination is wrong, unless you only want to pass packets that travel from DMZ to DMZ.
    Destination should be '*' as well.



  • Proto    source    port    destination    port    gateway    Schedule    Description
    *        *         *       *              *       *                      DMZ

    So setting the above for an interface ('Choose on which interface packets must come in to match this rule.') will mean that interface is no longer firewalled.

    Thanks :)

    PS. It's also worth mentioning, in case anyone uses this, that it would be important to stop the above interface 'talking' to the LAN like this:

    Proto    source    port    destination    port    gateway    Schedule    Description
    *        DMZ net   *       ! LAN net      *       *                      Permit DMZ to any BUT LAN
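The thread above ends with two rule sets for the DMZ interface: the plain "allow everything" rule, and the corrected "Permit DMZ to any BUT LAN" rule. The following is an added example (not code from the thread or from pfSense) that models how pfSense evaluates the rules on an interface, top to bottom with first match winning and an implicit default deny when nothing matches, and runs sample packets through both rule sets. The subnets (192.168.1.0/24 for LAN, 192.168.2.0/24 for DMZ) and the host addresses are constructed assumptions; the rule semantics ("* net" aliases, "!" negation, "*" wildcard) follow the rule table columns shown in the posts.

```python
"""Toy evaluator for a pfSense-style interface rule set (added example, not pfSense code)."""
import ipaddress
from dataclasses import dataclass

# Constructed sample subnets; assumptions, not taken from the thread.
NETS = {
    "LAN net": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ net": ipaddress.ip_network("192.168.2.0/24"),
}


@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "*" matches any protocol, otherwise e.g. "tcp"
    src: str           # "*", "<name> net", or "! <name> net"
    dst: str
    description: str = ""


def _match_addr(spec, addr):
    """Match an address against a rule column: wildcard, alias, or negated alias."""
    if spec == "*":
        return True
    negate = spec.startswith("!")
    name = spec.lstrip("! ").strip()
    hit = ipaddress.ip_address(addr) in NETS[name]
    return (not hit) if negate else hit


def _match(rule, proto, src, dst):
    return (rule.proto in ("*", proto)
            and _match_addr(rule.src, src)
            and _match_addr(rule.dst, dst))


def evaluate(rules, proto, src, dst):
    """Action of the first matching rule, or 'block' from the implicit default deny."""
    for rule in rules:
        if _match(rule, proto, src, dst):
            return rule.action
    return "block"


# Rule set from the earlier post: allow everything arriving on the DMZ interface.
ALLOW_ALL = [Rule("pass", "*", "*", "*", "DMZ")]

# Rule set from the PS: allow DMZ hosts to reach anything except the LAN subnet.
ALLOW_BUT_LAN = [Rule("pass", "*", "DMZ net", "! LAN net", "Permit DMZ to any BUT LAN")]

# Equivalent intent written as an explicit block above a pass-all rule...
BLOCK_THEN_PASS = [
    Rule("block", "*", "DMZ net", "LAN net", "Block DMZ to LAN"),
    Rule("pass", "*", "*", "*", "DMZ"),
]
# ...and the same two rules in the wrong order, where the pass rule wins first.
PASS_THEN_BLOCK = list(reversed(BLOCK_THEN_PASS))

# Constructed hosts: a console in the DMZ, a LAN desktop, an Internet host,
# and the firewall's own address on the DMZ interface.
CONSOLE = "192.168.2.10"
LAN_DESKTOP = "192.168.1.20"
INTERNET = "203.0.113.5"
FIREWALL_DMZ_IP = "192.168.2.1"


def results():
    """Evaluate the sample flows on each rule set; returns {ruleset: {flow: action}}."""
    flows = {"to_lan": LAN_DESKTOP, "to_internet": INTERNET, "to_firewall": FIREWALL_DMZ_IP}
    sets = {
        "allow_all": ALLOW_ALL,
        "allow_but_lan": ALLOW_BUT_LAN,
        "block_then_pass": BLOCK_THEN_PASS,
        "pass_then_block": PASS_THEN_BLOCK,
    }
    return {name: {flow: evaluate(rules, "tcp", CONSOLE, dst) for flow, dst in flows.items()}
            for name, rules in sets.items()}


if __name__ == "__main__":
    for name, outcome in results().items():
        print(f"{name:16s} {outcome}")
```

Two things the output makes visible that the rule tables alone do not: rule order decides the result when a block and a pass rule both match the same packet, so an explicit "block DMZ to LAN" rule must sit above any pass-all rule; and the "! LAN net" destination still passes traffic from the DMZ to the firewall's own DMZ-side address, so any management service listening there (the webGUI, SSH) should be restricted separately.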

