Netgate Discussion Forum
Easiest way to separate a network.

General pfSense Questions
9 Posts 3 Posters 1.5k Views

notaduck:

Hello guys. I have a DMZ NIC and a LAN NIC and I really would like to limit the access from DMZ to my LAN.
What would be the easiest way to limit that and still allow SSH?

phil.davis:

On DMZ interface put:

1. Pass any specific things you want to allow with source DMZnet and destinations in LANnet.
2. Block source any destination LANnet.
3. Then the other rules to allow DMZnet out to wherever you want to let it go.

Sometimes you can achieve what you want by having an allow rule to destination !LANnet - letting the DMZ out to anywhere except LANnet. Personally I find it clearer to make separate pass rules for the allowed stuff followed by a more general block for everything else.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

notaduck:

Thanks. I tried to make a setup as you suggested, because what I did earlier was way too over-complicated, I think.
But it isn't working as expected. Before, it took 2 sec to make an SSH connection to the server and now it is taking 20 sec?

(attached screenshot of the rule set: Selection_017.png)

Derelict (Netgate):

You might want to let your DMZ hosts access DNS too. And what is "WAN net"? You realize that only passes/blocks traffic to the actual subnet on the WAN interface, not the internet in general. If you want them to access the internet, you need to use any.

You need to:

Specifically pass local services you want DMZ to access, like DNS and certain services on LAN like AD, etc.
Block access to less-specific destinations like "LAN net".
Pass everything else (the internet), assuming you want your DMZ hosts to have unfettered internet access.

And when you are dealing with traffic generated from inside your network, use reject, not block. There is no reason not to give your internal hosts the benefits of NAK packets for denied traffic. "Stealth", if applicable at all, only applies on your inbound WAN in most circumstances.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

phil.davis:

You should be able to SSH to something in LANnet with those rules.
Note that you have made the SSH pass rule for just TCP - but that should be fine, I don't think there is any UDP in normal SSH use.

The rules with destination WANnet are probably not what you wanted - WANnet is just the little subnet between your WAN interface and the ISP. So those rules will only allow (or block) traffic to that little subnet. To get to the whole public internet you need to have destination any "*".

Then you will need to move your "Block any - LAN" rule up to be rule #2; you will want to block to LANnet before allowing out to everywhere.

notaduck:

Aaarh, thanks! I was locked out of my WordPress site with this setup, but I wasn't allowed to access my website through port 443? Gonna give it a try again later ;)

notaduck:

So this should work, right?

(attached screenshot of the revised rule set: Selection_019.png)

Derelict (Netgate):

DMZ hosts cannot access LAN hosts via TCP. Yes.

That last rule is useless. There's a default deny.

I still don't see DMZ hosts having access to DNS, which is probably where the original delays were coming from.

Quoting the two earlier answers:

On DMZ interface put:

1. Pass any specific things you want to allow with source DMZnet and destinations in LANnet.
2. Block source any destination LANnet.
3. Then the other rules to allow DMZnet out to wherever you want to let it go.

Specifically pass local services you want DMZ to access, like DNS and certain services on LAN like AD, etc.
Block access to less-specific destinations like "LAN net".
Pass everything else (the internet), assuming you want your DMZ hosts to have unfettered internet access.

Two different ways of saying the same thing:

Pass specific,
Reject local less-specific,
Pass any.

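The ordering advice above, worked through as an added example that is not from the thread or from pfSense itself: a small first-match simulation of a DMZ rule set, with constructed addresses standing in for the "DMZ net", "LAN net" and "WAN net" aliases, showing why the LAN reject must sit before the pass-any rule and why "WAN net" as a destination never reaches the internet.

```python
from ipaddress import ip_network, ip_address

# Constructed aliases standing in for pfSense's interface-net macros.
ALIASES = {
    "DMZ net": ip_network("10.0.2.0/24"),
    "LAN net": ip_network("10.0.1.0/24"),
    "WAN net": ip_network("203.0.113.0/29"),  # only the ISP handoff subnet
}
ANY = "any"

def rule(action, proto, src, dst, dport=ANY):
    """Build one rule; proto is a set of protocol names or ANY."""
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def packet(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(r, p):
    """A rule matches when every field it specifies agrees with the packet."""
    if r["proto"] != ANY and p["proto"] not in r["proto"]:
        return False
    for field in ("src", "dst"):
        if r[field] != ANY and ip_address(p[field]) not in ALIASES[r[field]]:
            return False
    return r["dport"] == ANY or p["dport"] == r["dport"]

def verdict(rules, p):
    """First matching rule decides (pfSense GUI rules are 'quick');
    anything unmatched hits the implicit default deny."""
    for r in rules:
        if matches(r, p):
            return r["action"]  # 'reject' sends RST/ICMP unreachable, 'block' drops silently
    return "block"

# The ordering recommended in the thread: pass specific, reject local, pass any.
GOOD_DMZ_RULES = [
    rule("pass", {"tcp"}, "DMZ net", "LAN net", 22),          # SSH to LAN hosts
    rule("pass", {"tcp", "udp"}, "DMZ net", "LAN net", 53),   # DNS to the LAN resolver
    rule("reject", ANY, ANY, "LAN net"),                      # everything else to LAN
    rule("pass", ANY, "DMZ net", ANY),                        # the internet
]
# Mistake 1 from the thread: "WAN net" used as the internet destination.
WANNET_DMZ_RULES = GOOD_DMZ_RULES[:3] + [rule("pass", ANY, "DMZ net", "WAN net")]
# Mistake 2 from the thread: the LAN block placed after the pass-any rule.
MISORDERED_DMZ_RULES = [GOOD_DMZ_RULES[0], GOOD_DMZ_RULES[3], GOOD_DMZ_RULES[2]]

if __name__ == "__main__":
    print(verdict(GOOD_DMZ_RULES, packet("tcp", "10.0.2.10", "10.0.1.5", 443)))     # reject
    print(verdict(WANNET_DMZ_RULES, packet("tcp", "10.0.2.10", "93.184.216.34", 443)))  # block
```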
notaduck:

DNS is enabled now with TCP/UDP and it is working, thanks guys!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.