Easiest way to separate a network.



  • Hello guys. I have a DMZ NIC and a LAN NIC and I really would like to limit the access from DMZ to my LAN.
    What would be the easiest way to limit that and still allow SSH?



  • On DMZ interface put:

    1. Pass any specific things you want to allow with source DMZnet and destinations in LANnet.
    2. Block source any destination LANnet.
    3. Then the other rules to allow DMZnet out to wherever you want to let it go.

    Sometimes you can achieve what you want by having an allow rule to destination !LANnet - letting the DMZ out to anywhere except LANnet. Personally I find it clearer to make separate pass rules for the allowed stuff followed by a more general block for everything else.



  • Thanks. I tried to make a setup as you suggested because what I did earlier was way too overcomplicated, I think.
    But it isn't working as expected. Before it took 2 sec to make an SSH connection to the server and now it is taking 20 sec?



  • Netgate

    You might want to let your DMZ hosts access DNS too.  And what is "WAN net?"  You realize that only passes/blocks traffic to the actual subnet on the WAN interface, not the internet in general.  If you want them to access the internet, you need to use any.

    You need to:

    Specifically pass local services you want DMZ to access, like DNS and certain services on LAN like AD, etc.
    Block access to less-specific destinations like "LAN net"
    Pass everything else (the internet).  Assuming you want your DMZ hosts to have unfettered internet access.

    And when you are dealing with traffic generated from inside your network, use reject, not block.  There is no reason not to give your internal hosts the benefits of NAK packets for denied traffic.  "Stealth" if applicable at all, only applies on your inbound WAN in most circumstances.



  • You should be able to SSH to something in LANnet with those rules.
    Note that you have made the SSH pass rule for just TCP - but that should be fine, I don't think there is any UDP in normal SSH use.

    The rules with destination WANnet are probably not what you wanted - WANnet is just the little subnet between your WAN interface and the ISP. So those rules will only allow (or block) traffic to that little subnet. To get to the whole public internet you need to have destination any "*".

    Then you will need to move your "Block any - LAN" rule up to be rule #2, you will want to block to LANnet before allowing out to everywhere.



  • Aaarh, thanks! I was locked out of my WordPress site with this setup, but I wasn't allowed to access my website through port 443? Gonna give it a try again later ;)



  • So this should work right ?



  • Netgate

    DMZ hosts cannot access LAN hosts via TCP.  Yes.

    That last rule is useless.  There's a default deny.

    I still don't see DMZ hosts having access to DNS, which is probably where the original delays were coming from.

    On DMZ interface put:

    1. Pass any specific things you want to allow with source DMZnet and destinations in LANnet.
    2. Block source any destination LANnet.
    3. Then the other rules to allow DMZnet out to wherever you want to let it go.

    Specifically pass local services you want DMZ to access, like DNS and certain services on LAN like AD, etc.
    Block access to less-specific destinations like "LAN net"
    Pass everything else (the internet).  Assuming you want your DMZ hosts to have unfettered internet access.

    Two different ways of saying the same thing:

    Pass specific
    Reject local less-specific,
    Pass any.
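The "pass specific, reject local less-specific, pass any" pattern from the two Netgate posts above, as an added example that is not code from the thread or from pfSense: a small first-match rule simulator in Python that models how pfSense evaluates interface rules (top to bottom, first match wins, unmatched traffic hits the default deny). It builds the recommended DMZ rule set, then the two mistakes discussed earlier in the thread (the "block to LAN" rule placed below "pass to any", and "WAN net" used as the destination instead of any) so you can see what each one actually lets through. All subnets, the SSH server and resolver addresses, and the test hosts are constructed for illustration.

```python
"""Added example, not code from the thread or from pfSense: a first-match
simulator for the DMZ-interface rule set discussed above.  pfSense evaluates
interface rules top to bottom, first match wins, and anything unmatched hits
the default deny.  All addresses and subnets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("192.168.1.0/24")      # assumed "LAN net"
DMZ_NET = ip_network("192.168.50.0/24")     # assumed "DMZ net"
WAN_NET = ip_network("203.0.113.0/29")      # assumed "WAN net": only the link subnet to the ISP
SSH_SERVER = ip_network("192.168.1.10/32")  # assumed LAN host running sshd
RESOLVER = ip_network("192.168.1.1/32")     # assumed DNS resolver on the LAN side
ANY = None                                  # "any" / "*" in the GUI

TCP = frozenset({"tcp"})
TCP_UDP = frozenset({"tcp", "udp"})


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass", "block" or "reject"
    protos: Optional[frozenset]   # e.g. TCP, TCP_UDP, or ANY
    src: object                   # ip_network or ANY
    dst: object                   # ip_network or ANY
    dport: Optional[int]          # destination port or ANY
    label: str

    def matches(self, proto, src, dst, dport):
        if self.protos is not ANY and proto not in self.protos:
            return False
        if self.src is not ANY and src not in self.src:
            return False
        if self.dst is not ANY and dst not in self.dst:
            return False
        if self.dport is not ANY and dport != self.dport:
            return False
        return True


def decide(rules, proto, src, dst, dport=None):
    """Return (action, label) of the first matching rule, else the default deny."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.label
    return "block", "default deny"


def recommended_rules():
    """Pass specific, reject local less-specific, pass any."""
    return [
        Rule("pass", TCP, DMZ_NET, SSH_SERVER, 22, "SSH to the LAN server"),
        Rule("pass", TCP_UDP, DMZ_NET, RESOLVER, 53, "DNS to the resolver"),
        Rule("reject", ANY, ANY, LAN_NET, ANY, "reject everything else to LAN net"),
        Rule("pass", ANY, DMZ_NET, ANY, ANY, "DMZ out to the internet"),
    ]


def misordered_rules():
    """The ordering mistake: 'block to LAN' placed below 'pass to any'."""
    ssh, dns, reject_lan, pass_any = recommended_rules()
    return [ssh, dns, pass_any, reject_lan]


def wan_net_rules():
    """The 'WAN net' mistake: the final pass rule only reaches the ISP link subnet."""
    ssh, dns, reject_lan, _ = recommended_rules()
    return [ssh, dns, reject_lan, Rule("pass", ANY, DMZ_NET, WAN_NET, ANY, "DMZ to WAN net only")]


if __name__ == "__main__":
    dmz_host, lan_srv, public_ip = "192.168.50.20", "192.168.1.10", "198.51.100.7"
    for name, rules in [("recommended", recommended_rules()),
                        ("misordered", misordered_rules()),
                        ("wan net", wan_net_rules())]:
        print(name)
        print("  ssh   -> LAN server:", decide(rules, "tcp", dmz_host, lan_srv, 22))
        print("  dns   -> resolver  :", decide(rules, "udp", dmz_host, "192.168.1.1", 53))
        print("  https -> LAN server:", decide(rules, "tcp", dmz_host, lan_srv, 443))
        print("  https -> internet  :", decide(rules, "tcp", dmz_host, public_ip, 443))
```

With the recommended order, SSH and DNS to the LAN pass, anything else to LAN net is rejected, and the internet is reachable. Swapping the last two rules makes the reject rule dead code because "pass to any" already matched, so the whole LAN opens up; using "WAN net" instead of any means a public address matches nothing and falls through to the default deny, which is why a trailing explicit block rule adds nothing.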



  • DNS is enabled now with TCP/UDP and it is working, thanks guys!