I've got exactly this situation.

My "tech bench" has 26 ports that are all completely isolated from each
other, with a very strict outbound ruleset. This is to prevent an infected
machine from infecting others on the bench.

To simplify the rules for the interfaces, I added all of the DMZ interfaces
to an interface group.

I also created one alias that includes each of the DMZ interfaces.

I added firewall rules against the interface group, denying LAN, VPNs,
etc. Then a firewall rule denying access to the DMZ alias (to isolate the
DMZs). Finally, I added allow rules to let the DMZ interfaces out.

If I add a new DMZ, all I have to do is add the interface, add it to the
interface group and the alias. The alias has other benefits as well when
creating rules on other interfaces.


On Jun 25, 2017 4:05 PM, "Jeppe Øland" <[email protected]> wrote:

> Does anybody know how to do this more easily.
>
> Let's say I have 10 different isolated DMZs.
> (They are created as VLANs on the "inside" interface so I can connect
> servers to them).
>
> Now I want each VLAN to be able to get an IP address from a DHCP pool, and
> to hit the Internet.
> Nothing else.
> No DMZ<->DMZ or DMZ->LAN traffic.
>
> The default LAN rules allow me to hit each DMZ from the LAN, so that part
> is good.
> The problem is getting each DMZ isolated from each other.
>
> The only thing I have working is to create 10 rules on each DMZ (to block
> access to the other DMZs and the LAN), and an accept "any" rule to be able
> to get out.
>
> I really don't like this as it's error prone.
> If I add a new DMZ, I have to remember to add that rule to all the others.
>
> Is there an easy set of rules I can make to allow the DMZ access to only
> its own net, and the Internet?
>
> Regards,
> -Jeppe
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>
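As an added illustration of the interface-group approach described in the reply above (example code written for this page, not from the thread, from pfSense, or from either poster): a small Python model of first-match rule evaluation on the DMZ group. The topology (ten /24 DMZ VLANs, one LAN, one VPN network, and the firewall holding the .1 address in each DMZ) is a constructed assumption. The model shows why the two deny rules must sit above the final allow-out rule, why forgetting to add a new VLAN to the alias silently opens it up to the older DMZs, and one caveat of putting the DMZ networks themselves in the deny alias: a DMZ host is then also blocked from reaching DNS on its own VLAN's firewall address, which matters if the firewall is the clients' resolver.

```python
import ipaddress

# Constructed sample topology (an assumption for this example, not taken from
# the thread): ten isolated DMZ VLANs, one LAN, one VPN tunnel network.
DMZ_NETS = [ipaddress.ip_network(f"10.10.{i}.0/24") for i in range(1, 11)]
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
VPN_NET = ipaddress.ip_network("10.99.0.0/24")


def in_alias(ip, nets):
    """True if ip falls inside any network of the alias."""
    return any(ip in net for net in nets)


def own_gateway(ip, nets):
    """Firewall address (.1 by assumption) of the DMZ containing ip, or None."""
    for net in nets:
        if ip in net:
            return net.network_address + 1
    return None


def build_rules(dmz_alias, allow_dns_to_gateway=False):
    """Ordered rule list as it would sit on the DMZ interface group.

    First match wins, as on a pfSense interface tab, so both deny rules must
    sit above the final allow-out rule. Each rule is (action, predicate) with
    predicate(src, dst, dport) -> bool.
    """
    rules = []
    if allow_dns_to_gateway:
        # Optional fix for the caveat: let a host reach DNS on the firewall
        # address of its *own* VLAN only, not on other DMZs' addresses.
        rules.append(("pass", lambda s, d, p: p == 53 and d == own_gateway(s, dmz_alias)))
    rules.append(("block", lambda s, d, p: in_alias(d, [LAN_NET, VPN_NET])))  # deny LAN, VPNs
    rules.append(("block", lambda s, d, p: in_alias(d, dmz_alias)))           # deny DMZ alias
    rules.append(("pass", lambda s, d, p: True))                              # allow out
    return rules


def evaluate(rules, src, dst, dport=0):
    """Return the action of the first matching rule (default deny if none)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, match in rules:
        if match(s, d, dport):
            return action
    return "block"


if __name__ == "__main__":
    rules = build_rules(DMZ_NETS)
    print("DMZ1 -> Internet:", evaluate(rules, "10.10.1.50", "8.8.8.8", 443))
    print("DMZ1 -> DMZ2:    ", evaluate(rules, "10.10.1.50", "10.10.2.50", 22))
    print("DMZ1 -> LAN:     ", evaluate(rules, "10.10.1.50", "192.168.1.10", 445))
    print("DMZ1 -> own gw DNS (caveat):", evaluate(rules, "10.10.1.50", "10.10.1.1", 53))
    # An eleventh VLAN that was added as an interface but forgotten in the alias:
    print("DMZ1 -> DMZ11 with stale alias:", evaluate(rules, "10.10.1.50", "10.10.11.7"))
```

The stale-alias case is the failure mode the reply's workflow is designed to prevent: with the old alias, traffic from an existing DMZ to the new VLAN falls through to the allow-out rule. On a real pfSense box the explicit DHCP rule asked about in the question is not needed, since pfSense adds its own pass rules for DHCP on any interface where its DHCP server is enabled; DNS to the firewall, however, is not exempted and needs a pass rule (for example to the built-in "This Firewall" alias on port 53) placed above the DMZ-alias deny if clients resolve through pfSense.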