Hi, it should be simple. pfSense denies all traffic in the absence of any
rules, so it should be blocking all communication between DMZs by default. To
allow the traffic to reach the Internet, all you need to do is create a rule that
permits the traffic that goes everywhere except to an alias that contains the
private network (RFC1918) subnets. I recommend that you do it in the
floating rules tab; that way you may select several interfaces in one rule.
However, you still may need to edit the rule every time a new DMZ is added.

---
Regards,
Leandro
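To make the behaviour of that single "pass to anything except RFC1918" floating rule concrete, here is a small Python model of the evaluation (an added example; it is not part of Leandro's reply and not pfSense code). It assumes first-match semantics with an implicit default deny, a constructed lab of DMZ VLANs on 10.10.n.0/24 with the firewall holding the first host address of each, and that DMZ clients use the firewall's own DNS resolver, which is why a second pass rule for port 53 to those private interface addresses is included. The interface names, subnets and flows are all constructed.

```python
"""Model of the DMZ isolation rule set described in the reply (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, List, Optional

# Alias "RFC1918" as it would be defined under Firewall > Aliases.
RFC1918: List[IPv4Network] = [
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    interfaces: List[str]           # interfaces the floating rule is bound to
    dst_alias: List[IPv4Network]    # destination alias (hosts are /32 entries)
    invert_dst: bool = False        # the "not" (invert match) box on the destination
    dst_port: Optional[int] = None  # None means any port
    note: str = ""


@dataclass
class Packet:
    in_if: str                      # interface the packet arrives on
    src: IPv4Address
    dst: IPv4Address
    dport: int = 443


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.in_if not in rule.interfaces:
        return False
    in_alias = any(pkt.dst in net for net in rule.dst_alias)
    # Normal match: destination must be in the alias.
    # Inverted match: destination must be anywhere EXCEPT the alias.
    if in_alias == rule.invert_dst:
        return False
    return rule.dst_port is None or rule.dst_port == pkt.dport


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; no match falls through to the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def build_rules(dmz_subnets: Dict[str, str]) -> List[Rule]:
    """Two floating rules bound to every DMZ interface in dmz_subnets."""
    ifaces = list(dmz_subnets)
    # Assumption: each DMZ interface holds the first host address of its subnet
    # and clients use the firewall's own resolver, so port 53 to those addresses
    # needs an explicit pass (they are private and would otherwise be caught by
    # the "not RFC1918" rule).  DHCP needs no rule here: pfSense adds automatic
    # rules for its own DHCP server.
    this_firewall = [
        ip_network(f"{next(ip_network(s).hosts())}/32") for s in dmz_subnets.values()
    ]
    return [
        Rule("pass", ifaces, this_firewall, dst_port=53, note="DNS to This Firewall"),
        Rule("pass", ifaces, RFC1918, invert_dst=True, note="Internet only"),
    ]


def demo() -> Dict[str, str]:
    # Constructed lab: DMZ VLANs dmz1..dmz10 on 10.10.<n>.0/24, LAN on 192.168.1.0/24,
    # and 203.0.113.10 (TEST-NET-3) standing in for an Internet host.
    dmz = {f"dmz{n}": f"10.10.{n}.0/24" for n in range(1, 11)}
    rules = build_rules(dmz)
    client = ip_address("10.10.1.20")
    flows = {
        "dmz1 -> Internet": Packet("dmz1", client, ip_address("203.0.113.10")),
        "dmz1 -> own DNS": Packet("dmz1", client, ip_address("10.10.1.1"), 53),
        "dmz1 -> dmz2": Packet("dmz1", client, ip_address("10.10.2.20")),
        "dmz1 -> LAN": Packet("dmz1", client, ip_address("192.168.1.10")),
        # Side effect of the shared DNS rule: dmz2's interface address is reachable
        # on port 53 from dmz1.  Tightening that means one DNS rule per interface.
        "dmz1 -> dmz2 DNS": Packet("dmz1", client, ip_address("10.10.2.1"), 53),
        # dmz11 was created afterwards but not added to the floating rules.  Its own
        # hosts cannot get out until the rule is edited (the point made above), while
        # its subnet is already unreachable from the other DMZs because the alias
        # covers the whole RFC1918 space.
        "dmz11 -> Internet": Packet("dmz11", ip_address("10.10.11.20"), ip_address("203.0.113.10")),
        "dmz1 -> dmz11": Packet("dmz1", client, ip_address("10.10.11.20")),
    }
    return {name: decide(rules, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Running it shows every DMZ-to-DMZ and DMZ-to-LAN flow landing on the default deny while Internet traffic passes, and it also shows the two things worth checking after each change: a newly added VLAN gets nothing until it is added to the floating rule's interface list, and any pass rule that targets the firewall's own private addresses (DNS here) is shared across all the interfaces it is bound to.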

On Jun 25, 2017, 4:04 p.m., "Jeppe Øland" <[email protected]> wrote:
>Does anybody know how to do this more easily?
>
>Let's say I have 10 different isolated DMZs.
>(They are created as VLANs on the "inside" interface so I can connect
>servers to them).
>
>Now I want each VLAN to be able to get an IP address from a DHCP pool,
>and to hit the Internet.
>Nothing else.
>No DMZ<->DMZ or DMZ->LAN traffic.
>
>The default LAN rules allow me to hit each DMZ from the LAN, so that
>part is good.
>The problem is getting each DMZ isolated from each other.
>
>The only thing I have working is to create 10 rules on each DMZ (to
>block access to the other DMZs and the LAN), and an accept "any" rule
>to be able to get out.
>
>I really don't like this as it's error prone.
>If I add a new DMZ, I have to remember to add that rule to all the
>others.
>
>Is there an easy set of rules I can make to allow the DMZ access to
>only its own net, and the Internet?
>
>Regards,
>-Jeppe
>_______________________________________________
>pfSense mailing list
>https://lists.pfsense.org/mailman/listinfo/list
>Support the project with Gold! https://pfsense.org/gold