The thing is I couldn't figure out what rules are needed to get out to the
Internet!

If I add no rules at all, then the PC can get a DHCP address, but it can't
even ping pfSense.

I tried adding several rules (simultaneously), but didn't find anything to
allow me out to the Internet.

Simply adding a "DMZnet -> WANnet" rule did not let me get out.
Adding the firewall specifically (since that is the GW it will go through)
did not help either.
(I tried a few more things in desperation, but nothing changed)

Obviously the "DMZnet -> !LANnet" worked, but that doesn't block off all
the other DMZs :-(

Regards,
-Jeppe


On Sun, Jun 25, 2017 at 8:28 PM, Leandro de la Paz <[email protected]>
wrote:

> Hi, it should be simple. pfSense denies all traffic in the absence of
> any rules, so it should be blocking all communication between DMZs by
> default. To allow the traffic to reach the Internet, all you need to do is
> create a rule that permits traffic going everywhere except to an
> alias that contains the private network (RFC1918) subnets. I recommend
> that you do it in the floating rules tab; that way you may select several
> interfaces in one rule. However, you may still need to edit the rule every
> time a new DMZ is added.
>
> ---
> Regards,
> Leandro
>
> On 25 Jun 2017 at 4:04 p.m., "Jeppe Øland" <[email protected]>
> wrote:
> >Does anybody know how to do this more easily?
> >
> >Let's say I have 10 different isolated DMZs.
> >(They are created as VLANs on the "inside" interface so I can connect
> >servers to them).
> >
> >Now I want each VLAN to be able to get an IP address from a DHCP pool,
> >and to hit the Internet.
> >Nothing else.
> >No DMZ<->DMZ or DMZ->LAN traffic.
> >
> >The default LAN rules allow me to hit each DMZ from the LAN, so that
> >part is good.
> >The problem is getting each DMZ isolated from each other.
> >
> >The only thing I have working is to create 10 rules on each DMZ (to
> >block access to the other DMZs and the LAN), and an accept "any" rule
> >to be able to get out.
> >
> >I really don't like this as it's error prone.
> >If I add a new DMZ, I have to remember to add that rule to all the
> >others.
> >
> >Is there an easy set of rules I can make to allow the DMZ access to
> >only its own net, and the Internet?
> >
> >Regards,
> >-Jeppe
> >_______________________________________________
> >pfSense mailing list
> >https://lists.pfsense.org/mailman/listinfo/list
> >Support the project with Gold! https://pfsense.org/gold
>
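The following is an added example, not code from the thread or from pfSense itself. It models pfSense's first-match rule evaluation (implicit default block, first matching rule wins) over a constructed lab addressing plan so the two approaches discussed above can be compared side by side: Jeppe's per-DMZ block list followed by "pass any", and Leandro's single "pass to not RFC1918" rule. The addressing (ten DMZ VLANs at 10.10.1.0/24 through 10.10.10.0/24 with pfSense at .1 of each, LAN at 192.168.1.0/24) and the host addresses are assumptions made here. The model also shows the check a practitioner would want before deploying the "not RFC1918" rule: because pfSense's own DMZ address is itself RFC1918, that rule alone also blocks DMZ hosts from reaching the firewall for DNS, so the example puts an assumed pass rule for UDP/53 to the interface address in front of it. DHCP is left out of the model because pfSense adds its own rules for the DHCP server on interfaces where it is enabled, which matches the observation above that leases worked with no user rules.

```python
"""Model pfSense first-match rule evaluation for the DMZ isolation question.

Constructed lab addressing (assumption, not from the thread): ten DMZ VLANs at
10.10.1.0/24 .. 10.10.10.0/24 with pfSense at .1 of each, LAN at 192.168.1.0/24.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

IPNet = ipaddress.IPv4Network

# The alias Leandro describes: all RFC1918 space.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NETS = {f"DMZ{i}": ipaddress.ip_network(f"10.10.{i}.0/24") for i in range(1, 11)}


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str = "tcp"   # "tcp" or "udp"
    dport: int = 443


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst_nets: tuple[IPNet, ...]  # alias contents; empty tuple = any destination
    invert: bool = False         # pfSense "not" checkbox: match when dst is NOT in the alias
    proto: str | None = None     # None = any protocol
    dport: int | None = None     # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        addr = ipaddress.ip_address(pkt.dst)
        in_alias = any(addr in n for n in self.dst_nets) if self.dst_nets else True
        return in_alias != self.invert


def evaluate(rules: Iterable[Rule], pkt: Packet) -> str:
    """Interface-rule semantics as pfSense applies them: the first matching rule
    decides, and with no match the implicit default is block."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


def per_dmz_rules(me: str, known_dmzs: dict[str, IPNet]) -> list[Rule]:
    """Jeppe's current approach: one block rule per *other* DMZ plus LAN, then pass any.
    The list is a snapshot of the DMZs known when it was generated."""
    blocks = [Rule("block", (net,)) for name, net in known_dmzs.items() if name != me]
    blocks.append(Rule("block", (LAN_NET,)))
    return blocks + [Rule("pass", ())]


def not_rfc1918_rules(my_gateway: str) -> list[Rule]:
    """Leandro's approach: a single pass rule to "not RFC1918".
    The leading DNS rule is an assumption added here: without it the alias rule also
    blocks DNS to pfSense's own (RFC1918) address on the DMZ."""
    gw = ipaddress.ip_network(f"{my_gateway}/32")
    return [
        Rule("pass", (gw,), proto="udp", dport=53),
        Rule("pass", RFC1918, invert=True),
    ]


def compare_after_new_dmz() -> dict[str, str]:
    """Add DMZ11 (10.10.11.0/24) after DMZ1's per-DMZ rule set was generated and
    see which policy lets DMZ1 reach a host on the new DMZ."""
    stale = per_dmz_rules("DMZ1", DMZ_NETS)   # built before DMZ11 existed
    fresh = not_rfc1918_rules("10.10.1.1")    # needs no change for DMZ11
    new_host = Packet("10.10.11.5")           # constructed host on the newly added DMZ11
    return {"per_dmz": evaluate(stale, new_host), "not_rfc1918": evaluate(fresh, new_host)}


if __name__ == "__main__":
    rules = not_rfc1918_rules("10.10.1.1")
    for pkt in (Packet("8.8.8.8"), Packet("10.10.2.5"), Packet("192.168.1.10"),
                Packet("10.10.1.1", "udp", 53), Packet("10.10.1.1")):
        print(pkt, "->", evaluate(rules, pkt))
    print(compare_after_new_dmz())
```

The comparison function is the point of the model: the per-DMZ block list is correct on the day it is written but silently passes traffic to any DMZ added later, while the "not RFC1918" rule stays correct as long as every new DMZ is carved out of private address space. The trade-off the DNS rule illustrates applies to anything else the DMZ hosts need from pfSense itself (NTP, a captive portal, the web GUI), each of which needs its own pass rule placed before the alias rule.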
