Automatic outbound NAT rules look like they are taking care of all that.

The issue I have is that it doesn't seem optimal to have Internet access
require "allow all". Too much margin for error in setting things up.

On Wed, Jun 28, 2017 at 12:22 PM, Dimitri Alexandris <d.alexand...@gmail.com
> wrote:

> Except for the allow filter (DMZ to WAN, allow everything), you must also
> NAT to WAN, assuming that DMZ subnets have private IPs.
>
> That should be done on each DMZ.  LAN rules/NAT come as default, so you
> can "copy" them just changing the output interface of the copy, and they will
> be auto-moved to the proper tabs.
>
>
> On Mon, Jun 26, 2017 at 4:32 PM, Jeppe Øland <jol...@gmail.com> wrote:
>
> > The thing is I couldn't figure out what rules are needed to get out to
> > the Internet!
> >
> > If I add no rules at all, then the PC can get a DHCP address, but it
> > can't even ping pfSense.
> >
> > I tried adding several rules (simultaneously), but didn't find anything
> > to allow me out to the Internet.
> >
> > Simply adding a "DMZnet -> WANnet" rule did not let me get out.
> > Adding the firewall specifically (since that is the GW it will go
> > through) did not help either.
> > (I tried a few more things in desperation, but nothing changed.)
> >
> > Obviously the "DMZnet -> !LANnet" worked, but that doesn't block off all
> > the other DMZs :-(
> >
> > Regards,
> > -Jeppe
> >
> >
> > On Sun, Jun 25, 2017 at 8:28 PM, Leandro de la Paz <lean...@jovenclub.cu>
> > wrote:
> >
> > > Hi, it should be simple. pfSense denies all traffic in the absence of
> > > any rules, so it should be blocking all communication between DMZs by
> > > default. To allow the traffic to reach the Internet, all you need to do is
> > > create a rule that permits the traffic that goes everywhere except to an
> > > alias that contains the private network (RFC1918) subnets. I recommend
> > > that you do it on the floating rules tab; that way you may select several
> > > interfaces in one rule. However, you still may need to edit the rule
> > > every time a new DMZ is added.
> > >
> > > ---
> > > Regards,
> > > Leandro
> > >
> > > On 25 Jun 2017 at 4:04 p.m., "Jeppe Øland" <jol...@gmail.com> wrote:
> > > >Does anybody know how to do this more easily?
> > > >
> > > >Let's say I have 10 different isolated DMZs.
> > > >(They are created as VLANs on the "inside" interface so I can connect
> > > >servers to them.)
> > > >
> > > >Now I want each VLAN to be able to get an IP address from a DHCP pool,
> > > >and to hit the Internet.
> > > >Nothing else.
> > > >No DMZ<->DMZ or DMZ->LAN traffic.
> > > >
> > > >The default LAN rules allow me to hit each DMZ from the LAN, so that
> > > >part is good.
> > > >The problem is getting each DMZ isolated from each other.
> > > >
> > > >The only thing I have working is to create 10 rules on each DMZ (to
> > > >block access to the other DMZs and the LAN), and an accept "any" rule
> > > >to be able to get out.
> > > >
> > > >I really don't like this as it's error prone.
> > > >If I add a new DMZ, I have to remember to add that rule to all the
> > > >others.
> > > >
> > > >Is there an easy set of rules I can make to allow the DMZ access to
> > > >only its own net, and the Internet?
> > > >
> > > >Regards,
> > > >-Jeppe
> > > >_______________________________________________
> > > >pfSense mailing list
> > > >https://lists.pfsense.org/mailman/listinfo/list
> > > >Support the project with Gold! https://pfsense.org/gold
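Leandro's RFC1918 alias with one rule selecting several DMZ interfaces, and Dimitri's reminder that each DMZ also needs outbound NAT, translate into a short pf ruleset. The block below is an added example written for this page; it was not posted in the thread and it is not pfSense's generated rules.debug. pfSense builds its ruleset from the GUI, so treat this as the model to reproduce there (an alias for the three private ranges, a floating block rule and a floating pass rule that both select every DMZ interface, "This Firewall (self)" as the destination for the DHCP/DNS/ping rules, plus outbound NAT), not a file to load on the box. The interface names (vlan10/vlan20/vlan30 for the DMZs, em0 for WAN, em1 for LAN) are assumptions.

```pf
# Added example (not from the thread): isolate N DMZ VLANs from each other
# and from the LAN, allowing DHCP and Internet access only.
# Interface names are assumed.
wan_if  = "em0"
lan_if  = "em1"
dmz_ifs = "{ vlan10 vlan20 vlan30 }"   # a new DMZ VLAN is added here and nowhere else

# All private space, so no rule has to list each DMZ subnet individually
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Outbound NAT for anything private leaving the WAN (pfSense's automatic
# outbound NAT does the equivalent for each configured local network)
nat on $wan_if inet from <rfc1918> to any -> ($wan_if)

set skip on lo0
block log all                          # default deny; the quick rules below decide

# LAN keeps its "allow everything" rule, so LAN -> DMZ still works
pass in quick on $lan_if inet from ($lan_if:network) to any keep state

# DMZ hosts may talk to the firewall itself only for DHCP, DNS and ping
pass in quick on $dmz_ifs inet proto udp from any port 68 to any port 67     # DHCP
pass in quick on $dmz_ifs inet proto { tcp, udp } from any to self port 53   # DNS, if pfSense resolves for the DMZ
pass in quick on $dmz_ifs inet proto icmp from any to self icmp-type echoreq

# Anything else from a DMZ towards private space (other DMZs, the LAN, the
# firewall's other addresses) is dropped before the Internet rule can match it
block in log quick on $dmz_ifs inet from any to <rfc1918>

# What remains is Internet-bound; the state it creates also covers the
# packet leaving on $wan_if, so no separate "pass out on $wan_if" is needed
pass in quick on $dmz_ifs inet from any to any keep state
```

The ordering is the whole point: the block to `<rfc1918>` sits above the "pass to any" rule and is `quick`, so a "DMZnet -> any" rule no longer means "allow all". This is also why a "DMZnet -> !LANnet" rule does not isolate the DMZs: it only excludes one subnet, while the table excludes every private range, including DMZs created later. The `to self` rules let a DMZ host reach the firewall on any of its addresses (including another DMZ's gateway IP) for DNS and ping; if that matters, replace them with one rule per interface using `to (vlan10)` and so on. The rules are `inet` only, so IPv6 from the DMZs falls through to the default block.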
