Re: [pfSense] Multiple DMZs isolated from each other

2017-06-28 Thread Dimitri Alexandris
Except for the allow filter (DMZ to WAN, allow everything), you must also NAT to WAN, assuming that DMZ subnets have private IPs. That should be done on each DMZ. LAN rules/NAT come as default, so you can "copy" them, just changing the output interface of the copy, and they will be auto-moved to the

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-26 Thread Chris L
> On Jun 26, 2017, at 5:27 PM, Jeppe Øland wrote:
>
> Well, at least that matches what I found: That I can't get connections to
> the internet working without allowing everything else too.
>
> That seems like a pretty bad design... It would be much better to be able
> to

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-26 Thread Jeppe Øland
Well, at least that matches what I found: That I can't get connections to the internet working without allowing everything else too. That seems like a pretty bad design... It would be much better to be able to allow something to just the WAN interface... On Mon, Jun 26, 2017 at 11:26 AM, Jim

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-26 Thread Jim Spaloss
The rule(s) that allow internet access are the "Allow to Any" rule(s). This could be accomplished as one rule on a floating or interface group ruleset. (Allow any from any to any). The trick is to block the things that you don't want the DMZ to have access to first. I also use an alias to keep

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-26 Thread Jeppe Øland
The thing is I couldn't figure out what rules are needed to get out to the Internet! If I add no rules at all, then the PC can get a DHCP address, but it can't even ping pfSense. I tried adding several rules (simultaneously), but didn't find anything to allow me out to the Internet. Simply

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-25 Thread Leandro de la Paz
Hi, it should be simple. pfSense denies all the traffic in the absence of any rules, so it should be blocking all communication between DMZs by default. To allow the traffic to reach the Internet, all you need to do is create a rule that permits the traffic that goes everywhere except to an alias that

Re: [pfSense] Multiple DMZs isolated from each other

2017-06-25 Thread Jim Spaloss
I've got exactly this situation. My "tech bench" has 26 ports that are all completely isolated from each other, with a very strict outbound ruleset. This is to prevent an infected machine from infecting others on the bench. To simplify the rules for the interfaces, I added all of the DMZ