Except for the allow filter (DMZ to WAN, allow everything), you must also
NAT to WAN, assuming that DMZ subnets have private IPs.

That should be done on each DMZ.  LAN rules/NAT come by default, so you
can "copy" them, just changing the output interface of the copy, and they will
be auto-moved to the proper tabs.


On Mon, Jun 26, 2017 at 4:32 PM, Jeppe Øland <jol...@gmail.com> wrote:

> The thing is I couldn't figure out what rules are needed to get out to the
> Internet!
>
> If I add no rules at all, then the PC can get a DHCP address, but it can't
> even ping pfSense.
>
> I tried adding several rules (simultaneously), but didn't find anything to
> allow me out to the Internet.
>
> Simply adding a "DMZnet -> WANnet" rule did not let me get out.
> Adding the firewall specifically (since that is the GW it will go through)
> did not help either.
> (I tried a few more things in desperation, but nothing changed)
>
> Obviously the "DMZnet -> !LANnet" worked, but that doesn't block off all
> the other DMZs :-(
>
> Regards,
> -Jeppe
>
>
> On Sun, Jun 25, 2017 at 8:28 PM, Leandro de la Paz <lean...@jovenclub.cu>
> wrote:
>
> > Hi, it should be simple. pfSense denies all traffic in the absence of
> > any rules, so it should be blocking all communication between DMZs by
> > default. To allow the traffic to reach the Internet, all you need to do is
> > create a rule that permits the traffic that goes everywhere except to an
> > alias that contains the private network (RFC1918) subnets. I recommend
> > that you do it in the floating rules tab; that way you may select several
> > interfaces in one rule. However, you still may need to edit the rule every
> > time that a new DMZ is added.
> >
> > ---
> > Regards,
> > Leandro
> >
> > On 25 Jun. 2017 4:04 p.m., "Jeppe Øland" <jol...@gmail.com> wrote:
> > >Does anybody know how to do this more easily?
> > >
> > >Let's say I have 10 different isolated DMZs.
> > >(They are created as VLANs on the "inside" interface so I can connect
> > >servers to them).
> > >
> > >Now I want each VLAN to be able to get an IP address from a DHCP pool,
> > >and to hit the Internet.
> > >Nothing else.
> > >No DMZ<->DMZ or DMZ->LAN traffic.
> > >
> > >The default LAN rules allow me to hit each DMZ from the LAN, so that
> > >part is good.
> > >The problem is getting each DMZ isolated from each other.
> > >
> > >The only thing I have working is to create 10 rules on each DMZ (to
> > >block access to the other DMZs and the LAN), and an accept "any" rule
> > >to be able to get out.
> > >
> > >I really don't like this as it's error prone.
> > >If I add a new DMZ, I have to remember to add that rule to all the
> > >others.
> > >
> > >Is there an easy set of rules I can make to allow the DMZ access to
> > >only its own net, and the Internet?
> > >
> > >Regards,
> > >-Jeppe
> >
>
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
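The pattern the thread converges on (per-DMZ "allow everything except an RFC1918 alias", plus outbound NAT on WAN) is shown below as an added example; it is not code from the thread or from the pfSense project. It emits pf-style rule text for a constructed set of three DMZ VLANs (the interface names, subnets and the assumption that the firewall holds the first host address of each subnet are all made up for the example) and includes a deliberately simplified first-match evaluator, so the isolation intent can be checked before touching a real firewall. The evaluator is not the pf engine: it has no state table and no floating rules, and it models pfSense's default deny as a final block.

```python
"""Isolated-DMZ rule pattern: generate pf-style rules and sanity-check them.

Added example for the mailing-list thread above; not pfSense project code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The RFC1918 alias Leandro recommends: "everywhere except private space".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample topology (assumption for this example; use your own VLANs).
DMZS = {
    "dmz10": ipaddress.ip_network("10.10.10.0/24"),
    "dmz20": ipaddress.ip_network("10.10.20.0/24"),
    "dmz30": ipaddress.ip_network("10.10.30.0/24"),
}
WAN_IF = "wan"


def gateway(iface: str) -> ipaddress.IPv4Address:
    """Firewall's own address on a DMZ, modelled as the first host (assumption)."""
    return next(DMZS[iface].hosts())


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the packet enters on
    proto: str             # "any", "tcp", "udp", "icmp"
    src: str               # "any" or "net" (the DMZ's own subnet)
    dst: str               # "any", "self" (firewall address) or "<rfc1918>"
    dport: Optional[int]   # destination port, None = any
    comment: str

    def pf_text(self) -> str:
        """Render as a pf 'quick' rule (first match wins, like a pfSense tab)."""
        proto = "" if self.proto == "any" else f" proto {self.proto}"
        src = "any" if self.src == "any" else f"{self.iface}:network"
        dst = f"({self.iface})" if self.dst == "self" else self.dst
        port = "" if self.dport is None else f" port {self.dport}"
        return (f"{self.action} in quick on {self.iface}{proto} "
                f"from {src} to {dst}{port}  # {self.comment}")


def rules_for(iface: str) -> list[Rule]:
    """The same four rules on every DMZ; order matters (first match wins)."""
    return [
        Rule("pass", iface, "udp", "any", "any", 67,
             "DHCP to the firewall (pfSense adds this itself when its DHCP server is on)"),
        Rule("pass", iface, "udp", "net", "self", 53,
             "DNS to the firewall's resolver, placed before the private-space block"),
        Rule("block", iface, "any", "net", "<rfc1918>", None,
             "no DMZ<->DMZ and no DMZ->LAN, whatever DMZs get added later"),
        Rule("pass", iface, "any", "net", "any", None,
             "everything else, i.e. the Internet"),
    ]


def ruleset() -> str:
    """Full rule text: alias table, outbound NAT per DMZ, then per-DMZ filter rules."""
    lines = ["table <rfc1918> const { " + ", ".join(str(n) for n in RFC1918) + " }"]
    for iface in DMZS:
        lines.append(f"nat on {WAN_IF} from {iface}:network to any -> ({WAN_IF})"
                     f"  # outbound NAT, needed because the DMZ uses private IPs")
    for iface in DMZS:
        lines.extend(r.pf_text() for r in rules_for(iface))
    return "\n".join(lines)


def evaluate(iface: str, src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """Simplified first-match decision for one inbound packet on a DMZ interface."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules_for(iface):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.src == "net" and src_ip not in DMZS[iface]:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.dst == "self" and dst_ip != gateway(iface):
            continue
        if r.dst == "<rfc1918>" and not any(dst_ip in n for n in RFC1918):
            continue
        return r.action
    return "block"  # pfSense default deny when no rule matches


if __name__ == "__main__":
    print(ruleset())
    print("dmz10 -> dmz20 :", evaluate("dmz10", "10.10.10.50", "10.10.20.50", "tcp", 80))
    print("dmz10 -> web   :", evaluate("dmz10", "10.10.10.50", "203.0.113.5", "tcp", 443))
    print("dmz10 -> gw DNS:", evaluate("dmz10", "10.10.10.50", "10.10.10.1", "udp", 53))
```

Two things the model makes visible that the thread only hints at: the RFC1918 block also stops hosts from pinging or reaching the firewall's own DMZ address, which is why an explicit DNS (and, if wanted, ICMP) pass to the interface address has to sit above the block; and because the block is keyed on the private-address alias rather than on a list of DMZ subnets, a DMZ added next month is already blocked from the existing ones without editing any other tab.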
