Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
DMZ Firewall rules driving me crazy
« previous
next »
Print
Pages: [
1
]
Author
Topic: DMZ Firewall rules driving me crazy (Read 1844 times)
christianholz
Newbie
Posts: 1
Karma: 0
DMZ Firewall rules driving me crazy
«
on:
November 19, 2019, 05:23:46 pm »
Hi Opnsense wizards,
I am slowly losing steam with Opnsense and wonder if I have to go back to pfsense, where I never had this problem... But maybe I am just overseeing something obvious?
I am running OPNsense 19.7.6-amd64 and I have three NICs on my device. One is bound to the external GW, one to the LAN and one is my DMZ. So far so good. I can access the Internet from both the LAN and DMZ networks, I can access the DMZ from the LAN (also as expected), but I cannot prohibit connections from DMZ to LAN. The latter is absolutely necessary for me, otherwise it is not a DMZ.
I have tried the following:
- Added a rule on the DMZ interface, type "Block" direction out with the destination being the whole LAN network (/24) and the rest pretty much any/any as suggested by Opnsense.
- Added a rule on the LAN interface, type "Block" where the source is the DMZ network (also /24).
- At this point there are no exceptions defined; i.e. no other firewall rules. All of the rules are "first match".
With this, I still have bidirectional connectivity between LAN and DMZ and I don't understand why. I have flushed the states table and rebooted the firewall multiple times without any results.
What I am trying to get is:
- Both LAN and DMZ can talk to the Internet
- LAN can talk to everything on all ports in the DMZ
- DMZ can talk to a single IP in LAN via SSH only
- OpenVPN terminates in LAN with the aforementioned access as LAN (this seems to work)
Anything that could be wrong here?
Thanks for any hints...
Christian
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
DMZ Firewall rules driving me crazy