Topic: Allow DMZ to Internet (WAN) (Read 3288 times)
morphxyz (Newbie, Posts: 15, Karma: 1)
Allow DMZ to Internet (WAN)
on: December 04, 2023, 04:12:15 pm
Heya.
I can't believe I have to ask this but here we are.
I have read through
https://docs.opnsense.org/manual/firewall.html
I have a DMZ VLAN and interface.
When I configure the following rule:
Interface: DMZ
Direction: in
Source: DMZ net
Destination: any
DMZ can access the internet.
Now when I change Destination to "WAN net", the traffic is blocked by a default rule.
What could be the cause for this issue?
I want clients in the DMZ net to be able to access the internet.
Is this possible with a single rule?
I sit in a /26 subnet from my provider.
Does my rule limit access to said subnet?
What's the best approach? Allow DMZ to any and block all other nets specifically?
Patrick M. Hausen (Hero Member, Posts: 6844, Karma: 574)
Re: Allow DMZ to Internet (WAN)
Reply #1 on: December 04, 2023, 04:45:25 pm
WAN net is the network directly attached to your WAN interface. The Internet is always "any".
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
morphxyz (Newbie, Posts: 15, Karma: 1)
Re: Allow DMZ to Internet (WAN)
Reply #2 on: December 04, 2023, 05:01:34 pm
Thanks for the clarification!
But when I choose "any" I can access my other VLAN subnets.
Does that mean I have to deny DMZ on all other networks?
Or what's the best approach?
Patrick M. Hausen (Hero Member, Posts: 6844, Karma: 574)
Re: Allow DMZ to Internet (WAN)
Reply #3 on: December 04, 2023, 05:10:36 pm
Either place a
destination: all other networks
action: deny
rule above your "allow" rule or use destination invert in that allow rule, e.g. combined with an alias like "rfc1918" containing all those private networks. You still might need an extra rule to permit DNS, so I prefer to go with a "deny to what I want to protect" followed by an "allow any".
Another way can be to explicitly set the upstream gateway in the allow rule, so any packet will be forwarded out to the Internet.
It all depends on your preference and your exact topology.
HTH,
Patrick
morphxyz (Newbie, Posts: 15, Karma: 1)
Re: Allow DMZ to Internet (WAN)
Reply #4 on: December 04, 2023, 06:24:44 pm
Thank you for your recommendations.
It works!