pfSense DMZ – The Complete Guide

I will show you how to set up your pfSense DMZ step-by-step and explain what is important. A DMZ is usually created if you want a more restrictive outside-facing part of your network that is separated from your internal network. A Web server would be a good example of this. You want the Web server to be reachable from the Internet, but you don’t want anyone from the Internet to be able to also access your internal network.

For this tutorial, we are using our lab pfSense running on VirtualBox. The firewall has 3 interfaces. One will be our WAN, one our LAN, and one our DMZ interface.

Table of Contents

👀 This Tutorial has some related Articles!
👉 The Complete pfSense Fundamentals Bootcamp
👉 Install pfSense from USB – The Complete Guide
👉 Install pfSense on VirtualBox
👉 The Complete pfSense OpenVPN Guide
👉 The Complete pfSense DMZ Guide
👉 Generate SSL Certificates for HTTPS with pfSense
👉 The Complete pfSense Squid Proxy Guide (with ClamAV!)
👉 pfSense Site-to-Site VPN Guide
👉 pfSense Domain Overrides Made Easy
👉 pfSense Strict NAT (PS4,PS5,Xbox,PC) Solution
👉 The Best pfSense Hardware
👉 Traffic Shaping VOIP with pfSense
👉 pfSense OpenVPN on Linux – Setup Guide
👉 pfSense Firewall Rule Aliases Explained
👉 Email Notifications with pfSense
👉 pfSense DNS Server Guide

Install OpenVPN on pfSense - The Co...
Install OpenVPN on pfSense - The Complete Step-by-Step Guide

Requirements

If you are using VirtualBox to follow this tutorial, your settings should look like this:

pfSense DMZ
Network interfaces overview

You should have one Interface set as Bridged to simulate your WAN, one in intnet1 and one in intnet2. To create a new intnet, just type in the name field after choosing Internal Network and it will be created.  So let’s put it together:

  • Bridged Interface – Our WAN
  • Internal Network ‘intnet’ – Our LAN
  • Internal Network ‘intnet2’ – Our DMZ

Naturally, you need 2 additional VMs to test everything, one connected to intnet and one to intnet2. You could use Ubuntu for that purpose. If you are running a physical pfSense appliance, you naturally also need at least 3 network interfaces to create a DMZ.

Step 1 – Creating a DMZ interface

Login to your pfSense dashboard and navigate to Interfaces -> Assignments. If you followed my recommendation of creating 3 interfaces in VirtualBox, you should see something along those lines. Click on +Add to add our DMZ interface.

Creating a DMZ on pfSense
Creating our DMZ interface

Click on Save after the OPT1 interface was created and click on OPT1 to configure it.

  1. Check Enable interface
  2. Change the interface name to DMZ
  3. Select Static IPv4
  4. Set whatever IP Address you want
  5. Assign a Subnet Mask
  6. Click on Save
  7. Click on Apply Changes
Creating a DMZ on pfSense
Configuring the interface

Back on Interfaces -> Assignments, we can now see that the DMZ interface was created.

Creating a DMZ on pfSense
Checking that the interfaces were created

⚠️ If you would like to learn more about pfSense, I highly recommend you check out my pfSense Fundamentals Bootcamp over at Udemy. This is the most up-to-date as well as the highest-rated pfSense course on Udemy.

Step 2 – Enabling DHCP on the DMZ interface

Now, this is somewhat optional, as it depends on if you need DHCP on your DMZ or if all your devices have a static IP. For our example, we are going to use DHCP.

Navigate to Services -> DHCP Server and select the DMZ Interface.

  1. Check Enable DHCP server on DMZ interface
  2. Set a DHCP Range
  3. Click Save on the bottom
Create DMZ on pfSense
Configuring DHCP on the DMZ

Alright, now that we have that setup, we can go ahead and adjust the firewall rules.

Step 3 – Configuring Firewall Rules

When you create a new interface, it always comes without any rules, meaning all traffic is blocked by default.

Create DMZ on pfSense
Creating Firewall Rules in the DMZ

We can verify this by trying to ping google from the VM on intnet2(DMZ). Naturally, the ping will fail because both, DNS and ICMP are blocked.

DMZ pfSense
Ping fails

This means, that nothing will get In or Out of your DMZ.

To verify this, we can go ahead and create 2 Firewall Rules – One for DNS and one for ICMP(Ping).

Under Firewall -> Rules -> DMZ click on Add (Arrow Up) to create a new rule.

DMZ pfSense
Creating an allow ICMP rule

Click on Add again to create the DNS rule.

Creating Firewall Rules
Creating the allow DNS rule

And finally, let’s verify our rules.

Adjusting Firewall Rules
Verifying the rules

Let’s go ahead and try to ping Google once more from our DMZ VM.

Testing the DMZ
Ping works out of the DMZ

And sure enough, we get a reply from Google.

Conclusion pfSense DMZ

This should give you a good idea of how you can create a DMZ and how to work with Firewall Rules to block and allow traffic. There will be a separate tutorial on how to work with Aliases and Firewall rules to make it easier to keep a better overview of everything. A DMZ is essential if you want to make something on your network accessible from the Internet, for security’s sake.

👀 This Tutorial has some related Articles!
👉 The Complete pfSense Fundamentals Bootcamp
👉 Install pfSense from USB – The Complete Guide
👉 Install pfSense on VirtualBox
👉 The Complete pfSense OpenVPN Guide
👉 The Complete pfSense DMZ Guide
👉 Generate SSL Certificates for HTTPS with pfSense
👉 The Complete pfSense Squid Proxy Guide (with ClamAV!)
👉 pfSense Site-to-Site VPN Guide
👉 pfSense Domain Overrides Made Easy
👉 pfSense Strict NAT (PS4,PS5,Xbox,PC) Solution
👉 The Best pfSense Hardware
👉 Traffic Shaping VOIP with pfSense
👉 pfSense OpenVPN on Linux – Setup Guide
👉 pfSense Firewall Rule Aliases Explained
👉 Email Notifications with pfSense
👉 pfSense DNS Server Guide

8 thoughts on “pfSense DMZ – The Complete Guide”

  1. After I create a new DMZ the devices I plug into it somehow get a DHCP lease from my existing LAN DHCP server and have full LAN/WAN access even before I create any firewall rules. Any thoughts on why that might be?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Share via
Copy link
Powered by Social Snap