How to create a DMZ with pfSense 2.4.2
Welcome back, everyone! As the results of the votes in the sidebar clearly show, all of you want more pfSense tutorial, so here comes the first: how to create a DMZ with pfSense 2.4.2. I will show you how to set up your DMZ step-by-step and explain what is important. A DMZ is usually created if you want a more restrictive outside-facing part of your network that is separated from your internal network. A Web server would be a good example for this. You want the Web server to be reachable from the Internet, but you don’t want anyone from the Internet being able to also access your internal network.
For this tutorial, we are using our lab pfSense 2.4.2 running on VirtualBox. The firewall has 3 interfaces. One will be our WAN, one our LAN, and one our DMZ interface.
If you are using VirtualBox to follow this tutorial, your settings should look like this:
You should have one Interface set as Bridged to simulate your WAN, one in intnet1 and one in intnet2. To create a new intnet, just type in the name field after choosing Internal Network and it will be created. So let’s put it together:
- Bridged Interface – Our WAN
- Internal Network ‘intnet’ – Our LAN
- Internal Network ‘intnet2’ – Our DMZ
Naturally, you need 2 additional VM’s to test everything, one connected to intnet and one to intnet2. You could use Ubuntu for that purpose. If you are running a physical pfSense appliance, you naturally also need at least 3 network interfaces to create a DMZ.
Step 1 – Creating a DMZ interface
Login to your pfSense dashboard and navigate to Interfaces -> Assignments. If you followed my recommendation of creating 3 interfaces in VirtualBox, you should see something along those lines. Click on +Add to add our DMZ interface.
Click on Save after the OPT1 interface was created and click on OPT1 to configure it.
- Check Enable interface
- Change the interface name to DMZ
- Select Static IPv4
- Set whatever IP Address you want
- Assign a Subnet Mask
- Click on Save
- Click on Apply Changes
Back on Interfaces -> Assignments we can now see that the DMZ interface was created.
Step 2 – Enabling DHCP on the DMZ interface
Now, this is somewhat optional, as it depends on if you need DHCP on your DMZ or if all your devices have a static IP. For our example, we are going to use DHCP.
Navigate to Services -> DHCP Server and select the DMZ Interface.
- Check Enable DHCP server on DMZ interface
- Set a DHCP Range
- Click Save on the bottom
Alright, now that we have that setup, we can go ahead and adjust the firewall rules.
Step 3 – Configuring Firewall Rules
When you create a new interface, it always comes without any rules, meaning all traffic is blocked by default.
We can verify this by trying to ping google from the VM on intnet2(DMZ). Naturally, the ping will fail because both, DNS and ICMP are blocked.
Meaning, nothing will get In or Out of your DMZ.
To verify this, we can go ahead and create 2 Firewall Rules – One for DNS and one for ICMP(Ping).
Under Firewall -> Rules -> DMZ click on Add (Arrow Up) to create a new rule.
Click on Add again to create the DNS rule.
And finally, let’s verify our rules.
Let’s go ahead and try to ping Google once more from our DMZ VM.
And sure enough, we get a reply from Google.
Wrapping up
This should give you a good idea of how you can create a DMZ and how to work with Firewall Rules to block and allow traffic. There will be a separate tutorial on how to work with Aliases and Firewall rules to make it easier to keep a better overview of everything. A DMZ is essential if you want to to make something on your network accessible from the Internet, for security’s sake.
After I create a new DMZ the devices I plug into it somehow get a DHCP lease from my existing LAN DHCP server and have full LAN/WAN access even before I create any firewall rules. Any thoughts on why that might be?