How to create a DMZ with pfSense 2.4.2

Welcome back, everyone! As the results of the votes in the sidebar clearly show, all of you want more pfSense tutorials, so here comes the first: how to create a DMZ with pfSense 2.4.2. I will show you how to set up your DMZ step by step and explain what is important. A DMZ is usually created when you want a more restrictive, outside-facing part of your network that is separated from your internal network. A Web server is a good example of this: you want the Web server to be reachable from the Internet, but you don’t want anyone from the Internet to also be able to access your internal network.

For this tutorial, we are using our lab pfSense 2.4.2 running on VirtualBox. The firewall has 3 interfaces: one will be our WAN, one our LAN, and one our DMZ interface.

If you are using VirtualBox to follow this tutorial, your settings should look like this:

[Screenshot: Network interfaces overview]

You should have one interface set as Bridged to simulate your WAN, one in intnet and one in intnet2. To create a new intnet, just type in the name field after choosing Internal Network and it will be created. So let’s put it together:

  • Bridged Interface – Our WAN
  • Internal Network ‘intnet’ – Our LAN
  • Internal Network ‘intnet2’ – Our DMZ

Naturally, you need 2 additional VMs to test everything, one connected to intnet and one to intnet2. You could use Ubuntu for that purpose. If you are running a physical pfSense appliance, you naturally also need at least 3 network interfaces to create a DMZ.

Step 1 – Creating a DMZ interface

Log in to your pfSense dashboard and navigate to Interfaces -> Assignments. If you followed my recommendation of creating 3 interfaces in VirtualBox, you should see something like this. Click on +Add to add our DMZ interface.

[Screenshot: Creating our DMZ interface]

Click on Save after the OPT1 interface has been created, then click on OPT1 to configure it.

  1. Check Enable interface
  2. Change the interface name to DMZ
  3. Select Static IPv4
  4. Set whatever IP Address you want
  5. Assign a Subnet Mask
  6. Click on Save
  7. Click on Apply Changes

[Screenshot: Configuring the interface]

Back on Interfaces -> Assignments we can now see that the DMZ interface was created.

[Screenshot: Checking that the interfaces were created]

Step 2 – Enabling DHCP on the DMZ interface

Now, this step is somewhat optional, as it depends on whether you need DHCP on your DMZ or all your devices have a static IP. For our example, we are going to use DHCP.

Navigate to Services -> DHCP Server and select the DMZ Interface.

  1. Check Enable DHCP server on DMZ interface
  2. Set a DHCP Range
  3. Click Save on the bottom

[Screenshot: Configuring DHCP on the DMZ]

Alright, now that we have that set up, we can go ahead and adjust the firewall rules.

Step 3 – Configuring Firewall Rules

When you create a new interface, it always comes without any rules, meaning all traffic is blocked by default.

[Screenshot: Creating Firewall Rules in the DMZ]

We can verify this by trying to ping Google from the VM on intnet2 (DMZ). Naturally, the ping fails, because both DNS and ICMP are blocked.

[Screenshot: Ping fails]

In other words, nothing gets in or out of your DMZ.

To open this up, we can go ahead and create 2 firewall rules – one for DNS and one for ICMP (ping).

Under Firewall -> Rules -> DMZ, click on Add (arrow up, which places the new rule at the top of the list) to create a new rule.

[Screenshot: Creating the allow ICMP rule]

Click on Add again to create the DNS rule.

[Screenshot: Creating the allow DNS rule]

And finally, let’s verify our rules.

[Screenshot: Verifying the rules]

Let’s go ahead and try to ping Google once more from our DMZ VM.

[Screenshot: Ping works out of the DMZ]

And sure enough, we get a reply from Google.

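To make the rule behaviour concrete, here is a small model of how pfSense evaluates the rules on an interface: top to bottom, first match wins, and a packet that matches nothing is dropped by the default deny described above. This is an added example, not pfSense code and not part of the original post. It assumes the two pass rules were left with the default destination of "any" (the way a freshly added rule starts out); the addresses, networks and test packets are constructed for the demo. The second rule set shows the check a practitioner wants to make after this tutorial: with destination "any", the DMZ VM can also reach hosts on the LAN, so an explicit block rule from DMZ net to LAN net belongs above the two allow rules.

```python
"""First-match rule evaluation, modelled after how pfSense processes the rules
on an interface: top to bottom, the first matching rule decides, and anything
that matches no rule is dropped by the implicit default deny.
Added example and a simplified model, not pfSense code. Addresses, networks
and rule contents are constructed for the demo."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addressing; the tutorial leaves the actual DMZ address up to you.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")
ANY = None  # wildcard for protocol, network or port


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: Optional[str]   # "icmp", "udp", "tcp" or ANY
    src: object            # ip_network or ANY
    dst: object            # ip_network or ANY
    dport: Optional[int]   # destination port or ANY
    descr: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net_match(net, addr: str) -> bool:
    return net is ANY or ip_address(addr) in net


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule is either a wildcard or equal to the packet's."""
    return ((rule.proto is ANY or rule.proto == pkt.proto)
            and _net_match(rule.src, pkt.src)
            and _net_match(rule.dst, pkt.dst)
            and (rule.dport is ANY or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet):
    """Return (action, description) of the first matching rule, or the default deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny (no rule matched)"


def tutorial_rules():
    """The two rules the tutorial adds on the DMZ tab (assumed destination 'any')."""
    return [
        Rule("pass", "icmp", DMZ_NET, ANY, ANY, "Allow ICMP out of DMZ"),
        Rule("pass", "udp", DMZ_NET, ANY, 53, "Allow DNS out of DMZ"),
    ]


def hardened_rules():
    """Same two rules, with an explicit block of DMZ -> LAN placed above them."""
    return [Rule("block", ANY, DMZ_NET, LAN_NET, ANY, "Block DMZ to LAN")] + tutorial_rules()


# Constructed test packets: the lab VM in the DMZ talking to the Internet and to a LAN host.
PING_GOOGLE = Packet("icmp", "192.168.2.50", "8.8.8.8")
DNS_GOOGLE = Packet("udp", "192.168.2.50", "8.8.8.8", 53)
HTTPS_GOOGLE = Packet("tcp", "192.168.2.50", "8.8.8.8", 443)
PING_LAN_HOST = Packet("icmp", "192.168.2.50", "192.168.1.10")


if __name__ == "__main__":
    for name, rules in (("tutorial", tutorial_rules()), ("hardened", hardened_rules())):
        print(f"--- {name} rule set ---")
        for pkt in (PING_GOOGLE, DNS_GOOGLE, HTTPS_GOOGLE, PING_LAN_HOST):
            action, why = evaluate(rules, pkt)
            print(f"{pkt.proto:4} {pkt.src} -> {pkt.dst}:{pkt.dport}  {action:5} ({why})")
```

With the tutorial's two rules, the HTTPS packet is dropped by the default deny (no rule allows TCP), but the ping to the LAN host passes, because the ICMP rule's destination is "any". In the pfSense GUI the fix is a rule on the DMZ tab with action Block, source DMZ net, destination LAN net, dragged above the ICMP and DNS rules; order matters because the first match decides.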
Wrapping up

This should give you a good idea of how you can create a DMZ and how to work with firewall rules to block and allow traffic. There will be a separate tutorial on how to work with Aliases and firewall rules to make it easier to keep a better overview of everything. For security’s sake, a DMZ is essential if you want to make something on your network accessible from the Internet.