Topic: No DMZ Listed version 2.4.2

BM228
No DMZ Listed version 2.4.2
« on: January 31, 2018, 05:17:11 pm »
I'm a newbie at building a firewall (using version 2.4.2). I'm coming from an old Actiontec FiOS router that did not have options like pfSense, which is why I switched to use a VPN.

I have an integrated NIC and a 4-port NIC added. The integrated NIC is my WAN and the 4-port NIC is my LAN.

I have everything set up and working from standard DHCP and have activated the other three ports on the LAN as Opt1, 2 & 3. I have the optional ports bridged with a rule to allow traffic.

My firewall rules allow access through the LAN net.

Where I'm having issues is with the DMZ. I'm following the basic setup steps from this link:
https://doc.pfsense.org/index.php/Example_basic_configuration#Example_of_a_basic_lock_down_of_the_LAN_and_DMZ_out_going_rules

I have watched videos on setting this up as well. Everything is OK until I get to the DMZ. I don't have a DMZ interface listed as an interface. Do I have to take Opt3 and make it the DMZ? Or can I add an interface and call it DMZ (virtual)? I would like to keep the 4th Ethernet port if I can, as you would with standard routers, but if not I can unplug it and assign it to DMZ.

I know this is a newb question, but I'm racking my brain and the forums looking for an answer to finish my configuration.

Thanks for any comments or assistance.

Gertjan
Re: No DMZ Listed version 2.4.2
« Reply #1 on: February 01, 2018, 12:53:59 pm »
> I have watched videos on setting this up as well. Everything is OK until I get to the DMZ. I don't have a DMZ interface listed as an interface. Do I have to take Opt3 and make it the DMZ? Or can I add an interface and call it DMZ (virtual)? I would like to keep the 4th Ethernet port if I can, as you would with standard routers, but if not I can unplug it and assign it to DMZ.

There is no such thing as a "DMZ" interface. It's just a name for an interface that you NAT ports to (if you are using IPv4), using connections coming in from WAN.

pfSense comes with a WAN - you should choose an interface that becomes WAN, and a LAN interface, also initially chosen by you.
Remaining interfaces, if any, are named OPT1, OPT2, etc.
It's up to you to rename the interface "OPT1" to "DMZ". You will have to add an IPv4 range on this OPT1/DMZ interface.
Then you start NATting your incoming IPv4 traffic .... or just add firewall rules to the WAN interface if you want to 'route' incoming IPv6 traffic.

BM228
Re: No DMZ Listed version 2.4.2
« Reply #2 on: February 01, 2018, 02:53:12 pm »
Thank you for the explanation. I do have WAN and LAN set up. I can easily rename Opt1, 2 or 3 to DMZ and then set up the IP range as you mentioned.

Another newb question regarding this setup. If I choose Opt1 and set it up for DMZ, that option is bridged to my LAN in my 4-port NIC card. It's really port 2. Do I lose the ability to use this port for standard network traffic due to the DMZ? Will all my NAT traffic go out the device connected to it, and does it matter what type of device it is, for example an NVidia Shield or HD Homerun device?

Thanks for your assistance as this is new for me.

jahonix
Re: No DMZ Listed version 2.4.2
« Reply #3 on: February 01, 2018, 02:58:43 pm »
> I have everything set up and working from standard DHCP and have activated the other three ports on the LAN as Opt1, 2 & 3. I have the optional ports bridged with a rule to allow traffic.

???
Did you actually bridge them, or just allow traffic by a rule? Big difference.
What do you plan to do with the Opt1-3 interfaces?

> I don't have a DMZ interface listed as an interface. Do I have to take Opt3 and make it the DMZ?

Well, you surely have to use an interface for a DMZ. Where else would you want to connect it to, and where should traffic flow? Even if it were a virtual interface, you would need traffic to go outbound through some kind of interface, right?

But first answer what you want Opt1-3 to be.
BTW: a bridge (multiple interfaces seemingly acting like a switch) is a bad idea. Software-bridged interfaces are never a substitute for a cheap $5 switch. Be warned.
Chris


BM228
Re: No DMZ Listed version 2.4.2
« Reply #4 on: February 01, 2018, 03:35:13 pm »
I guess I need some help here, so thanks for the guidance. I actually bridged them in the interface assignments. I also created a rule on each optional interface to allow all IPv4 traffic, which I believe was part of the bridge setup.

I get that it is a bad idea to bridge, and one of my ports actually goes to a switch, so I don't need it to be bridged.

To answer a question that was asked, what do I want to do with the ports? I want to have 4 ports available for internet connection, just as you would on a standard router. I will gladly set the optional interfaces up differently, but thought bridging was the option I needed. So basically I want 4 Ethernet LAN ports to connect devices to and be able to have a DMZ at the same time. I just don't know the steps to do it. I currently don't have port forwarding rules set up, which is why I was following the basic pfSense doc, but that assumes that all networking makes sense to the user, which I'm learning as I go.

jahonix
Re: No DMZ Listed version 2.4.2
« Reply #5 on: February 02, 2018, 04:41:13 pm »
> I want to have 4 ports available for internet connection, just as you would on a standard router.

Turn your head around and think of 4 different subnets you have for local traffic. Don't get confused by those all-in-one home routers with a built-in 4-port switch. Different beasts.

With your setup you can have something like
port1 LAN (to your switch with as many ports as you need)
port2 Opt1 (DMZ)
port3 Opt2 (Guest WiFi for example)
port4 Opt3 (surveillance cameras or IoT devices or ...)

All those local interfaces reside on different IP ranges and can be isolated from each other by rules, or (specific) traffic can be allowed. All as needed.
With an all-in-one home device you would have 4x LAN without separation. Just like a switch.
Chris
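
Gertjan's point in reply #1 (a "DMZ" is just an OPT interface with its own IPv4 range plus a port forward from WAN) and the four-subnet layout Chris sketches in reply #5 can be written down as one packet-filter ruleset. The following is an added example, not from the thread and not something pfSense ships; it is in the FreeBSD pf dialect (separate nat/rdr rules) that pfSense 2.4 compiles its GUI rules into, and every interface name, subnet and the DMZ host address are assumptions chosen for illustration.

```pf
# Added example, not from the thread or from pfSense itself. Interface names,
# subnets and the DMZ host address are assumed; FreeBSD pf dialect.
wan_if    = "em0"      # integrated NIC
lan_if    = "igb0"     # 4-port card, port 1 -> the switch
dmz_if    = "igb1"     # port 2
guest_if  = "igb2"     # port 3
iot_if    = "igb3"     # port 4
local_ifs = "{ " $lan_if " " $dmz_if " " $guest_if " " $iot_if " }"

lan_net    = "192.168.1.0/24"
dmz_net    = "192.168.20.0/24"
guest_net  = "192.168.30.0/24"
iot_net    = "192.168.40.0/24"
local_nets = "{ " $lan_net ", " $dmz_net ", " $guest_net ", " $iot_net " }"
dmz_web    = "192.168.20.10"   # the one host that is published to the Internet

set skip on lo0
scrub in all

# IPv4 translation: every local subnet shares the WAN address outbound,
# and exactly one inbound port is forwarded to the DMZ host.
nat on $wan_if inet from $local_nets to any -> ($wan_if)
rdr on $wan_if inet proto tcp from any to ($wan_if) port 443 -> $dmz_web port 443

# Default deny; everything below is an exception to it.
block log all

# WAN: rdr has already rewritten the destination, so the filter rule
# must match the DMZ host, not the WAN address.
pass in on $wan_if inet proto tcp from any to $dmz_web port 443 keep state
pass out on $wan_if keep state

# Firewall-originated traffic (DNS answers, DHCP offers) may leave on local ports,
# and DHCP requests are broadcast before a client has an address in any subnet.
pass out on $local_ifs keep state
pass in quick on $local_ifs inet proto udp from any port 68 to any port 67

# LAN is the trusted segment: it may reach anything, including the DMZ.
pass in on $lan_if from $lan_net to any keep state

# DMZ, guest and IoT: Internet only. Each may reach the firewall's own address
# on its interface for DNS, is blocked toward every other local subnet, and is
# then allowed out. Order matters: the "quick" blocks win before the final pass.
pass in quick on $dmz_if inet proto { tcp udp } from $dmz_net to ($dmz_if) port 53
block in quick log on $dmz_if inet from $dmz_net to $local_nets
pass in on $dmz_if from $dmz_net to any keep state

pass in quick on $guest_if inet proto { tcp udp } from $guest_net to ($guest_if) port 53
block in quick log on $guest_if inet from $guest_net to $local_nets
pass in on $guest_if from $guest_net to any keep state

pass in quick on $iot_if inet proto { tcp udp } from $iot_net to ($iot_if) port 53
block in quick log on $iot_if inet from $iot_net to $local_nets
pass in on $iot_if from $iot_net to any keep state
```

`pfctl -nf <file>` parses the ruleset without loading it, which is the quickest way to catch a macro or ordering mistake. The "allow all IPv4" rule the original poster put on each OPT interface corresponds to the final `pass in ... to any` line alone; without the `block in quick ... to $local_nets` in front of it, a DMZ host can reach the LAN just as freely as the Internet, and a bridge removes even that choice, since bridged ports share one subnet and the traffic between them never passes the rules at all.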


BM228
Re: No DMZ Listed version 2.4.2
« Reply #6 on: February 10, 2018, 01:26:48 pm »
Thank you, I was just getting back to this. Your explanation makes perfect sense. Thanks for the clarification. Now if I can figure out the answer to my DNS questions over in the DHCP/DNS group I should be good. ;D