Thursday, May 3, 2012

Setting up a DMZ in PFSense

  • Aim: provide a DMZ segment isolated from your production environment.
  • Environment tested: PFSense 1.2

Recently, a neighbour of mine asked for help with their family computer. The PC had become extremely sluggish, kids had putzed around with the configuration and, to make matters worse, it had become infected with a bunch of spyware, malware and viruses.

Obviously, I wasn't about to let that thing loose on my internal network, so I instead decided to set up a DMZ interface. Since I'd recently upgraded my PFSense server to a more recent machine (from a Compaq desktop running a 600 mhz celeron to a Dell PE1650 server running a 1.2 Ghz pentium III with 512 mb of RAM to which I added two NIC cards to the available PCI slots), I basically had enought ports for my LAN, WAN and DMZ interfaces. I even have a spare for bridging some of my IPs, I'll post something on this later on.


A working PFSense server with at least three network ports.


STEP 1 - Configuring the DMZ interface

At this point, I am assuming you have the basic PFSense configuration running, and that you've defined your LAN, WAN and OPT interface. You'll need to configure the IP address and subnet mask for your OPT/DMZ interface.

Go to the Interfaces menu in PFSense, select the interface you've chosen for the DMZ, enter a descriptive name in the Description box and assign it an address different from the subnet your regular network uses. In my case, I used with a subnet mask of 24 ( This allows 253 machines on the network (254 addresses minus the address used as the gateway). You can use a smaller subnet mask to accomodate your needs. If you only plan to put a single host on the DMZ, specify 30 as your subnet mask.

Here is a screenshot of mine:

Fig. A DMZ interface configuration screen

Note that I leave the gateway interface blank. I have a single WAN connection going to my bridged DSL modem, so the system uses the default route.

STEP 2 - Creating firewall rules for the DMZ interface

Now that we've configured the interface, it's time to set up some rules to allow traffic from the DMZ while protecting our private network. Go to the Firewall: Rules menu, and create rules that will deny DMZ traffic to the LAN but allow DMZ traffic to the the web.

First, create a new rule to block traffic to the Lan:

  • Action: select Block
  • Disabled: leave unchecked
  • Interface: select DMZ
  • Protocol: select TCP
  • Source: select any ( this effectively block all systems that will connect through the DMZ interface)
  • Source OS: any
  • Destination: select LAN subnet in type.
  • Destination port range: select any in the from: and to: fields
  • Gateway: select default, which uses the system routing table
  • Description: type a description for your rule. Then save.

Here is a sample shot of mine:

Figure b. DMZ to LAN block rule

Next, we'll need to create a new rule to allow all traffic from the DMZ to the internet:

  • Action: select Pass
  • Disabled: leave unchecked
  • Interface: select DMZ
  • Protocol: select any
  • Source: select DMZ subnet
  • Destination: click the not box and select LAN Subnet in the Type: field
  • Gateway: set to default
  • Description: type a description for your rule. Then save.

Here is a screenshot of mine:

Figure c. Allow from DMZ to WAN

Once you've saved your rules, apply the changes to PFSense and you'll have a working DMZ interface.

Going further...

I run internal DNS and DHCP servers, therefore I wanted to allow traffic from the DMZ to the internal DNS for name resolving. Hence, I added rules to pass DNS queries (UDP port 53) from the DMZ subnet to the single host addresses of my DNS servers.

Here is my sample configuration:

Figure d. DMZ to DNS

You may want to add other rules if you need to access an internal anti-virus or update server from the machine(s) on the DMZ. One practical example would be to open up a port to a NAS machine on your network to retrieve updates or install software. However, this is not recommended, since as a best practice you really want to keep the DMZ segment isolated from your production environment.

The order of rules is important; since you are going to be blocking DMZ to LAN traffic, the Pass rules must apply before the block ones. The final DMZ rules look like this:

Figure E. Completed DMZ firewall rules

No comments:

Post a Comment