The next step in setting up my lab is configuring the pfSense firewall to create a DMZ. Within the DMZ I will create a DNS server using Pi-hole, an email server using iRedMail, and a vulnerable web server from Vulnhub. Using a DMZ lets me set different firewall rules for the external-facing servers and the internal network. It also lets me control the traffic between the DMZ and the LAN, which gives the internal network a greater level of protection.
How pfSense Firewall Rules Work
Before creating any rules it helps to understand how traffic flows through pfSense on our small network. There are two ways of setting up a DMZ. One way is to use two separate firewalls, one attached to the WAN and one to the LAN, with the DMZ between them.
Configuring rules is fairly straightforward in that setup since each firewall has only two interfaces to configure. In my network I am using a single firewall with separate WAN, LAN and DMZ interfaces, as shown in this network diagram.
To understand how to configure rules in this setup, we need to think about how the traffic flows. The WAN interface is configured by default to block all traffic, and every interface has a default deny. I will configure WAN rules later to forward specific ports to servers in the DMZ. To configure the DMZ I need to choose which traffic to allow out of it and to where. All traffic not specifically permitted will be denied.
Creating the DMZ in pfSense
Prerequisite: Creating the Linux Admin Workstation
Using the Linux admin workstation I accessed the firewall's webConfigurator and changed the OPT1 interface's firewall rules. The first rule, shown step by step below, was adding UDP port 53 to allow DNS traffic.
While configuring the DMZ I also added the rules necessary for web traffic and for pinging between the LAN and the DMZ. These rules included:
- TCP port 80 (HTTP) from DMZ to all
- TCP port 443 (HTTPS) from DMZ to all
- ICMP any from LAN to DMZ
- ICMP echo reply from DMZ to LAN
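To make the behaviour of this rule set concrete, here is an added example (my own illustration, not code from the original post or from pfSense) that models pfSense's evaluation of the rules listed above: rules are checked on the interface where traffic enters the firewall, top to bottom, first match wins, and anything unmatched falls through to the default deny. The subnets, interface names and sample flows are constructed for the example and are not the lab's real addressing.

```python
"""Added example: a minimal first-match, default-deny evaluator for the
DMZ rule set in the post.  Subnets and sample flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed lab addressing (assumption; not the post's real subnets).
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Flow:
    iface: str                       # interface the packet arrives on: "LAN" or "DMZ"
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port
    icmp_type: Optional[str] = None  # "echo-request", "echo-reply", ...


@dataclass(frozen=True)
class Rule:
    iface: str
    proto: str
    src: str                         # "LAN", "DMZ" or "any"
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # None means any ICMP type
    label: str = ""


def _in_net(addr: str, name: str) -> bool:
    """True if addr is inside the named network ('any' matches everything)."""
    return name == "any" or ip_address(addr) in NETS[name]


def matches(rule: Rule, flow: Flow) -> bool:
    """Does this pass rule match the flow on its ingress interface?"""
    if rule.iface != flow.iface or rule.proto != flow.proto:
        return False
    if not (_in_net(flow.src, rule.src) and _in_net(flow.dst, rule.dst)):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != flow.icmp_type:
        return False
    return True


# The pass rules from the post: DNS/HTTP/HTTPS out of the DMZ,
# LAN may ping the DMZ, and the DMZ may only send echo replies to the LAN.
RULES = [
    Rule("DMZ", "udp", "DMZ", "any", dport=53, label="DNS out"),
    Rule("DMZ", "tcp", "DMZ", "any", dport=80, label="HTTP out"),
    Rule("DMZ", "tcp", "DMZ", "any", dport=443, label="HTTPS out"),
    Rule("LAN", "icmp", "LAN", "DMZ", label="LAN may ping DMZ"),
    Rule("DMZ", "icmp", "DMZ", "LAN", icmp_type="echo-reply",
         label="DMZ echo replies to LAN"),
]


def evaluate(flow: Flow, rules=RULES) -> str:
    """Return the label of the first matching pass rule, else the default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.label
    return "DENY (default)"


def sample_decisions() -> dict:
    """Constructed flows exercising each rule and the default deny."""
    flows = {
        "dmz dns out":        Flow("DMZ", "192.168.2.10", "203.0.113.53", "udp", dport=53),
        "dmz https out":      Flow("DMZ", "192.168.2.10", "198.51.100.80", "tcp", dport=443),
        "dmz ssh out":        Flow("DMZ", "192.168.2.10", "198.51.100.80", "tcp", dport=22),
        "lan pings dmz":      Flow("LAN", "192.168.1.20", "192.168.2.10", "icmp", icmp_type="echo-request"),
        "dmz replies to lan": Flow("DMZ", "192.168.2.10", "192.168.1.20", "icmp", icmp_type="echo-reply"),
        "dmz pings lan":      Flow("DMZ", "192.168.2.10", "192.168.1.20", "icmp", icmp_type="echo-request"),
        "dmz to lan web":     Flow("DMZ", "192.168.2.10", "192.168.1.20", "tcp", dport=80),
    }
    return {name: evaluate(f) for name, f in flows.items()}


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:20} -> {decision}")
```

Two points the sample flows bring out. First, the DMZ cannot initiate a ping to the LAN (echo request is denied) but can answer one, which is the asymmetry the two ICMP rules are meant to create; because pfSense rules are stateful, replies to a LAN-initiated ping would in practice be passed by the state table even without the explicit echo-reply rule, so that rule mainly documents intent. Second, a destination of "all" on the HTTP/HTTPS rules includes the LAN subnet, so a DMZ host could reach a LAN web service on 80/443; if that is not wanted, place a block rule for the LAN subnet above them or set the destination to the LAN network with "invert match".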
The last step I took was to rename the OPT1 interface and make sure the right MTU is set for VXLANs.
That's all there is to it: I created a DMZ using pfSense and it's ready for server deployment. Next I am going to install a DNS server on the external and DMZ networks.