The next step in setting up my lab is configuring the pfSense firewall to create a DMZ. Within the DMZ I will build a DNS server using Pi-hole, an email server using iRedMail, and a vulnerable web server from Vulnhub. Using a DMZ lets me set different firewall rules for external-facing and internal servers. It also lets me control the traffic between the DMZ and the LAN, which gives the internal network a greater level of protection.

How pfSense Firewall Rules Work

Before creating any rules it helps to understand how traffic flows through pfSense on our small network. There are two ways of setting up a DMZ. One way is to have two separate firewalls, one attached to the WAN and one to the LAN, with the DMZ sitting between them.

Figure: Example DMZ configuration using two firewalls to separate the external and internal networks

Configuring rules is fairly straightforward in that setup, since each firewall only has two interfaces to configure. In my lab I am using a single firewall to do the same job, as shown in the network diagram below.

Figure: Lab network overview diagram showing the firewall and the external, DMZ, and internal networks

To understand how to configure rules in this setup, we need to think about how the traffic flows. The WAN interface blocks all inbound traffic by default, and every interface ends with an implicit default deny. I will configure WAN rules later to forward specific ports to servers in the DMZ. To configure the DMZ I need to choose which traffic to allow out of it and to where. All traffic not specifically permitted will be denied.

Figure: Firewall rule configuration on each interface in the lab network

Creating the DMZ in pfSense

Prerequisite: Creating the Linux Admin Workstation

Using the Linux admin workstation I accessed the firewall’s webConfigurator and changed the firewall rules on the OPT1 interface. The first rule, shown step by step below, allows UDP port 53 so that DNS traffic is permitted.

Figure: Firewall rules page on the DMZ interface before any rules are added
Figure: Adding the rule for UDP port 53 to enable DNS traffic
Figure: Adding a rule description for future reference, so the rule's purpose is clear later

While configuring the DMZ I also added the rules necessary for web traffic and for pinging between the LAN and the DMZ. These rules were:

  • TCP port 80 (HTTP) from DMZ to all
  • TCP port 443 (HTTPS) from DMZ to all
  • ICMP any from LAN to DMZ
  • ICMP echo reply from DMZ to LAN
Figure: Full DMZ firewall rule set for my lab
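Because pfSense evaluates an interface's rules top to bottom against traffic entering that interface, with the first match winning and the implicit default deny catching everything else, it is worth checking what the rule set above actually permits before deploying servers behind it. The script below is an added example, not part of the original post and not pfSense's own code: it models the five rules described above as a stateless first-match filter and evaluates a handful of constructed flows against them. The subnets (192.168.1.0/24 for the LAN, 192.168.2.0/24 for the DMZ) and the host addresses are assumptions for illustration, not the lab's real ones.

```python
"""Model the lab's pfSense DMZ rule set as a first-match, default-deny filter.

pfSense applies the rules on an interface to traffic ENTERING that interface,
top to bottom; the first matching rule wins and anything that matches no rule
is dropped by the implicit default deny. This models that behaviour statelessly
so the intent of the rule set can be checked. Addresses are assumed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed lab subnets (placeholders, not taken from the post).
NETS = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("192.168.2.0/24"),
}


@dataclass(frozen=True)
class Flow:
    iface: str                       # interface the packet enters on
    proto: str                       # "tcp", "udp" or "icmp"
    src: str                         # source IP address
    dst: str                         # destination IP address
    dport: Optional[int] = None      # destination port for tcp/udp
    icmp_type: Optional[str] = None  # "echoreq" or "echorep" for icmp


@dataclass(frozen=True)
class Rule:
    iface: str                       # interface the rule is attached to
    action: str                      # "pass" or "block"
    proto: str                       # "tcp", "udp", "icmp" or "any"
    src: str                         # "LAN", "DMZ" or "any"
    dst: str                         # "LAN", "DMZ" or "any"
    dport: Optional[int] = None      # None means any port
    icmp_type: Optional[str] = None  # None means any ICMP type
    descr: str = ""


def _in_net(addr: str, name: str) -> bool:
    """True when addr falls inside the named network alias ("any" matches all)."""
    if name == "any":
        return True
    return ip_address(addr) in NETS[name]


def matches(rule: Rule, flow: Flow) -> bool:
    """Return True when every field of the rule matches the flow."""
    if rule.iface != flow.iface:
        return False
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if not _in_net(flow.src, rule.src) or not _in_net(flow.dst, rule.dst):
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    if rule.icmp_type is not None and rule.icmp_type != flow.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, description) of the first matching rule, else the default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.descr
    return "block", "default deny"


# The rule set from the post, in the order it was added.
LAB_RULES = [
    Rule("DMZ", "pass", "udp", "DMZ", "any", dport=53, descr="DNS"),
    Rule("DMZ", "pass", "tcp", "DMZ", "any", dport=80, descr="HTTP"),
    Rule("DMZ", "pass", "tcp", "DMZ", "any", dport=443, descr="HTTPS"),
    Rule("LAN", "pass", "icmp", "LAN", "DMZ", descr="ICMP LAN to DMZ"),
    Rule("DMZ", "pass", "icmp", "DMZ", "LAN", icmp_type="echorep", descr="echo reply DMZ to LAN"),
]

# Constructed flows to check the rule set's intent.
CHECKS = [
    ("DMZ host resolving DNS upstream", Flow("DMZ", "udp", "192.168.2.10", "8.8.8.8", dport=53)),
    ("DMZ host trying SSH into the LAN", Flow("DMZ", "tcp", "192.168.2.10", "192.168.1.5", dport=22)),
    ("LAN host pinging a DMZ host", Flow("LAN", "icmp", "192.168.1.5", "192.168.2.10", icmp_type="echoreq")),
    ("DMZ host replying to that ping", Flow("DMZ", "icmp", "192.168.2.10", "192.168.1.5", icmp_type="echorep")),
    ("DMZ host pinging the LAN", Flow("DMZ", "icmp", "192.168.2.10", "192.168.1.5", icmp_type="echoreq")),
    ("DMZ host reaching a LAN web service", Flow("DMZ", "tcp", "192.168.2.10", "192.168.1.5", dport=80)),
]

if __name__ == "__main__":
    for label, flow in CHECKS:
        action, descr = evaluate(LAB_RULES, flow)
        print(f"{label:40s} -> {action:5s} ({descr})")
```

Two things the run makes visible. First, the model is stateless, whereas pfSense keeps a state table, so return traffic for a connection allowed by a pass rule is accepted without a rule of its own. Second, because the HTTP and HTTPS rules have a destination of "all", a DMZ host can also reach LAN hosts on ports 80 and 443; if the LAN should never be reachable from the DMZ, a block rule for the LAN network placed above those pass rules (or a destination of the inverted LAN network) closes that path.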

The last step I took was to rename the OPT1 interface to DMZ and make sure the MTU is set correctly for VXLAN: VXLAN encapsulation adds 50 bytes of headers to every frame, so with a 1500-byte underlay the interface MTU comes down to 1450.

Figure: Renaming the OPT1 interface to DMZ and setting the MTU to 1450

That’s all there is to it: I created a DMZ using pfSense, and it’s ready for server deployment. Next I am going to install a DNS server on the external and DMZ networks.