Welcome to the Home Network Guy forum!

Main Menu

Clarification on Basic DMZ How-to

Started by Spectre5, November 25, 2021, 02:46:29 PM

Previous topic - Next topic


I've read through Basic DMZ article here:

I have a question on the firewall rule in the section "Allow access to DMZ network interface".  It indicates that "...this rule is necessary because of the next firewall rule below that blocks all private networks. Without it, the network would not have Internet access since the interface/gateway IP address would be blocked"  However, I don't understand why this is true (that the internet wouldn't work without this rule).

In a previous rule the DNS is already allowed, so the DMZ can resolve URLs to IP address.  Then the clients would request that IP address, which is not a private address and would then fall into rule 5, "Allow access to all other traffic".

If you don't care about pinging the router nor accessing the router from the DMZ, then what traffic would this "allow access to the DMZ network interface" be necessary for?  As far as I can tell, you can access the internet with out.

I've disabled this rule and my DMZ can still access websites just fine (although my network topology and rules are not all identical to this article).  Am I missing something?

Home Network Guy

That's a good catch. I may have made those rules mimic the rules I was using at the time of the writing of the article so I know I had working rules.

Rule 3 is redundant (unless accessing some other service on the DMZ interface that is running on OPNsense).

I need to go back to simplify and clean up those rules. Thanks for the feedback!


Great, thanks.  Just trying to confirm my understanding!  Great site, thanks for all your posts!

Home Network Guy

Yes, it sounds like you have a great understanding! You're welcome. I'm glad you like my posts.

I think what happened is that I mimicked some of the rules I used on my network since I knew they worked properly. Then later I realized I had some unnecessary rules created on my firewall and cleaned them up. However, I didn't think to go back to clean them up on that article. I've had several revisions of my rules on my firewall so sometimes cleanup is necessary! Thanks for pointing that out because I like having accurate information.