Setup isolating LAN and DMZ, each with unrestricted Internet access

The following setup can be used instead when outbound Internet access is lenient but traffic between local interfaces must still be controlled. It assumes that every local network uses private (RFC 1918) addressing and that the interfaces have already been configured.

Create an alias, Firewall > Aliases from the main menu, called RFC1918 containing 192.168.0.0/16, 172.16.0.0/12, and 10.0.0.0/8.

LAN Configuration

  1. For DNS from the firewall:
    1. Allow TCP/UDP from LAN subnet to LAN address port 53.
  2. For accessing the GUI:
    1. Allow TCP from LAN subnet to LAN address port 443.
  3. To ping the firewall from the LAN:
    1. Allow ICMP from LAN subnet to LAN address.
  4. If there is any traffic required from LAN to DMZ:
    1. Allow any traffic required from LAN to DMZ.
  5. Do not allow LAN to reach DMZ or other private networks:
    1. Reject Any from LAN subnet to RFC1918.
  6. For Internet access:
    1. Allow Any from LAN subnet to any.

DMZ Configuration

  1. For DNS from the firewall:
    1. Allow TCP/UDP from DMZ subnet to DMZ address port 53.
  2. For accessing the GUI (optional):
    1. Allow TCP from DMZ subnet to DMZ address port 443.
  3. To ping the firewall from the DMZ:
    1. Allow ICMP from DMZ subnet to DMZ address.
  4. If there is any traffic required from DMZ to LAN:
    1. Allow any traffic required from DMZ to LAN.
  5. Do not allow DMZ to reach LAN or other private networks:
    1. Reject Any from DMZ subnet to RFC1918.
  6. For Internet access:
    1. Allow Any from DMZ subnet to any.

Additional Interfaces

Repeat the above pattern as needed.
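The pattern above only works because firewall rules on an interface are evaluated top to bottom and the first match wins: the specific passes (DNS, GUI, ICMP, any required cross-interface traffic) must sit above the RFC1918 reject, and the RFC1918 reject must sit above the catch-all "allow any". The following added example (not pfSense code, not part of the original page) builds that ordered ruleset for any list of interfaces and evaluates sample packets with first-match semantics. The interface names, subnets, firewall addresses and packets are constructed for illustration; `build_ruleset`, `evaluate` and `misordered` are hypothetical helper names.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The RFC1918 alias from the page, as a list of networks.
RFC1918 = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")]


@dataclass
class Rule:
    action: str            # "pass" or "reject"
    proto: str             # "any", "tcp", "udp", "tcp/udp" or "icmp"
    src: str               # source network in CIDR form
    dst: str               # "any", "rfc1918", or a CIDR / host address
    dport: Optional[int] = None   # destination port, None = any port
    label: str = ""


@dataclass
class Interface:
    name: str
    subnet: str            # e.g. "192.168.1.0/24" (the "<IF> subnet" macro)
    address: str           # firewall's own address on it (the "<IF> address" macro)


def build_ruleset(iface: Interface,
                  required_to_private: Tuple[Tuple[str, str, int], ...] = ()) -> List[Rule]:
    """Ordered ruleset for one interface, following steps 1-6 of the page.

    required_to_private lists (destination, proto, port) tuples for step 4,
    i.e. traffic that must reach another private network before the reject.
    """
    rules = [
        Rule("pass", "tcp/udp", iface.subnet, iface.address, 53, "DNS to firewall"),
        Rule("pass", "tcp", iface.subnet, iface.address, 443, "GUI on firewall"),
        Rule("pass", "icmp", iface.subnet, iface.address, None, "ping firewall"),
    ]
    for dst, proto, port in required_to_private:          # step 4
        rules.append(Rule("pass", proto, iface.subnet, dst, port, "required to " + dst))
    rules.append(Rule("reject", "any", iface.subnet, "rfc1918", None, "reject other private"))  # step 5
    rules.append(Rule("pass", "any", iface.subnet, "any", None, "Internet"))                   # step 6
    return rules


def misordered(rules: List[Rule]) -> List[Rule]:
    """The common mistake: catch-all 'allow any' placed above the RFC1918 reject."""
    return rules[:-2] + [rules[-1], rules[-2]]


def _dst_matches(rule: Rule, dst_ip) -> bool:
    if rule.dst == "any":
        return True
    if rule.dst == "rfc1918":
        return any(dst_ip in net for net in RFC1918)
    return dst_ip in ipaddress.ip_network(rule.dst, strict=False)


def _proto_matches(rule: Rule, proto: str) -> bool:
    return rule.proto == "any" or proto in rule.proto.split("/")


def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First-match evaluation; anything unmatched hits the implicit default deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src_ip not in ipaddress.ip_network(rule.src, strict=False):
            continue
        if not _proto_matches(rule, proto) or not _dst_matches(rule, dst_ip):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.label
    return "block", "default deny"


if __name__ == "__main__":
    # Constructed interfaces; pick any private ranges you like.
    lan = Interface("LAN", "192.168.1.0/24", "192.168.1.1")
    dmz = Interface("DMZ", "10.10.10.0/24", "10.10.10.1")
    for iface in (lan, dmz):
        print(f"--- {iface.name} ---")
        for i, r in enumerate(build_ruleset(iface), 1):
            print(f"{i}. {r.action:6} {r.proto:7} {r.src} -> {r.dst} {r.dport or ''} ({r.label})")
    lan_rules = build_ruleset(lan)
    print(evaluate(lan_rules, "192.168.1.50", "203.0.113.9", "tcp", 443))   # pass, Internet
    print(evaluate(lan_rules, "192.168.1.50", "10.10.10.20", "tcp", 80))    # reject, other private
    print(evaluate(misordered(lan_rules), "192.168.1.50", "10.10.10.20", "tcp", 80))  # pass (wrong!)
```

Running it prints the numbered ruleset per interface and three evaluations: Internet-bound traffic passes, LAN-to-DMZ traffic is rejected by the RFC1918 rule, and the same packet passes once the catch-all is moved above the reject, which is exactly the misconfiguration the step order is meant to prevent. Note that "reject" here corresponds to the explicit Reject rule in step 5 (the sender gets a TCP reset or ICMP unreachable), while the trailing "block" is the firewall's silent default deny for traffic that matches nothing, such as packets with a source outside the interface's subnet.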