
opnSense DMZ

DMZ

The goal here is to create a DMZ on the same router as our LAN. A DMZ is a separate network which the LAN can reach, but which cannot reach the LAN. We can then put servers in the DMZ and make them publicly available (i.e., accessed via public IPs) while maintaining the integrity of our LAN behind the same firewall.

NOTE: this is not as secure as having two separate networks behind two separate firewalls, as a blackhat could crack one of your publicly available servers, from there crack your router, and then gain access to your LAN. However, it is cheaper, and it is more secure than just putting a server on your LAN with port forwarding.

To create a DMZ, you'll need a separate network, either through a VLAN or through a separate physical setup. How you get there is up to you, but this article assumes you have a third network interface and have named it DMZ (the others are labeled LAN and WAN, and they were working before).

We'll set up the DMZ interface, optionally enable a DHCP server on it, then set up some firewall rules. These are absolutely the simplest firewall rules you can get by with; some of the articles in the Links section show more complex (and more secure) ideas.

  1. DMZ
    1. Enable Interface
    2. Prevent Removal
    3. Static IP
    4. IPv4 Address
    5. Auto-detect IPv4 upstream gateway
  2. DHCP (optional)
    1. Enable for DMZ
    2. Set range
  3. Firewall rules
    1. Allow DMZ to access everything but local network
      1. Action: Pass
      2. Interface: DMZ
      3. Protocol: Any
      4. Source: DMZ net
      5. Source port: any
      6. Destination Invert: check
      7. Destination: LAN net
      8. Destination Port: any
      9. Category: DMZ
      10. Description: Allow access to Internet and block access to all local networks
    2. Allow LAN full access to DMZ
      1. Action: Pass
      2. Interface: LAN
      3. TCP/IP Version: IPv4+IPv6
      4. Protocol: TCP
      5. Source: LAN net
      6. Source port: any
      7. Destination: DMZ net
      8. Destination Port: any
      9. Category: DMZ
      10. Description: Allow access to web server in DMZ network from LAN
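To make the two rules concrete, here is an added Python model (not from the original page and not OPNsense code) of how OPNsense evaluates them: top-down, first matching pass rule wins, anything unmatched is blocked. The subnets, the firewall's DMZ-side address 10.0.10.1 and the sample packets are constructed for illustration. It also shows why these are the "simplest" rules: the inverted "LAN net" destination only excludes the LAN subnet, so every other address, including the firewall's own DMZ interface, remains reachable from the DMZ.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example (the page does not give subnets).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DMZ_NET = ipaddress.ip_network("10.0.10.0/24")
FW_DMZ_ADDR = "10.0.10.1"  # hypothetical address of the DMZ interface itself


@dataclass
class Rule:
    interface: str               # interface the packet arrives on
    proto: str                   # "any" or a specific protocol such as "tcp"
    src: ipaddress.IPv4Network   # "DMZ net" / "LAN net" alias
    dst: ipaddress.IPv4Network
    dst_invert: bool             # the "Destination Invert" checkbox
    description: str


# The two pass rules from the list above, in evaluation order.
RULES = [
    Rule("DMZ", "any", DMZ_NET, LAN_NET, True,
         "Allow access to Internet and block access to all local networks"),
    Rule("LAN", "tcp", LAN_NET, DMZ_NET, False,
         "Allow access to web server in DMZ network from LAN"),
]


def matches(rule, iface, proto, src, dst):
    """True if a packet (iface, proto, src, dst) is selected by the rule."""
    if rule.interface != iface:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if src not in rule.src:
        return False
    in_dst = dst in rule.dst
    # "Destination Invert" flips the destination test: match everything NOT in dst.
    return (not in_dst) if rule.dst_invert else in_dst


def decide(iface, proto, src, dst):
    """Return 'pass' or 'block' for a new connection entering on iface."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if matches(rule, iface, proto, src, dst):
            return "pass"
    return "block"  # OPNsense's implicit default deny
```

Reply traffic is not modelled: once a LAN-to-DMZ TCP connection is passed, its return packets are allowed by the firewall's state table, not by a separate rule.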
other/networking/opnsense/dmz.1695525563.txt.gz · Last modified: 2023/09/23 22:19 by rodolico