OPNsense DMZ
DMZ
The goal here is to create a DMZ on the same router as our LAN. A DMZ is a separate network which the LAN can reach, but which cannot reach the LAN. We can then put servers in the DMZ that we make publicly available (i.e. accessed via public IPs) while maintaining the integrity of our LAN behind the same firewall.
NOTE: this is not as secure as having two separate networks with two separate firewalls, as a blackhat could crack one of your publicly available servers, and from there crack your router, then gain access to your LAN. However, it is cheaper, and it is more secure than just putting a server on your LAN with Port Forward access.
To create a DMZ, you'll need a separate network, either through a VLAN or through a separate physical setup. How you get there is up to you, but this article assumes you have a third network interface, and you have named it DMZ (the others labeled LAN and WAN, and they were working before).
We'll set up the DMZ interface, optionally allow a DHCP server on it, then set up some firewall rules. These are absolutely the simplest firewall rules you can get by with, but some of the articles in the Links section will show you more complex (and secure) ideas.
- DMZ
  - Enable Interface
  - Prevent Removal
  - Static IP
  - IPv4 Address
  - auto-detect IPv4 upstream gateway
- DHCP (optional)
  - enable for DMZ
  - set range
- Firewall (two rules, but see https://homenetworkguy.com/how-to/create-basic-dmz-network-opnsense/)
  - Allow DMZ to access everything but local network
    - Action: Pass
    - Interface: DMZ
    - Protocol: Any
    - Source: DMZ net
    - Source port: any
    - Destination Invert: check
    - Destination: LAN net
    - Destination Port: any
    - Category: DMZ
    - Description: Allow access to Internet and block access to all local networks
  - Allow LAN full access to DMZ
    - Action: Pass
    - Interface: LAN
    - TCP/IP Version: IPv4+IPv6
    - Protocol: TCP
    - Source: LAN net
    - Source port: any
    - Destination: DMZ net
    - Destination Port: any
    - Category: DMZ
    - Description: Allow access to web server in DMZ network from LAN

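As an added illustration (not from this wiki or the OPNsense project), the following Python models the two rules above the way OPNsense evaluates interface rules, first match wins (the default "quick" behaviour) with an implicit default deny, so you can check what the Destination Invert rule does and does not block. The LAN and DMZ subnets are assumed (192.168.1.0/24 and 192.168.52.0/24; the page only names the DMZ hosts 192.168.52.3 and .4), and only these two rules are modelled.

```python
# Added example: a minimal model of the two DMZ filter rules, not OPNsense code.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN subnet
DMZ_NET = ip_network("192.168.52.0/24")  # assumed DMZ subnet (hosts .3 and .4)


@dataclass
class Rule:
    interface: str        # interface the packet arrives on (rules are per-interface)
    proto: str            # "any", "tcp", "udp", ...
    src: IPv4Network      # "Source" net
    dst: IPv4Network      # "Destination" net
    dst_invert: bool = False  # the "Destination Invert" checkbox
    action: str = "pass"


RULES = [
    # DMZ interface: pass to anything that is NOT the LAN subnet.
    Rule("DMZ", "any", DMZ_NET, LAN_NET, dst_invert=True),
    # LAN interface: pass TCP from LAN hosts to DMZ hosts.
    Rule("LAN", "tcp", LAN_NET, DMZ_NET),
]


def evaluate(interface, proto, src, dst, rules=RULES):
    """Return the action of the first matching rule, or 'block' (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if r.interface != interface:
            continue                      # rule is bound to another interface
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in r.src:
            continue
        dst_match = d in r.dst
        if r.dst_invert:
            dst_match = not dst_match     # "everything except this net"
        if dst_match:
            return r.action
    return "block"                        # nothing matched: implicit default deny


if __name__ == "__main__":
    for args in [("DMZ", "tcp", "192.168.52.3", "93.184.216.34"),   # DMZ -> Internet
                 ("DMZ", "tcp", "192.168.52.3", "192.168.1.10"),    # DMZ -> LAN
                 ("LAN", "tcp", "192.168.1.10", "192.168.52.3"),    # LAN -> DMZ web
                 ("DMZ", "tcp", "192.168.52.3", "192.168.52.1")]:   # DMZ -> firewall
        print(args, "->", evaluate(*args))
```

Note that inverting "LAN net" excludes only the LAN subnet: in this model a DMZ host can still reach the firewall's own DMZ-side address (192.168.52.1 here), which is one of the gaps the more complex rule sets mentioned in the Links section address.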
NAT a DMZ machine using Port Forward
NAT (Network Address Translation) allows you to use one IP address to access multiple internal machines, so long as they have unique network port requirements. For example, you could have a public web server on ports 80 and 443 (http and https), then a separate server for e-mail using smtp(s) (ports 25, 465, 587), imap(s) (ports 143 and 993) and pop(s) (ports 110 and 995). They could both be on the same public IP address, and NAT would send all http(s) traffic to one machine and all e-mail traffic to the other. Obviously, these machines could be inside a DMZ.
Why do you want to do this? Several reasons, but the main one is to decrease complexity in your servers. You have one server which is only a web server, with apache, php and maybe mysql. A completely separate machine handles your e-mail.
OPNsense has NAT built in, but parts of it are broken as of 23.7; it may be fixed by the time you read this, so I'll show the standard way of doing it, then the patch.
You can skip this first step, though I like it because it makes the entire setup more maintainable. I like to use Firewall Aliases for my ports and, sometimes, for my hosts. I would definitely recommend doing the ports part, however, as you would otherwise have to write one NAT rule for each port.
- Firewall | Aliases
  - Add (plus sign)
    - Name: web ports
    - Type: Ports
    - Categories: DMZ
    - Contents: enter the web ports, placing a comma between them (i.e. 80,443)
    - Description: Ports used by web server
    - Save
  - Add (plus sign)
    - Name: mail_ports
    - Type: Ports
    - Categories: DMZ
    - Content: 25,465,587
    - Description: Ports used by mail server
    - Save
  - Add
    - Name: webserver
    - Type: Host(s)
    - Categories: DMZ
    - Content: 192.168.52.3 (the IP of your web server, in the DMZ)
    - Description: the target for our web traffic
    - Save
  - Add
    - Name: mailserver
    - Type: Host(s)
    - Categories: DMZ
    - Content: 192.168.52.4 (the IP of your mail server, in the DMZ)
    - Description: the target for our mail traffic
    - Save

