Angry Sysadmins
A site full of angry sysadmins here to vent and help

Pfsesne: Create a “DMZ” network for use with Video games and IOT Devices

Ryan Parker BSD, Firewall, pfSense December 12, 2021

Before we begin, know that This subnet is NOT SECURE and should only be used for certain things that absolutely require Open NAT and UPNP like game consoles, old PC games, or other insecure things. I would strongly advise setting up an Intrusion Detection system or Intrusion Prevention System like suricata. It will allow any device to open a port on the firewall and allow any connection inbound. I initially set this up because I was having issues with Command an Conquer games with C&C online, Anno 2070, and Xbox live. Make sure to isolate this network to only itself, as it is a security problem if you allow a device on this network to access your internal networks (I go over this).

Interfaces

I’ll leave this one to you. My interface is named DMZ. I have mine setup as a vlan, but a physical interface is better, more secure, and easier to manage.

 

Firewall

Firewall -> Rules -> Aliases -> IP

Click add
Name: CIDR_ReservedInternalNetworkIPs
Network or FQDN: 10.0.0.0 / 8
                                172.16.0.0 / 12
                                192.168.0.0 / 16

Firewall -> Rules -> DMZ -> Add

Action: Pass
Interface: DMZ
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: DMZ net
Destination: Check invert match
                     Single host or Alias
                     CIDR_ReservedInternalNetworkIPs
Description: Don’t allow DMZ to connect to internal IP addresses.

UPNP

Services -> UPnP & NAT-PMP

Enable: Check
UPnP Port Mapping: Check
NAT-PMP Port Mapping: Check
External Interface: DMZ
ACL Entries: allow 1024-65535 192.168.69.1/24 1024-65535

NAT

System -> Advanced -> Firewall and NAT

Scroll down to Network Address Translation

NAT Reflection mode for port forwards: Pure Nat
Enable NAT Reflection for 1:1 NAT: Checked
Enable automatic outbound NAT for Reflection: Checked

 

Firewall -> NAT -> Outbound

Set to Hybrid
Add mapping
Interface: WAN
Protocol: Any
Source: Network | 192.168.69.0 / 24
Address: Interface Address
port or range: Check Static Port.

Reset States

Finally, reset the state table. This will apply our NAT rules.

Diagnostics -> States -> Reset States

State Table: Check

Then press reset. This should take a min or so and will cause a brief network disruption.

You should be good to go now. If you have any issues please post them down below. If its not working manually add port forward, That should fix it.

About: Ryan Parker

I'm a former captain of the Cyber Defense team, Current Infrastructure Security Specialist. I also have a side job helping small to medium business with anything technology doing everything imaginable. One of my hobbies is building out infrastructures for myself, friends, and clients. I current maintain a homelab with about 2TB of RAM, 180+ TB of storage, tons of CPU cores, and 100gbit networking backbone.

Leave a Reply

Your email address will not be published. Required fields are marked *