
Creating a DMZ

Hey Guys

I have done the following to create a DMZ for a network that I administer.

The method of setting it up like this is keeping the following in mind:

# Internal and External networks being able to access the DMZ via special ports
# Hosts in the DMZ not being able to reach internal network.
# Hosts in the DMZ network are able to communicate with one another.

===

1. Created an additional network range for the total required hosts on the Additional Address tab as per the following:

Name:                     DMZ-Network
On Interface:           Bridge1
IPv4 address:          192.168.10.1
Netmask:                 255.255.255.248
Assigned to node:   All (this applies to H/A cluster setups)

2. Added the new DMZ-Network to my allowed networks for DNS resolution.

3. Create NAT | Masquerading rule for the DMZ-Network to have a route to the internet.

DMZ-Network --> Uplink Interfaces

4. Create firewall rules for DMZ to Internet:

DENY:    Internal [DMZ-Network] --> ANY --> INTERNAL
ALLOW: Internal [DMZ-Network] --> SRV --> INTERNET
ALLOW: Internal [DMZ-Network] --> ANY --> Internal [DMZ-Network]

5. Create Destination NAT rules for DMZ-Network to be reached from any network:

Traffic Selector:               Any --> SpecialPort --> InternetGateway (Interface)

Destination Translation:   SpecialHost --> SSH


====

* Notes

- No DHCP required as all in DMZ are configured with a static IP.
- This configuration is working for me, but I would like to have other recommendations / best practices as I am fairly new to setting it up.

TIA
Chris