Last Updated on October 17, 2022 by Thiago Crepaldi
A DMZ (Demilitarized Zone) network, as defined by Wikipedia, "is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet". The purpose is to add a layer of security by separating the publicly exposed service, which lives in the DMZ, from the rest of the network, which stays private: if the exposed service is compromised, the attacker lands in the DMZ rather than on your internal LAN.
In this post we are going to show how to leverage VLANs to create a DMZ. Although the VLAN will be created on the pfSense appliance, you also need to configure the same VLAN on your switch so it is carried through your network until it reaches the server being exposed to the Internet. In this post I will use a Unifi switch for that purpose.
Creating VLAN on pfsense
The first step to create a DMZ is creating a VLAN with a unique ID. Follow the steps from a previous post to set up VLAN subnets, including the optional section describing how to allow VLAN traffic on your switches. We are going to assume the pfSense VLAN interface is 10.20.100.1/24 (that is, the subnet 10.20.100.0/24) and the VLAN ID is 100. At this point you have an isolated network with access to the Internet. Make sure the firewall rules on that VLAN interface block traffic to your other internal networks (LAN and any other VLANs) and to the pfSense management interface; that isolation is what makes it a DMZ rather than just another subnet. However, this is still a private network in the sense that nobody on the Internet can reach it. We need to tell pfSense that traffic coming from the Internet on a specific port should be redirected to one device within 10.20.100.0/24.
(Optional) Enabling web server
The DMZ is ready to expose to the Internet any service running on the isolated network. As an example of what you can do with your brand new DMZ network, I will assume you want to host a website on a web server (IP 10.20.100.3) through ports 80 (HTTP) and 443 (HTTPS).
In the pfSense web UI, go to Firewall >> NAT >> Port Forward, click Add (arrow down) and fill in the form as follows:
- Edit Redirect Entry
  - Disabled: unchecked
  - No RDR (NOT): unchecked
  - Interface: WAN
  - Address family: IPv4
  - Protocol: TCP
- Source: leave unchanged to allow traffic from Any (restrict it if only known client addresses need access)
  - Invert match: unchecked
- Destination
  - Type: WAN Address
- Destination port range
  - From port: HTTP
  - To port: HTTP
- Redirect target IP
  - Type: Single Address
  - IP: 10.20.100.3
- Redirect target port
  - Port: HTTP
- Description: Redirect WAN HTTP traffic to server on VLAN 100
- No XMLRPC Sync: unchecked
- NAT reflection: System default
- Filter rule association: Add associated filter rule
Click Save and Apply Changes. This redirects traffic arriving on the WAN on port 80 to your web server at http://10.20.100.3. Because of the filter rule association, pfSense also creates a WAN firewall rule permitting that traffic; the rule is scoped to 10.20.100.3 on port 80 only, not to the whole DMZ subnet, which is what you want.
Next, create a second NAT port forward by repeating the steps above, but selecting HTTPS for both the Destination port range and the Redirect target port.
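To make clear what the two port forwards and their associated filter rules actually do, here is a simplified pf rule set equivalent to what pfSense generates from the GUI steps above (you can compare it with /tmp/rules.debug on the firewall). This is an added illustration, not the page's or pfSense's own configuration, and it is not meant to be pasted into pfSense, which regenerates its rules from the GUI. The interface names em0 (WAN) and em1.100 (VLAN 100), the internal ranges in the `<internal>` table and the DMZ egress rules at the end are assumptions; those egress rules are the part the port forward does not create for you and that keep the VLAN an actual DMZ.

```pf
# Macros (interface names and addresses are assumptions for this example)
wan_if    = "em0"           # WAN interface
dmz_if    = "em1.100"       # VLAN 100 (DMZ) on the switch-facing interface
dmz_net   = "10.20.100.0/24"
web_srv   = "10.20.100.3"
web_ports = "{ 80, 443 }"

# Internal networks the DMZ must never reach (assumed LAN and another VLAN)
table <internal> { 192.168.1.0/24, 10.20.10.0/24 }

# Translation: the two GUI port forwards in one rule. With no "-> port"
# the original destination port is kept, so 80 -> 80 and 443 -> 443.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $web_ports -> $web_srv

# The "associated filter rule" pfSense adds for each forward. It is scoped
# to the single target host and ports, not to the whole DMZ subnet.
pass in quick on $wan_if inet proto tcp from any to $web_srv port $web_ports flags S/SA keep state

# DMZ interface egress: let DMZ hosts resolve names through pfSense, block
# everything else toward the firewall itself and the internal networks,
# then allow Internet access.
pass in quick on $dmz_if inet proto { tcp, udp } from $dmz_net to ($dmz_if) port 53 keep state
block in quick on $dmz_if inet from $dmz_net to (self)
block in quick on $dmz_if inet from $dmz_net to <internal>
pass in quick on $dmz_if inet from $dmz_net to any keep state
```

If the VLAN interface was left with a permissive "allow all" rule from the earlier VLAN setup, the last three rules are what you would translate back into the GUI (Firewall >> Rules >> the VLAN 100 interface, block rules above the allow rule): without them a compromised web server can pivot straight into the LAN, and the DMZ provides no separation at all.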
That is all there is to it. From now on, whoever visits your public Internet address (WAN IP) on port 80 or 443 is sent to your web server at http[s]://10.20.100.3 and sees your website content. Remember that the host is now reachable from anywhere, so keep it patched and make sure the DMZ firewall rules stop it from reaching your internal networks. Have fun!