I have rules on my DMZ interface blocking traffic from DMZ to LAN but I can still browse to web resources on the LAN network from a web browser on a workstation in the DMZ. I know I am missing the obvious but I am not currently seeing it.
From my reading of pfsense and opnsense docs, DMZ to LAN should be blocked by default and only exceptions should require an allow rule.
The following are my LAN and DMZ rules. The first rule in DMZ is auto-generated by NAT port-forwarding to my PiHole DNS.
For traffic escaping DMZ to LAN the message in the Live Log for the DMZ -> LAN traffic is: “let out anything from firewall host itself” – which is tied to an auto-generated floating rule which I cannot disable.