DMZ

The default DMZ firewall rules are as follows:

  1. Drop all DMZ→Local traffic
  2. Drop all DMZ→LAN traffic
  3. Allow DMZ→EXT (internet)
  4. Allow LAN→DMZ (includes WireGuard and OpenVPN virtual LANs)

The DMZ is a great place for servers and LXC containers: they are isolated from your network and the AstLinux box, yet reachable from any LAN and from AstLinux itself.

Given the DMZ defaults above, any DHCP, DNS or NTP requests from the DMZ to Local are dropped, so …

Personally I accept these:

Pass DMZ→Local  UDP  0/0  53,67,68,123
Pass DMZ→Local  TCP  0/0  53

You may also want to pass mDNS (UDP 5353).
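Added example, not from the AstLinux page or project: a small first-match evaluator that reads rules in the page's own notation and reports whether a given flow is passed or dropped, so the intended DMZ posture can be sanity-checked before it is typed into the firewall UI. It assumes the specific passes are listed before the defaults, that an unmatched flow is dropped, and it ignores the source-address field (the page only uses 0/0).

```python
# Added example (not from the AstLinux page or project): a first-match
# evaluator for zone rules written in the page's own notation, so a DMZ
# policy can be sanity-checked before it is entered in the firewall UI.
from typing import List, Optional, Set


class Rule:
    """One line such as 'Pass DMZ->Local UDP 0/0 53,67,68,123'."""

    def __init__(self, line: str) -> None:
        parts = line.split()                      # tabs or spaces
        self.action = parts[0]                    # "Pass" or "Drop"
        zones = parts[1].replace("\u2192", "->")  # accept both arrow styles
        self.src, self.dst = zones.split("->")
        # Optional fields: protocol, source address, destination ports.
        self.proto = parts[2].upper() if len(parts) > 2 else "ANY"
        self.source = parts[3] if len(parts) > 3 else "0/0"  # parsed, not matched
        self.ports: Optional[Set[int]] = None     # None = any port
        if len(parts) > 4:
            self.ports = {int(p) for p in parts[4].split(",")}

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (self.src == src and self.dst == dst
                and self.proto in ("ANY", proto.upper())
                and (self.ports is None or dport in self.ports))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first matching rule; an unmatched flow is
    dropped (assumption: the firewall ends in an implicit deny)."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return "Drop"


# Specific passes first, then the page's four defaults (order matters).
DMZ_POLICY = [Rule(line) for line in (
    "Pass DMZ->Local UDP 0/0 53,67,68,123",   # DNS, DHCP, NTP to the AstLinux box
    "Pass DMZ->Local TCP 0/0 53",             # DNS over TCP
    "Drop DMZ->Local",
    "Drop DMZ->LAN",
    "Pass DMZ->EXT",
    "Pass LAN->DMZ",
)]

if __name__ == "__main__":
    for flow in (("DMZ", "Local", "udp", 53), ("DMZ", "Local", "tcp", 22),
                 ("DMZ", "LAN", "tcp", 445), ("DMZ", "EXT", "tcp", 443),
                 ("DMZ", "Local", "udp", 5353)):
        print(flow, "->", evaluate(DMZ_POLICY, *flow))
```

Running it shows that mDNS (UDP 5353) from the DMZ still hits the Drop DMZ→Local default until a pass rule for it is added.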

To stop logging the dropped DMZ→Local packets, uncheck the following (I do this too) once everything works fine :-).

Firewall sub-tab:

___ Log Denied DMZ interface packets

For the Pi-Hole case, the DMZ is perfect. The Pi-Hole can use AstLinux's DNS-over-TLS as its upstream feed, and dnsmasq's DHCP can be configured to hand out the Pi-Hole's DMZ address as the DNS server.

  • Last modified: 2020/05/12 06:51
  • by mkeuter