Example 3 – the default allow rule

By implementing Example 2 – block all traffic from other networks, we have not really accomplished anything yet. We just blocked access to SALES, MARKETING, and DEVELOPERS from other networks, and pfSense blocks inter-network traffic by default anyway. We need to create a default allow rule for each network to make this work. If such a rule is evaluated after the previously created block rule, it will provide access to both the DMZ network and the internet through the WAN interface.

There are two ways to go about this. pfSense automatically creates Allow LAN to any rules for the LAN interface, which saves us the trouble of providing the LAN network access to other networks. If you have other subnets, most likely you will want to create similar rules for those interfaces. We could copy the Allow LAN to any rules easily enough and just change the Interface, Source, and Description to match the interface to which we are applying the rule.

We can make the process a little easier, however, if we create a floating rule, because then we can create a single default Allow X to any rule where X is the interface to which we want the rule to apply. To do this, we follow these steps:

  1. We navigate to Firewall | Rules, and click on the Floating tab. Then we can click on either Add button below the table to add a new rule.
  2. Keep the Action set to Pass. We want this rule to be evaluated last, so we will also leave the Quick option disabled.
  3. In the Interface list box, select all the interfaces to which you want the rule to apply. Unless you have a specific reason for not applying the rule to an interface, you should select every interface except the WAN interface and the DMZ interface.
  4. We want the Direction to match that of rules on the interface tabs, so we select In.
  5. As was the case in the previous example, we can set the Address Family field to IPv4, IPv6, or IPv4+IPv6. We want the default rule to apply to all protocols, so we set Protocol to Any.
  6. Source and Destination should remain set to Any. In the Description edit box, enter an appropriate description (for example, Default allow rule).
  7. Click on the Save button, which will return you to the main Rules page. Then click on the Apply Changes button to reload the firewall rules.

We now have a default allow rule, which also makes the "Allow LAN to any" rules redundant. We can disable these rules for the sake of clarity. If you want to confirm that the rule works, connect to one of the other networks and try to access another network. Then disable the rule and see what happens (taking care not to lock yourself out of the web GUI in the process).
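The ordering point behind step 2 (leave Quick disabled so the rule is effectively evaluated last) is easier to see with a small model of how pf, the packet filter underneath pfSense, selects a rule: rules are read in order, the last matching rule wins, and a matching rule marked quick ends evaluation immediately. The script below is an added example, not code from the book or from pfSense; the network names are the chapter's, but the address ranges, the exact shape of the Example 2 block rule (a quick floating block of traffic destined for the three internal networks) and all hosts are constructed assumptions. It also shows the failure mode the text warns about: if the allow rule were quick and placed first, the block rule would never be reached.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example networks (assumed addressing, not from the book).
NETWORKS = {
    "SALES": ipaddress.ip_network("192.168.10.0/24"),
    "MARKETING": ipaddress.ip_network("192.168.20.0/24"),
    "DEVELOPERS": ipaddress.ip_network("192.168.30.0/24"),
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),
}
INTERNAL_IFACES = ("SALES", "MARKETING", "DEVELOPERS")


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    interfaces: tuple           # interfaces the rule is bound to (all direction "in")
    quick: bool = False         # stop evaluating as soon as this rule matches
    src: tuple = ()             # network names; empty tuple means "any"
    dst: tuple = ()
    description: str = ""


def _addr_matches(addr, names):
    """Empty name list means 'any'; otherwise the address must lie in one of the networks."""
    if not names:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in NETWORKS[n] for n in names)


def rule_matches(rule, iface, src_ip, dst_ip):
    return (iface in rule.interfaces
            and _addr_matches(src_ip, rule.src)
            and _addr_matches(dst_ip, rule.dst))


def evaluate(rules, iface, src_ip, dst_ip):
    """pf semantics: last matching rule wins, unless a matching rule is quick,
    which returns immediately. No match at all falls through to pfSense's
    implicit default deny."""
    winner = None
    for rule in rules:
        if rule_matches(rule, iface, src_ip, dst_ip):
            if rule.quick:
                return rule.action, rule.description
            winner = rule
    if winner is None:
        return "block", "implicit default deny"
    return winner.action, winner.description


# Floating rules as the chapter builds them, in evaluation order.
# Example 2 (assumed form): quick block of traffic to the other internal networks.
BLOCK_INTERNAL = Rule("block", INTERNAL_IFACES, quick=True,
                      dst=INTERNAL_IFACES, description="Example 2 block rule")
# Example 3: non-quick pass any -> any, so it only decides when nothing else matched.
DEFAULT_ALLOW = Rule("pass", INTERNAL_IFACES, quick=False,
                     description="Default allow rule")
FLOATING = [BLOCK_INTERNAL, DEFAULT_ALLOW]

# What goes wrong if the allow rule is quick and sits ahead of the block rule.
MISORDERED = [Rule("pass", INTERNAL_IFACES, quick=True,
                   description="Quick allow (wrong)"), BLOCK_INTERNAL]


def walkthrough(rules=FLOATING):
    """Return the decision for a few representative flows."""
    return {
        "sales->developers": evaluate(rules, "SALES", "192.168.10.5", "192.168.30.7"),
        "sales->dmz": evaluate(rules, "SALES", "192.168.10.5", "192.168.100.9"),
        "sales->internet": evaluate(rules, "SALES", "192.168.10.5", "203.0.113.40"),
        "dmz->sales": evaluate(rules, "DMZ", "192.168.100.9", "192.168.10.5"),
    }


if __name__ == "__main__":
    for name, decision in walkthrough().items():
        print(f"{name:18} {decision[0]:5} ({decision[1]})")
    print("misordered sales->developers:",
          walkthrough(MISORDERED)["sales->developers"])
```

Traffic between the internal networks hits the quick block rule and stops there; traffic to the DMZ or out to the internet matches only the non-quick default allow, so it passes; and traffic arriving on the DMZ interface matches nothing, which is the implicit default deny that step 3's "every interface except WAN and DMZ" relies on.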
