DMZ, VPN Client, Routing, FW

Question

Hello, 
 
 I would like to setup a router (VPN Client) in a DMZ and route traffic from LAN over DMZ to Open VPN Tunnel. I have the following configuration till now: 
 
 WAN Interface (Ethernet) : 82.x.x.x 
 LAN: 192.168.0.0 /24 
 DMZ: 10.0.0.0 /8 
 
 Ping and Web Access to DMZ Router are working. 
 
 Firewall Rules for DMZ: 
 
 LAN to DMZ / Services http, https and ping allowed 
 
 Interesting for me is, that when i deactivate this rule, I&rsquo;m still able to reach the routers web interface via https?

If i want to establish an vpn tunnel with the router in the DMZ, do i need a separate masquerading rule. 
 
 At the moment i have the rule LAN to External (WAN), do i also need DMZ to External (WAN)??

When i want to route specific traffic over the tunnel, lets say http / https, what kind of firewall rules / configuration i need? 
 
 Is there a way to split the traffic, and route specific requests to a public website direct, without going over the tunnel?

Any help would be highly appreciated.

Thanks 
 Sally

apijnappels · Answer

Also I would like just allow specific services from LAN to DMZ and DMZ to LAN, do I have to create a Rule like DMZ to LAN Block all, and add a separate Rule after like DMZ to LAN https, http ?? 
 - No, by default all traffic is blocked unless you specifically allow it, so you don't need a block rule and then an allow rule, just the allow rule will suffice. However when you are using web filtering then http(s) traffic will be handled by the web filter and not by the firewall, so you may need to make adjustments in web filtering config if you want to prohibit certain http(s) targets to be reachable from other subnets.