    Pfsense wan dmz apache vhosts public ips

    General pfSense Questions
    • UnderstudyU
      Understudy @stephenw10
      last edited by

      @stephenw10

      Thank you for the reply.

      Yes, the xxx.xxx.xxx. all represent the same prefix but I only receive the /29 range based on the last octet.

      The .87 IP address was to give the WAN its own IP.
      The .94 is a /29 that does not include the .87, which is a /32.

      Because the WAN and the DMZ can't be on the same subnet.

      Error received when that attempt was made.
      The following input errors were detected:

      IPv4 address xxx.xxx.xxx.88/29 is being used by or overlaps with: DMZ (xxx.xxx.xxx.94/29)
      This IPv4 address is the network address and cannot be used
      

      I appreciate the link. This is what I was reading in the documents.
      https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

      And the section titled IP assignments is where I got my information from. Along with the part about hybrid NAT but that is for outbound traffic.

      I see your link it says

      To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.

      So I am going to go with that. I mean, if I am wrong I will come back and grovel for more information. Thank you for your help; I will post a reply to let you and everyone know what happens.

      Again, thank you for the help I appreciate it.

      • stephenw10S
        stephenw10 Netgate Administrator @Understudy
        last edited by stephenw10

        @understudy said in Pfsense wan dmz apache vhosts public ips:

        To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.
        So I am going to go with that.

        If your ISP is routing the /29 to you via the /32 WAN address then you don't need to bridge. And avoiding bridges is almost always preferable!

        It's unclear to me what IPs or subnets you actually have. What info has your provider actually given you?

        Steve

        • UnderstudyU
          Understudy @stephenw10
          last edited by

          @stephenw10

          The ISP has its gateway of .81.
          I originally just had an IP of .87.
          Then I got the range from .88 to .94. I don't believe anything was said about routing the range through .87. It is just legacy from when I first started using them. The .87 is a /32, so it is alone.
          The range is .88-.94/29, and that should all look for .81 (gateway), which so far it has been doing.

          I chose to use the .87 for the WAN because it was a stand-alone. The range .94/29 for the DMZ because it seemed a sensible setup.

          If I can avoid the bridge that would be great. So I will take any further advice, comments, or helpful links you can provide.

          Thank you again.

          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            If they are all using .81 as the gateway then they are all expecting to be in the same layer 2 segment as that. Hence you will need to use a bridge if you want to use those IPs on hosts in the DMZ directly.
            However, that then isn't a /29 subnet. You probably will need to expand that on the clients to something that includes the gateway.
            The DMZ interface in pfSense should not have an IP address in that case. pfSense can only have an IP address in a subnet.

            Steve

            • UnderstudyU
              Understudy @stephenw10
              last edited by

              @stephenw10

              Then I will create the bridge and go at it that way. Thank you.

              Should I have to do anything with the DNS?

              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Clients will need to be statically configured for DNS. That could be the pfSense WAN IP as long as there are rules to allow that.
                However, pfSense would then need to have its own subnet mask on WAN expanded in order to reply back to clients directly. Otherwise it will try to use the gateway, creating an asymmetric route.

                Steve

                • UnderstudyU
                  Understudy @stephenw10
                  last edited by

                  @stephenw10

                  Okay, so things are looking good.

                  I know I have a ton of stuff to set up on the firewall, but let's go over what I have here.

                  WAN xxx.xxx.xxx.94/29 up and working
                  LAN 192.168.1.1 up and working
                  DMZ up and working (no ip assigned)
                  Bridge0 up and working (no ip assigned) (WAN DMZ)

                  Firewall / Nat / Outbound
                  Outbound Nat Mode Hybrid
                  Mappings Do not NAT (enable)

                  Firewall / Rules / WAN
                  pass ICMP
                  pass DNS
                  pass 21, 22, 80, 443

                  LAN
                  Default ruleset

                  DMZ
                  No ruleset

                  Bridge0
                  No ruleset

                  I have tested on the LAN the standard items email, print, traffic out to internet. All is good.
                  On the Bridge0 I can see the web pages, I can also ssh in from remote location. ICMP works and the pages respond to DNS.

                  Overall this is a good start. I will close out this post; if there is a special button or something I press, I will do so.

                  Next up will be proper firewall rules, blocking, and logging.

                  Thank you for your help.

                  • bingo600B
                    bingo600 @Understudy
                    last edited by bingo600

                    @understudy


                    Seems like you "live" within "this" /28

                    But why would you insist on using the public IPs in the DMZ, and having to resort to all kinds of "trickery"?

                    Why not use pfSense VIPs that 1:1 NAT into the DMZ?

                    /Bingo

                    If you find my answer useful - Please give the post a 👍 - "thumbs up"

                    pfSense+ 23.05.1 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
                    CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                    LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                    • stephenw10S
                      stephenw10 Netgate Administrator
                      last edited by

                      There are some things that just work better with real public IPs directly. There are some things that are almost impossible to make work behind NAT. Mostly older PBX software, in my experience.
                      I've set up bridged DMZ interfaces like this in those situations.
                      However, it has always been using IPs that are all in one larger subnet like the /28 shown. I suspect that must be the case here.

                      Steve

                      • bingo600B
                        bingo600 @stephenw10
                        last edited by

                        @stephenw10
                        You make a point there ...

                        I have a "Major Brand" PBX that absolutely won't work if NAT'ed.

                        /Bingo

