Netgate Discussion Forum

    NAT and DMZ with an IP subnet

    NAT
    • cuco

      Hi

      We are trying to migrate from our Ubuntu-12.04-based firewall/gateway to a pfSense based one. We have basically the setup shown in the attachment.

      I anonymised the IP addresses, so only the last digits are correct.

      Our ISP has a gateway to the internet, the IP is 1.2.3.62. We can use the IP subnet 1.2.3.0/27 (1.2.3.0-1.2.3.31). These are public IPs.

      At the moment we connect to the ISP on the first network interface and don't set an IP on this interface, just the default gateway (1.2.3.62). On the second interface we have a LAN with private IP addresses, so our gateway/router has the IP 192.168.0.1 on this interface and offers IP addresses via DHCP to all connected clients and NATs the connections.
      On the third interface the gateway is connected to a DMZ, where about two dozen servers are connected. They all have public IPs from the 1.2.3.0/27 range. The gateway itself also has three public IPs from this range on this port. It uses proxy-arp.

      We now want to migrate to pfSense using a similar setup. No 1:1 NAT, because I don't have access to all servers and they are using the public IPs.

      I have tried to configure the same, so no IP address on the WAN interface (just a default gateway) and NATing over one of the three public IP addresses on the DMZ interface. But this does not seem to be possible with pfSense/OpenBSD… But I can't set public IP addresses on the WAN interface, because pfSense complains that this interferes with the Proxy-ARP setting (1.2.3.0/27) for the DMZ interface. I also can't split the network into two /28 networks.

      Do you have an idea how to get this setup running?
      (attachment: pfSense.png)

      • Derelict (Netgate)

        The proper way to do it is to get your ISP to give you a /30 for your WAN and ROUTE the /27 to your WAN address there. You would then just assign the /27 to an inside interface, put your servers there, and be done.

        To do what you want you will need to bridge two interfaces and place your servers on one bridge member and your WAN on another.

        https://doc.pfsense.org/index.php/Interface_Bridges

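        The two plans above can be checked with plain subnet arithmetic. The script below is an added example, not code from the thread or from pfSense: it models the address plans as data and flags the conflicts pfSense would raise, using the anonymised 1.2.3.x addresses from the question. The /30 transfer network (198.51.100.0/30, from the documentation range) is an assumption standing in for whatever the ISP would actually hand out; the DMZ and WAN interface addresses chosen inside the blocks are likewise illustrative.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Plan:
    """One candidate pfSense address plan, as it would be typed into the GUI."""
    name: str
    wan_ip: Optional[str]            # WAN interface address with prefix; None = no address on WAN
    wan_gw: str                      # default gateway given by the ISP
    dmz_ip: str                      # DMZ interface address with prefix
    proxy_arp: List[str] = field(default_factory=list)  # Proxy ARP virtual IP subnets on the DMZ


def check_plan(p: Plan) -> List[str]:
    """Return a list of problems that make the plan unworkable on pfSense (empty = clean)."""
    problems: List[str] = []
    gw = ipaddress.ip_address(p.wan_gw)
    dmz = ipaddress.ip_interface(p.dmz_ip)
    vips = [ipaddress.ip_network(v, strict=False) for v in p.proxy_arp]

    if p.wan_ip is None:
        # The Linux trick from the question: a default route out of an address-less interface.
        problems.append(f"WAN has no address, so gateway {gw} is not on any connected subnet")
        return problems

    wan = ipaddress.ip_interface(p.wan_ip)
    if gw not in wan.network:
        # Note that 1.2.3.62 lies in 1.2.3.32/27, outside the delegated 1.2.3.0/27 block.
        problems.append(f"gateway {gw} is not inside WAN subnet {wan.network}")
    if wan.network.overlaps(dmz.network):
        problems.append(f"WAN subnet {wan.network} overlaps DMZ subnet {dmz.network}")
    for vip in vips:
        if wan.network.overlaps(vip):
            # This is the "interferes with the Proxy-ARP setting" complaint from the question.
            problems.append(f"WAN subnet {wan.network} overlaps Proxy ARP VIP {vip} on DMZ")
    return problems


def dmz_host_capacity(dmz_ip: str) -> int:
    """Addresses left for servers: the block minus network, broadcast and the firewall's own address."""
    net = ipaddress.ip_interface(dmz_ip).network
    return net.num_addresses - 3


# Constructed plans. The first two are what the question tried; the third is the routed design
# from the reply above: ISP routes the /27 to a /30 WAN address, the /27 lives on the DMZ only.
NO_WAN_ADDRESS = Plan("no WAN address", None, "1.2.3.62", "1.2.3.1/27", ["1.2.3.0/27"])
WAN_FROM_BLOCK = Plan("WAN address from the /27", "1.2.3.5/27", "1.2.3.62", "1.2.3.1/27", ["1.2.3.0/27"])
ROUTED = Plan("routed /27 behind a /30 WAN", "198.51.100.2/30", "198.51.100.1", "1.2.3.1/27", [])

if __name__ == "__main__":
    for plan in (NO_WAN_ADDRESS, WAN_FROM_BLOCK, ROUTED):
        issues = check_plan(plan)
        print(f"{plan.name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
    print("servers the routed DMZ can hold:", dmz_host_capacity(ROUTED.dmz_ip))
```

        Running it shows the routed plan is the only one without findings, and that a /27 on the DMZ leaves 29 addresses for servers once the firewall takes one for itself, which covers the two dozen servers mentioned. In the routed design no Proxy ARP entries are needed at all, since the ISP forwards the whole /27 to the WAN address and pfSense simply routes it to the DMZ interface.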
        • kpa

          Your current set up uses a Linux specific hack that is not supported on FreeBSD and therefore not on pfSense either.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.