Netgate Discussion Forum

Configuring DMZ hosting for my new pfsense, on my home router

  • J
    johnytb
    last edited by 19 days ago

    Hello dear friends.
    I want to set up a DMZ hosting area on my home router to which I will route the internet traffic from outside to the PFSENSE (I cannot set the home router to bridge mode). Is the IP address that I will enter in the DMZ area on the home router the same WAN address that PFSENSE automatically received during the initial setup phase from the home router DHCP?

    • S
      SteveITS Galactic Empire @johnytb
      last edited by 18 days ago

      @johnytb If you set your pfSense WAN as the home/ISP router’s DMZ then it will forward all inbound connections to pfSense.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • J
        johnytb @SteveITS
        last edited by 18 days ago

        @SteveITS
        Also all the network traffic that wasn't supposed to reach me? I mean the network traffic of the other residents of the house?

        • G
          Gblenn @johnytb
          last edited by 18 days ago

          @johnytb said in Configuring DMZ hosting for my new pfsense , on my home router:

          Also all the network traffic that wasn't supposed to reach me? I mean the network traffic of the other residents of the house?

          Well, since your pfsense is connected to the LAN, any other device on that LAN will be able to ping and try to access your pfsense WAN. But that's why you install pfsense there, as a way to separate you from all the other devices.

          DMZ means anything on the internet trying to access the public IP on some port, will be forwarded to your pfsense WAN. Which makes it almost as if it is directly connected to the internet. But pfsense will then protect you from any and all access, local or external.

          • J
            johnytb @Gblenn
            last edited by johnytb 18 days ago

            @Gblenn
            Sure, I want to separate myself from other LAN devices and I know pfsense will do it.
            But I'm not talking about traffic from other LAN devices (the other residents of the house) to my pfsense or to my new subnet. Sorry if I didn't explain myself properly.

            I'm talking about whether other LAN devices will still be able to communicate with the internet, because the ISP router will route all traffic to the DMZ zone.

            There's something about the DMZ concept that seems to confuse me.
            Let's say there's a main home router that provides traffic to the home LAN. On this LAN there are 10 devices connected to it of all kinds (it doesn't matter what type at the moment). And when I configure one of these devices to remain outside the DMZ zone, will all the other 9 devices still be able to go out to the internet and receive internet traffic back as they wanted?

            • S
              SteveITS Galactic Empire @johnytb
              last edited by 18 days ago

              @johnytb The DMZ setting on an ISP router is a bit of a misnomer. It forwards all unsolicited inbound traffic. Basically port forwarding all ports.

              A traditional DMZ network is a separate isolated network from LAN that has one or more devices/servers in it.

              Forwarding all ports doesn’t affect any outbound connections from any other device.

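A toy model of the behaviour described in the post above, added here as an illustration and not part of the thread: a NAT router delivers replies by its state table first, and the "DMZ host" setting only decides where unsolicited inbound packets go. The `NatRouter` class, its method names and every address are constructed for this example.

```python
# Toy model of a home/ISP NAT router with a "DMZ host" setting.
# Hypothetical class; all addresses are constructed (RFC 1918 / RFC 5737).
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatRouter:
    dmz_host: Optional[str] = None                       # LAN IP given all unsolicited inbound
    port_forwards: dict = field(default_factory=dict)    # (proto, port) -> LAN IP
    states: dict = field(default_factory=dict)           # (proto, pub_port, remote) -> (lan_ip, lan_port)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN device opens a connection; the router records a state."""
        pub_port = self.next_port
        self.next_port += 1
        self.states[(proto, pub_port, remote)] = (lan_ip, lan_port)
        return pub_port

    def inbound(self, proto, remote, pub_port):
        """Return the LAN (ip, port) a packet on the public IP is delivered to."""
        # 1. Reply to a connection a LAN device created: the state entry wins.
        if (proto, pub_port, remote) in self.states:
            return self.states[(proto, pub_port, remote)]
        # 2. Explicit single-port forward.
        if (proto, pub_port) in self.port_forwards:
            return (self.port_forwards[(proto, pub_port)], pub_port)
        # 3. Unsolicited with no rule: DMZ host if configured, else dropped.
        if self.dmz_host:
            return (self.dmz_host, pub_port)
        return None


def demo():
    tv = ("192.168.1.20", 51000)        # another resident's device
    pfsense_wan = "192.168.1.50"        # pfSense WAN address on the home LAN
    server = ("198.51.100.7", 443)      # site the TV connects to
    scanner = ("192.0.2.99", 55555)     # unsolicited source on the internet
    results = {}
    for label, dmz in (("no_dmz", None), ("dmz", pfsense_wan)):
        router = NatRouter(dmz_host=dmz)
        port = router.outbound("tcp", *tv, server)
        results[label] = {
            "tv_reply": router.inbound("tcp", server, port),
            "unsolicited": router.inbound("tcp", scanner, 22),
        }
    return results
```

In both runs the TV's reply is delivered to the TV; only the unsolicited packet changes destination, from dropped to the pfSense WAN address, where pfSense's own rules then decide what happens to it.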
              • G
                Gblenn @johnytb
                last edited by 18 days ago

                @johnytb said in Configuring DMZ hosting for my new pfsense , on my home router:

                will all the other 9 devices still be able to go out to the internet and receive internet traffic back as they wanted?

                As @SteveITS said, yes they will.

                So do you have access to the mgmt interface of the router, and are you able to (allowed to) set your pfsense in DMZ? If so, then that will give the most "freedom" and will allow you to host games, and/or other services.

                • J
                  johnytb @SteveITS
                  last edited by 18 days ago

                  @SteveITS
                  OK, great. Now I understand.
                  So.. about the firewall. Is it true that the basic and absolute principle of home network firewalls is that all external Internet traffic is blocked? And only devices within the LAN that want to go out to the Internet will receive communication back over the same connection that they themselves created, right?

                  • J
                    johnytb @Gblenn
                    last edited by johnytb 18 days ago

                    @Gblenn
                    Yes, I can set the DMZ zone on my ISP router (I have the username and password for the router web console so I will do this without the house owners knowing hahaha).
                    And then I'll set my pfsense WAN IP in the DMZ zone and hope that the house owners and their family will still be able to do whatever they want on the internet or their TV.
                    I am not gonna host any service or games. Nothing.
                    I just want to set up pfsense on my floor and separate myself from the owners' poor security LAN, but without creating network disruptions for homeowners.

                    • N
                      netblues @johnytb
                      last edited by 18 days ago

                      @johnytb So you don't need a dmz. No use.

                      • S
                        SteveITS Galactic Empire @johnytb
                        last edited by 18 days ago

                        @johnytb said in Configuring DMZ hosting for my new pfsense , on my home router:

                        So.. about the firewall. Is it true that the basic and absolute principle of home network firewalls is that all external Internet traffic is blocked? And only devices within the LAN that want to go out to the Internet will receive communication back over the same connection that they themselves created, right?

                        Correct.

                        As @netblues says though if you are not hosting anything there is no need to forward ports to pfSense, thus no need for the DMZ setting...?

                        • J
                          johnytb @netblues
                          last edited by 18 days ago

                          @netblues
                          OK. So if my pfsense will keep staying behind my main ISP router, and just act as an extra layer of protection, then why is setting the main ISP router to bridge mode recommended?
                          I even read on one of the forums that the pfsense would have a really hard time functioning when the main router is not in bridge mode. Is it true?

                          • N
                            netblues @johnytb
                            last edited by 18 days ago

                            @johnytb No, it is not.

                            • J
                              johnytb @netblues
                              last edited by 18 days ago

                              @netblues OK, thanks a lot.
                              So what about bridge mode, and why does everyone keep recommending it? What are the benefits of it?

                              • G
                                Gblenn @johnytb
                                last edited by Gblenn 18 days ago

                                @johnytb said in Configuring DMZ hosting for my new pfsense , on my home router:

                                @netblues OK, thanks a lot.
                                So what about bridge mode, and why does everyone keep recommending it? What are the benefits of it?

                                I think it is because as soon as you want to be able to access any of your own stuff (smart home devices, music server, etc.), or play games you host for friends, you typically need to open up ports in pfsense, or use UPnP.

                                And setting the ISP router in bridge mode, pretty much removes that device from the equation giving you the public IP directly on pfsense WAN.

                                Having pfsense in DMZ will give you almost the same thing, but there are still some minor things that will not work, like UPnP for example.

                                • N
                                  netblues @Gblenn
                                  last edited by 18 days ago

                                  @Gblenn said in Configuring DMZ hosting for my new pfsense , on my home router:

                                  there are still some minor things that will not work, like UPnP for example.

                                  As a matter of fact, UPnP works with DMZ, but you need to provide the external IP in the UPnP configuration.

                                  Far too small print for the OP though.

                                  • G
                                    Gblenn @netblues
                                    last edited by 18 days ago

                                    @netblues said in Configuring DMZ hosting for my new pfsense , on my home router:

                                    As a matter of fact, UPnP works with DMZ, but you need to provide the external IP in the UPnP configuration.

                                    Well, it does and it doesn't... For some applications it seems to work but for gaming, not so much...
                                    In fact, with all the games I have tested in the Call of Duty series, none of them can connect when behind private IP, using STUN or providing outside IP. It's worse than having Strict NAT...

                                    The ONLY way I have managed to make it work is to fake a public IP on the WAN side of pfsense...

                                    • N
                                      netblues @Gblenn
                                      last edited by 18 days ago

                                      @Gblenn CoD is a beast on its own. Only port forward will do the trick, and it isn't straightforward.

                                      • G
                                        Gblenn @netblues
                                        last edited by 18 days ago

                                        @netblues Only port forward will get you half way... Static port is "the trick"...

                                        • N
                                          netblues @Gblenn
                                          last edited by 18 days ago

                                          @Gblenn Indeed, but still it's port forward :)

                                          P.S. It's been years since, but now I remembered.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.