Netgate Discussion Forum

How to expose a local lan ip to the internet?

8 Posts 5 Posters 6.0k Views
  • E Offline
    eagleeye
    last edited by Jul 2, 2008, 1:36 PM

    Hi
    I am new to pfSense and I have been looking for how to
    create a 'simple DMZ' kind of setup.. like a cheap linksys router
    where you can specify an IP for a 'DMZ' this IP is in the lan
    say 192.168.1.101 and its fully exposed to the internet.

    I have been searching through so many documents but
    nothing seems to be talking about what I want to do..

    I have created some firewall WAN rules that says
    any protocol , any source, any port , goes to 192.168.1.101

    However I did a remote desktop test to the WAN IP but
    it did not work.

    I need to do a couple of these kinds of setup to get things
    going first. I don't care about security, I just want 2 IPs
    fully exposed to the internet.

    Can someone help me on this?

    Eagleeye?

    • S Offline
      Sh4
      last edited by Jul 2, 2008, 2:54 PM

      Your rule will not put a DMZ on the machine but instead route all traffic to this machine. However, if it didn't work you probably did it the wrong way; I suspect the default rule blocking private network traffic is blocking you for some reason.

      Try it the proper way first by specifying a protocol and port number routed to your machine (i.e. the RDP port).

      If you really want a DMZ the clean way is a dedicated DMZ interface, since the wildcarded rules will not interfere with the other machines of the same network.

      pfSense 1.2
      24x [DELL PowerEdge 1950 III]
      -2x Quad Core Intel Xeon E5420 2.5GHz
      -8GB FB 667MHz Memory (4x2GB) Memory RAID 2x4GB
      -PERC 6/i RAID Controller
      -Intel® PRO 1000PT Dual Port PCIe x4

      • S Offline
        sai
        last edited by Jul 3, 2008, 5:18 AM

        You will need to add a NAT rule also.

        • J Offline
          JeGr LAYER 8 Moderator
          last edited by Jul 3, 2008, 7:45 AM

          That sounds like a job for a 1:1 NAT Rule..

          (..and to hell with those "cheap router documentation" for using the word "DMZ" for sth like a 1:1 NAT or a fully exposed host. That has brought so many problems to customers I can't count them anymore >:()

          Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

          If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

          • E Offline
            eagleeye
            last edited by Jul 3, 2008, 11:18 AM

            @Grey:

            That sounds like a job for a 1:1 NAT Rule..
            …

            Hi Thanks to all that helped, I will try it out later…

            BTW 1:1 NAT does not allow ... to local IP. So it seems
            there is no way to configure ANY IP to a local IP using 1:1 NAT.
            Maybe you can elaborate, I am interested!

            I have to use "linksys DMZ Host" until I find time to do it 'properly'

            Eagleeye

            • B Offline
              blak111
              last edited by Jul 4, 2008, 1:50 AM

              The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.

              • J Offline
                JeGr LAYER 8 Moderator
                last edited by Jul 4, 2008, 6:51 AM

                That's what I thought he wanted when he was saying "expose 2 IPs to the internet". But now after reading it again I wonder, if he wants two internal IPs exposed to the internet (with only one external). That's a no go. You can't simply forward all traffic from the outside to two internal IPs - that would be like "copying" traffic and neither of the internal hosts would know if that traffic is meant for him.

                • E Offline
                  eagleeye
                  last edited by Jul 5, 2008, 1:36 AM

                  @blak111:

                  The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.

                  Ah yes, that's what I thought, 1:1 NAT does NOT allow the specifying of ... as the Source IP
                  to the internal address of 192.168.1.11 for example.
                  Since the source user does NOT have a Fixed IP address this won't work.

                  OK I realize now that to have 2 IPs configured to have any incoming source 
                  does not make sense because the FW will not know how to forward the traffic.

                  Eagleeye
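
An added example, not part of any post in this thread and not pfSense code: a small Python check over a simplified, first-match model of inbound NAT that reproduces the thread's three points (a WAN pass rule to a private address does nothing without a NAT rule, an "any/any" rule exposes every port, and one external address cannot be mapped wholesale to two internal hosts). The 203.0.113.x addresses, 192.168.1.50, port 3389 for RDP, the tuple layout and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. Forward = (external_ip, proto, port, internal_ip);
# "any"/None are wildcards. A 1:1 mapping is modelled as a wildcard forward.
FORWARDS = [
    ("203.0.113.10", "any", None, "192.168.1.101"),  # whole address to host 1
    ("203.0.113.10", "any", None, "192.168.1.11"),   # same address to host 2
    ("203.0.113.11", "tcp", 3389, "192.168.1.11"),   # RDP only, second address
]
# WAN pass rule = (proto, destination_ip, destination_port)
PASS_RULES = [
    ("any", "192.168.1.101", None),  # "any protocol, any source, any port"
    ("tcp", "192.168.1.11", 3389),   # protocol and port specified
    ("tcp", "192.168.1.50", 3389),   # firewall rule with no NAT rule behind it
]
NO_NAT = "no NAT rule translates to this private address"
WIDE_OPEN = "every protocol and port is exposed"

def covers(a, b):
    """True if forward a matches every inbound packet that forward b matches."""
    return a[0] == b[0] and a[1] in ("any", b[1]) and a[2] in (None, b[2])

def shadowed_forwards(forwards):
    """Forwards that can never match because an earlier one (assumed
    first-match order) already sends the same traffic to another host."""
    found = []
    for i, later in enumerate(forwards):
        for earlier in forwards[:i]:
            if covers(earlier, later) and earlier[3] != later[3]:
                found.append((later, earlier))
                break
    return found

def pass_rule_findings(pass_rules, forwards):
    """Flag pass rules that cannot work without NAT, or that expose everything."""
    targets = {f[3] for f in forwards}
    findings = []
    for proto, dst, port in pass_rules:
        if ipaddress.ip_address(dst).is_private and dst not in targets:
            findings.append((dst, NO_NAT))
        elif proto == "any" and port is None:
            findings.append((dst, WIDE_OPEN))
    return findings

if __name__ == "__main__":
    for later, earlier in shadowed_forwards(FORWARDS):
        print("unreachable:", later, "shadowed by", earlier)
    for dst, why in pass_rule_findings(PASS_RULES, FORWARDS):
        print(dst, "->", why)
```
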
