Setup DMZ with single public IP
-
Dear PFSense users,
I have a question about setting up a DMZ in PfSense with a single public IP.
My PfSense-box contains three NICs (WAN, LAN and DMZ). There is one public IP address available. My goal is to set up the DMZ network (172.16.10.0) to be fully publicly accessible at that IP.
I read about Virtual IP and 1:1 NAT, but I'm not sure if this is what I need because I have only one public IP address. To be sure, I attached a drawing of my network to this post.
I hope someone can give me some advice. Thanks in advance.
-
http://doc.m0n0.ch/handbook-single/#id11642774
-
http://doc.m0n0.ch/handbook-single/#id11642774
Perry, I've already used the search on the forum and of course I found and read the MonoWall manual.
It didn't answer my question, as it describes using Inbound NAT for mapping a single public IP to a DMZ host; the Inbound NAT feature isn't available in PfSense.
-
Inbound NAT is the port forwards tab on pfSense.
-
@Efonne:
Inbound NAT is the port forwards tab on pfSense.
So there isn't a way to fully map my DMZ host to the Internet without simple port forwards?
-
I'm not sure I understand, but how exactly do you imagine you can use the whole "private" subnet over a single public subnet?
Either you have a range of public IPs and map them 1:1 to your private ones, or you have a single public IP and forward ports to the various private servers.
There is no way to "setup the DMZ-network to be fully public accessible at that IP" if your DMZ is a private subnet.
(This is not a problem of pfSense but how networking works)
-
Thanks for your explanation.
I understand the impossibility of mapping a whole subnet to a public IP. I have one webserver in the DMZ which I want to map directly to my single public IP.
I thought this was a known situation that is applied in many networks around the world.
-
I believe pingelmonster refers to what cheap routers call a "DMZ", which is a kind of 1:1 NAT from the WAN interface to a single IP in the private network with certain ports excluded. PfSense does not support such a "DMZ", however.
-
Ah, I see.
Well, you can still map the complete range with normal port forwards. But why would you need that?
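
The constraint discussed in this thread, that with one public IP each protocol/port pair can be forwarded to only one DMZ host, shown as an added example that is not from any poster or from pfSense. The rule tuples, host addresses, the /24 mask and the `audit_forwards` helper are constructed for illustration; the check also flags "forward everything" ranges, which expose every service on the target.

```python
from ipaddress import ip_address, ip_network

# The thread gives 172.16.10.0 for the DMZ; the /24 mask is an assumption.
DMZ_NET = ip_network("172.16.10.0/24")

# Constructed port-forward rules on the single WAN IP:
# (protocol, first_port, last_port, dmz_target)
RULES = [
    ("tcp", 80, 80, "172.16.10.10"),
    ("tcp", 443, 443, "172.16.10.10"),
    ("tcp", 80, 80, "172.16.10.11"),    # second web server wants the same public port
    ("tcp", 1, 65535, "172.16.10.10"),  # consumer-router style "DMZ host" forward
]


def audit_forwards(rules, dmz_net=DMZ_NET, wide=1024):
    """Return (rule_index, finding) pairs for forwards sharing one public IP."""
    findings = []
    claimed = {}  # (proto, port) -> target of the first rule that claimed it
    for idx, (proto, lo, hi, target) in enumerate(rules):
        # A forward pointing outside the DMZ defeats the segmentation.
        if ip_address(target) not in dmz_net:
            findings.append((idx, "target-outside-dmz"))
        # Very wide ranges expose services nobody meant to publish.
        if hi - lo + 1 >= wide:
            findings.append((idx, "wide-range"))
        # One public IP: a (proto, port) pair can reach only one internal host.
        clash = False
        for port in range(lo, hi + 1):
            owner = claimed.setdefault((proto, port), target)
            if owner != target:
                clash = True
        if clash:
            findings.append((idx, "port-conflict"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_forwards(RULES):
        print(f"rule {idx} {RULES[idx]}: {finding}")
```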