Two DMZs share the same gateway
-
Hello and thank you for reading my post. I have a problem setting up a second DMZ.
My standard gateway is a normal VDSL router, so all my traffic from different VLANs runs through that device. I have got a second SDSL line (15 Mbit) that I use for email, VPN and backup purposes.
My SDSL line comes with 6 IP addresses, e.g.:
Network is 192.168.132.192/29
Host IPs go from 192.168.132.193 to 192.168.132.198. The first available address, 192.168.132.193, serves as the standard gateway for this address range.
Broadcast is on 192.168.132.199. So my mail and VPN services run on the IP 192.168.132.194. I put the server in a DMZ, created a second WAN interface, and a gateway. Works like a charm.
Now, I would like to use the next IP address, 192.168.132.195, in a third WAN gateway, to create another DMZ for a web server. It is no problem to create the WAN interface, but I'm not able to choose the already existing upstream gateway. pfSense refuses to use the same gateway a second time.
So now I'm feeling a bit stumped here. Does anyone know a workaround for that problem, or even a solution for how I could manipulate some conf files to assign the right gateway a second time?
Thank you very much for your attention and kind regards.
MisterIX.
-
@MisterIX - Are you using NAT to your DMZs?
Assuming NAT is in use, I think you need another DMZ interface to make this work, not a WAN interface. Use the public IPs from the SDSL line and NAT from there to the existing DMZ. Assign another virtual IP to the WAN interface in your public range, and NAT to a different DMZ for the web server. As long as you don't allow traffic from one DMZ to the other, you should stay isolated.
If you need the web server and/or other servers to keep an actual public IP, and they're all in the same subnet, you're talking about transparent bridging.
-
Hello maglaubig,
thank you for your fast reply. Your answer sounds as if it would work, but I have difficulties understanding it completely.
First things first: I'm using pfSense in standard settings with the automatic NAT functionality. Until now, I didn't try to work with 1:1 NAT or manual outbound NAT configuration, so all I use is normal port forwarding.
The second DMZ interface has already been created. I also understand how I can create a virtual IP on my WAN2 interface and create NAT rules to forward incoming requests to the server in my second DMZ.
But my outgoing interface would always be WAN2, so I would always see my first IP address as the public IP from every DMZ!?
I fear I'm missing out on something here… :-[
Kind regards, MisterIX.
-
I have multiple internal networks in my config, so I disabled the automatic NAT config almost immediately after starting with pfSense; it wasn't what I needed in my case, and it may be the same for you. When I work on something new, I plan it out to make as many small incremental changes as possible and be able to test after making the config changes.
Port forwarding and NAT are going to work together if you have multiple services on the same port and don't want to change the external port that traffic from the outside interface would have to use to access it. If you don't have multiple services, a single NAT rule for the WAN2 interface would work; it has to be defined using the source DMZ network, with the virtual IP as the outbound NAT address. You'll still need to create the port forwarding rules to allow traffic inbound though.
If you do have multiple services listening on the same port, you'll need the 1:1 NAT to allow for this. Folks I work with usually call this static NAT, which might help you in searches for reference configs. The config will be similar, but your IP matching will be a single host (/32).
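The plan described in this reply, written out as the pf translation and filter rules pfSense would end up generating (this is an added illustration, not configuration from the thread or from pfSense itself; interface names, the two private DMZ subnets and the server addresses are assumed, while the 192.168.132.x addresses are the ones from the original post):

```pf
# Assumed interface names and DMZ addressing (not from the thread)
wan2_if  = "igb1"
dmz1_if  = "igb2"
dmz2_if  = "igb3"
dmz1_net = "10.10.1.0/24"       # existing DMZ (mail/VPN server)
dmz2_net = "10.10.2.0/24"       # new DMZ (web server)
mail_srv = "10.10.1.10"
web_srv  = "10.10.2.10"

# Public addresses from the SDSL /29 in the post; .195 is added to WAN2 as a virtual IP
vip_mail = "192.168.132.194"
vip_web  = "192.168.132.195"

# Outbound NAT, one rule per source DMZ: each DMZ leaves WAN2 with its own
# public address, so the web DMZ is no longer seen as .194 on the outside
nat on $wan2_if from $dmz1_net to any -> $vip_mail
nat on $wan2_if from $dmz2_net to any -> $vip_web

# Port forwards on WAN2 (inbound translation happens before filtering,
# so the pass rules below match on the translated, internal destination)
rdr on $wan2_if proto tcp from any to $vip_mail port { 25, 587, 993 } -> $mail_srv
rdr on $wan2_if proto tcp from any to $vip_web  port { 80, 443 }      -> $web_srv

# 1:1 ("static") NAT alternative for a single host: replaces the nat/rdr pair
# for $web_srv above, mapping every port of .195 to the web server both ways
# binat on $wan2_if from $web_srv to any -> $vip_web

# Filter: only the published ports reach the servers from WAN2
pass in on $wan2_if proto tcp from any to $mail_srv port { 25, 587, 993 } flags S/SA keep state
pass in on $wan2_if proto tcp from any to $web_srv  port { 80, 443 }      flags S/SA keep state

# Isolation: neither DMZ may initiate traffic toward the other
block in quick on $dmz1_if from $dmz1_net to $dmz2_net
block in quick on $dmz2_if from $dmz2_net to $dmz1_net
```

In the pfSense GUI the same result is reached with a manual (or hybrid) outbound NAT rule per DMZ on WAN2, a NAT port forward (or 1:1 entry) per virtual IP, and a reject rule between the two DMZ networks.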
-
Hello maglaubig,
thank you again for your quick reply. I definitely have to plan this as a small project and install a test environment, as I don't want to test on my production firewall.
Also I see the necessity to study more about the pfSense configuration possibilities concerning virtual IPs and NAT. Do you happen to know a good tutorial that might help me dive deeper into that topic?
Kind regards, MisterIX.
-
I'm not a sales guy, and this is totally going to sound like a pitch. A reference guide was the reason I paid for the Gold Membership. In my opinion, totally worth the price I paid having an overview of the feature set.
That said, there is a doc WIKI: https://doc.pfsense.org/
The categories view (contained in the above link): https://doc.pfsense.org/index.php/Special:Categories
Lastly the NAT view (again contained in the above link): https://doc.pfsense.org/index.php/Category:NAT
In those instances where I know what I want to do but don't know the technical term, Google searches on what I'm after usually get me close enough.
The pfSense forums have helped me out as well. I'm still pretty new to them, and trying to become more active. This really is a great product, especially for the SMB market I support in consulting. Looking forward to possibly using it in enterprise spaces as well.