• I have pfsense 0.93 set up as follows:

    LAN : w/ NAT

    I am trying to set this up so that clients on the network are using NAT on the LAN interface and the web server is using public IPs on the DMZ interface. What else do I need to do to get the DMZ to work? Do I need to set up Virtual IPs? The web server is already set up to use the public IPs, so I am planning on just switching it over to the firewall and being up and running. I have never set up a firewall to allow nodes to use public IPs this way. I have always used NAT.

  • Just configure your DMZ with public IPs.
    And create any needed rules.

  • I managed this by bridging the DMZ interface with the WAN interface and then creating firewall rules for it.

  • Bridging OPT1 with WAN was what I did and it's, by far, one of the simplest configurations. Be aware that this will make it impossible to configure CARP failover.

    Alternatively you could use Proxy ARP, which would require some minor configuration of your DMZ machines. This (I think) will also break CARP failover, and frankly, I can't think of any good reason to use this solution versus bridging the two interfaces.

    Finally, you could alias a bunch of IP addresses to WAN and use 1:1 NAT.  This is the most intrusive solution in terms of configuring your DMZ machines, but it means you can use CARP failover without drama and would allow you to obscure the actual IP addresses of your DMZ machines.
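As an added example (not from this thread and not pfSense-generated configuration), the underlying pf(4) rules that the third option amounts to, written by hand; the interface names and addresses are constructed placeholders from the RFC 5737 documentation ranges:

```pf
# Added example: a public address aliased onto WAN with 1:1 NAT to a DMZ host.
# Interface names, LAN/DMZ networks and addresses are constructed placeholders.
wan_if   = "em0"
dmz_if   = "em2"
lan_net  = "192.168.1.0/24"
web_pub  = "203.0.113.10"   # alias added to WAN first, e.g.
                            # ifconfig em0 inet 203.0.113.10 netmask 255.255.255.255 alias
web_priv = "192.168.50.10"  # the web server's actual DMZ address

# Bidirectional 1:1 mapping: inbound traffic to 203.0.113.10 is rewritten to
# 192.168.50.10, and outbound traffic from the DMZ host leaves sourced from
# the public alias, so the host's real address is never seen from outside.
binat on $wan_if from $web_priv to any -> $web_pub

# Translation happens before filtering, so the pass rule names the internal
# address. Default deny on WAN; only the web ports reach the DMZ host.
block in on $wan_if
pass in on $wan_if proto tcp from any to $web_priv port { 80, 443 } keep state

# A DMZ host must not be able to open connections into the LAN; replies to the
# allowed inbound web traffic are already covered by the state entries above.
block in on $dmz_if from $web_priv to $lan_net
```

Bridging (option 1) and Proxy ARP (option 2) need no translation rules at all; they change the interface configuration instead and, as noted above, rule out CARP failover.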