Netgate Discussion Forum
    Please help with DMZ

    Installation and Upgrades
smoked1:

I have pfSense 0.93 set up as follows:

WAN: 67.153.177.34/27
LAN: 192.168.0.1/24 w/ NAT
DMZ: 67.153.177.43/27

I am trying to set this up so that clients on the network are using NAT on the LAN interface and the web server is using public IPs on the DMZ interface. What else do I need to do to get the DMZ to work? Do I need to set up Virtual IPs? The web server is already set up to use the public IPs, so I am planning on just switching it over to the firewall and being up and running. I have never set up a firewall to allow nodes to use public IPs this way. I have always used NAT.

lsf:

Just configure your DMZ with public IPs.
And create any needed rules.

        -lsf

smoked1:

          I managed this by bridging the DMZ interface with the WAN interface and then creating firewall rules for it.

Guest:

Bridging OPT1 with WAN was what I did and it's, by far, one of the simplest configurations. Be aware that this will make it impossible to configure CARP failover.

Alternatively you could use Proxy ARP, which would require some minor configuration of your DMZ machines. This (I think) will also break CARP failover, and frankly, I can't think of any good reason to use this solution versus bridging the two interfaces.

Finally, you could alias a bunch of IP addresses to WAN and use 1:1 NAT. This is the most intrusive solution in terms of configuring your DMZ machines, but it means you can use CARP failover without drama and would allow you to obscure the actual IP addresses of your DMZ machines.

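The third option above (public addresses aliased on WAN, 1:1 NAT to a privately numbered DMZ) written out as a hand-edited pf ruleset, as an added illustration that is not from this thread and is not what pfSense itself generates (pfSense builds its rules from the GUI; this is the equivalent you would write on a plain FreeBSD/OpenBSD pf box). The public addresses are the ones from the original post; the interface names em0/em1/em2, the private DMZ subnet 192.168.10.0/24 and the web server address 192.168.10.10 are assumptions made for the example.

```pf
# Added example: 1:1 NAT layout for the DMZ described in the thread.
# Assumed interface names and private DMZ numbering; the public
# addresses 67.153.177.34 (WAN) and 67.153.177.43 (web server) are
# taken from the original post.

ext_if = "em0"      # WAN, 67.153.177.34/27 (assumed name)
lan_if = "em1"      # LAN, 192.168.0.1/24 (assumed name)
dmz_if = "em2"      # DMZ / OPT1, renumbered to 192.168.10.1/24 (assumed)

lan_net = "192.168.0.0/24"
dmz_net = "192.168.10.0/24"     # assumed private DMZ subnet

# The public address the web server keeps "owning" from the outside.
# On pfSense this is a Virtual IP on WAN (IP Alias, or a CARP VIP when
# there is a second firewall); here it is simply aliased on $ext_if.
web_pub  = "67.153.177.43"
web_priv = "192.168.10.10"      # assumed private address of the server

set skip on lo0
scrub in all

# Drop packets arriving on an interface with a source they cannot have.
antispoof quick for { $lan_if $dmz_if }

# Outbound NAT for LAN clients, as the poster already has it.
nat on $ext_if from $lan_net to any -> ($ext_if)

# 1:1 NAT: inbound traffic to 67.153.177.43 is rewritten to the private
# server, and the server's own outbound traffic leaves as 67.153.177.43.
binat on $ext_if from $web_priv to any -> $web_pub

# Default deny, logged. Everything below is an explicit exception.
block log all

# Anything the firewall itself initiates, and anything that was passed
# in on another interface (floating states cover the forwarded packet).
pass out all keep state

# LAN clients may go anywhere except into the DMZ subnet.
block in quick on $lan_if from $lan_net to $dmz_net
pass in on $lan_if from $lan_net to any keep state

# Internet -> web server: HTTP/HTTPS only. Translation happens before
# filtering, so the rule matches the *private* address.
pass in on $ext_if inet proto tcp from any to $web_priv port { 80 443 } \
    flags S/SA keep state

# DMZ -> Internet is allowed, DMZ -> LAN never is. The block is quick so
# it wins regardless of the pass rule that follows it.
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state
```

With this layout the server's real address never appears outside the firewall, and the public address lives on the firewall rather than on the host, which is why it survives a CARP pair where the bridged layout does not. The bridged alternative from the earlier replies has no nat or binat line at all: the host keeps 67.153.177.43 itself and you only write pass rules for the bridge member. Whichever you pick, run `pfctl -nf /etc/pf.conf` to syntax-check before loading, and keep the DMZ-to-LAN block above the DMZ pass rule.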