How to create a DMZ VLAN with public ip addresses



  • Hello,

    I have the following scenario: My ISP provides me /28 network on my WAN interface. My pfsense box has 4 NICs, one is used for WAN, the rest are configured in LACP aggregation and are connected to a L3 Switch (but the inter-vlan-routing is done by pfsense). Currently I have got a DMZ VLAN interface which is configured with a private address 192.168.9.1/24 and use Virtual IPs (2) with Outbound (source) NAT and Port forwarding (DST NAT) to open certain ports to my public servers which are situated in the DMZ.

    That's great but currently I have to create another DMZ VLAN with which I'll be able to directly assign a public IP address to a host which is behind the firewall without any kind of natting.

    I would like to know how would you do with using pfsense as your main ISP router / firewall. Do you need any support from the ISP ?

    Thanks.

    PS: I've already checked the documentation and several similar topics but neither was related completely to my question.



  • I would like to know how would you do with using pfsense as your main ISP router / firewall. Do you need any support from the ISP?

    To build a DMZ with using VLANs, is so called a poor mans DMZ, for home usage or a school or perhaps a test environment this
    will be a opportunity, but in real life I would not walk that line or way! I would set up one port to be the WAN port and on port
    to the LAN switch (Layer3) and then two ports each to a DMZ switch (Layer2). And then one DMZ is acting over virtual IPs and
    the other DMZ is "open" and the public IP would be set up directly at the servers. If a single NIC or LAN/DMZ Port is not enough
    it might be going on if a LAG will be surrounding this bottleneck, but if only 4 LAN ports are there, I would try out to go ahead
    with 10 GBit/s ports. Pending on the small information's about the hardware that is here in use, it might be sounding strong but
    it is not really wise to guess here then something, could you provide more information about that hardware!?

    One single SFP+ NIC and a dual Port SFP+ NIC or just two dual SFP+ NICs will be here a nice option to get rid of the bottleneck
    and perhaps together with 10 GBit/s capable switches inside of the LAN and the two DMZs.


  • LAYER 8 Netgate

    I would like to know how would you do with using pfsense as your main ISP router / firewall. Do you need any support from the ISP ?

    The absolute best/proper thing to do is have the ISP assign a /29 to your WAN interface then route the /28 to an address on that. That address being your WAN interface address. (If they need you to justify the /29 tell them you need at least 3 addresses there for your High-Availability setup.)

    Then you just number the DMZ with the /28 (or a smaller subnet of that, leaving the rest for other purposes) and disable NAT for it. And you're done.

    Any other solution involves yucky things like Proxy ARP, 1:1 NAT, and bridging.



  • @Derelict:

    I would like to know how would you do with using pfsense as your main ISP router / firewall. Do you need any support from the ISP ?

    The absolute best/proper thing to do is have the ISP assign a /29 to your WAN interface then route the /28 to an address on that. That address being your WAN interface address. (If they need you to justify the /29 tell them you need at least 3 addresses there for your High-Availability setup.)

    Then you just number the DMZ with the /28 (or a smaller subnet of that, leaving the rest for other purposes) and disable NAT for it. And you're done.

    Any other solution involves yucky things like Proxy ARP, 1:1 NAT, and bridging.

    Thank you very much this was the answer of my question.


Log in to reply