Correct DMZ setup

  • This is a repost of a thread on the NAT board. I've locked that topic and am reposting here because this is properly a routing question. I'm trying to figure out the best way to set up a DMZ network. The network design is attached but I'm having a problem with how to configure my pfSense instances.

    My question is specifically about a web server in the DMZ network. If I make the default gateway on that box point toward the internal pfSense at I can poll the server internally but not externally through the 1:1 NAT I've set up on the external pfSense at If I point the webserver toward the external pfSense at I can access the server through the 1:1 NAT on the external pfSense but can't access anything on that box from the internal firewall. Every time the logs are littered with TCP:S which leads me to believe… I don't know what to believe at this point.

  • The default gateway should be the external firewall.
    For the internal LAN subnet you have to add a static route to the web server pointing to the internal firewall.

  • That's what I thought but when I do that I can't connect to anything TCP related from the internal network. Probably not related but OSPF is the routing protocol of choice between the corporate environment and the internal firewall. Are you saying add a route on the actual windows box using "net add….."?

  • OK, I've got it working with static routes. I configured a WAN & a LAN gateway on the external pfSense and created a Static Route for my workstation's subnet on the external pfSense pointing it back to the LAN gateway. Everything works smoothly. If I delete that static route and install Quagga OSPF, configure the LAN interface on the external box, my ICMP packets go through fine and I'm able to ping anything on the DMZ subnet but nothing TCP related goes through. I've got a simple webserver serving up a "Hello World" page. With the static route I'm able to see the page. With OSPF, I get nothing, it doesn't go through.

  • Netgate

    Putting servers between two routers like that is a horrible, horrible design. That DMZ should be an interface off one of the firewalls.

  • @Derelict:

    Putting servers between two routers like that is a horrible, horrible design. That DMZ should be an interface off one of the firewalls.

    Derelict, I'm curious to know why. I'm working with an existing design but probably have some latitude to change it. You think it should be like this?

    ![2017-03-28 08_24_14-Drawing1 - Visio Professional.png](/public/imported_attachments/1/2017-03-28 08_24_14-Drawing1 - Visio Professional.png)

  • Netgate

    Because, as you are finding out, the servers need to know how to route the different traffic. They can't just have a default gateway. You end up with asymmetric routing, hairpinning, NAT reflection, etc.

    Yes. That looks much, much better. Note that the web server no longer has any routing decisions to make. It just sends everything to the inside firewall and it makes all those decisions for it.
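A small Python model of the asymmetric-routing problem Derelict describes above, and of the static-route workaround from the second reply, added here as an example and not code from the thread. The addresses, the three-packet handshake and the two firewall objects are constructed; both firewalls are modelled as stateful, so a SYN/ACK arriving at a firewall that never saw the SYN is dropped.

```python
import ipaddress


class StatefulFirewall:
    """Minimal stateful firewall: passes packets that open or belong to a known flow."""

    def __init__(self, name):
        self.name = name
        self.flows = set()      # (src, dst) pairs seen as a SYN
        self.dropped = []       # out-of-state packets, what a firewall would log as blocked

    def forward(self, src, dst, flags):
        if flags == "S":                      # new connection: create state
            self.flows.add((src, dst))
            return True
        if (src, dst) in self.flows or (dst, src) in self.flows:
            return True                       # packet belongs to a tracked flow
        self.dropped.append((src, dst, flags))
        return False


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) routes, like a host routing table."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes]
    matches = [(net, gw) for net, gw in matches if ip in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]


def tcp_handshake(client, server, server_routes, fw_int):
    """Three-way handshake; the LAN client always enters the DMZ via the internal firewall."""
    if not fw_int.forward(client, server, "S"):
        return False
    fw_back = next_hop(server_routes, client)     # the server picks the return path itself
    if not fw_back.forward(server, client, "SA"):
        return False                              # SYN/ACK dropped: no state on that box
    return fw_int.forward(client, server, "A")


def run(with_static_route):
    """Returns (handshake_ok, packets dropped by the external firewall). Addresses are constructed."""
    fw_int, fw_ext = StatefulFirewall("internal"), StatefulFirewall("external")
    routes = [("0.0.0.0/0", fw_ext)]              # default gateway = external firewall
    if with_static_route:
        routes.append(("10.0.0.0/24", fw_int))    # LAN subnet routed back via internal firewall
    ok = tcp_handshake("10.0.0.50", "192.168.100.10", routes, fw_int)
    return ok, fw_ext.dropped
```

`run(False)` reproduces the broken case (SYN in through the internal firewall, SYN/ACK out through the external one, which drops it), while `run(True)` shows the per-subnet static route making the path symmetric; with the DMZ hung off a single firewall, as in the redrawn design, the server has only one gateway and the question never arises.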