NAT to DMZ



  • Hello All,

    I have set up a Pfsense firewall with LAN, WAN and DMZ. I have 10 usable IP address. I am going to use 3 out of that for pfsense HA set up. I want the rest of the usable static IP address to be NATed to the DMZ servers. Is it possible or will I be forced to use only WAN IP in DMZ?
    ![pfsense layout.png](/public/imported_attachments/1/pfsense layout.png)
    ![pfsense layout.png_thumb](/public/imported_attachments/1/pfsense layout.png_thumb)


  • Netgate

    Sure. Make IP Alias VIPs on WAN (like you will make the CARP VIP for HA) and you can use them all for 1:1 NAT and port forwards as you like.

    You configure what address the hosts masquerade as for outbound connection in Outbound NAT.



  • Hi, I have done it but before doing NAT, I want to do a one way traffic from LAN to DMZ, In a way that LAN can ping and work on DMZ servers but all the packets from DMZ should be blocked towards LAN. Can you please help me with the rule set?


  • Netgate

    DMZ Rule:

    Reject any source DMZ net dest LAN net

    LAN Rule:

    Pass any source LAN net dest DMZ net



  • Thank you very much. let me try that



  • Hello Derelict,

    I tried this rule. But I am not able to even ping the DMZ servers from LAN


  • Netgate

    Then it is something else.

    First, post the LAN rule set.

    Second, check the LOCAL firewalls on the DMZ servers themselves to be sure they will allow traffic from foreign subnets.

    Quick test that the rules are correct is pinging the DMZ address on the firewall from something on LAN.



  • Hello Derelict,

    It is working fine now. I configured some new servers and it works charm.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy