NAT to DMZ



  • Hello All,

    I have set up a pfSense firewall with LAN, WAN and DMZ. I have 10 usable IP addresses. I am going to use 3 of them for the pfSense HA setup. I want the rest of the usable static IP addresses to be NATed to the DMZ servers. Is it possible, or will I be forced to use only the WAN IP in the DMZ?
    ![pfsense layout.png](/public/imported_attachments/1/pfsense layout.png)


  • Netgate

    Sure. Make IP Alias VIPs on WAN (like you will make the CARP VIP for HA) and you can use them all for 1:1 NAT and port forwards as you like.

    You configure what address the hosts masquerade as for outbound connection in Outbound NAT.



  • Hi, I have done it, but before doing NAT I want to set up one-way traffic from LAN to DMZ, in a way that LAN can ping and work on the DMZ servers but all packets from the DMZ towards the LAN are blocked. Can you please help me with the rule set?


  • Netgate

    DMZ Rule:

    Reject any source DMZ net dest LAN net

    LAN Rule:

    Pass any source LAN net dest DMZ net
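    To show why these two rules give one-way access, here is a small model of how a stateful firewall evaluates them. This is an added illustration, not pfSense code or its generated ruleset: it assumes the pfSense behaviour that rules on an interface tab apply to packets entering that interface, first match wins, a pass rule creates state so the reply traffic is matched before any rule is consulted, and anything unmatched falls to the implicit default deny. The address plan (192.168.1.0/24 for LAN, 192.168.2.0/24 for DMZ) and the sample packets are constructed.

```python
"""Stateful, first-match evaluation of the LAN/DMZ rule set.

Hypothetical model of pfSense behaviour (not pfSense's own code):
rules are evaluated on the interface a packet enters, first match
wins, pass rules create state, and unmatched traffic is dropped by
the default deny.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed sample address plan; the thread names no addresses.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.2.0/24")


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "reject"
    src: IPv4Network     # the "LAN net" / "DMZ net" aliases from the GUI
    dst: IPv4Network


# Per-interface rule tabs, exactly as the answer above states them
# (protocol "any", so no port matching is modelled).
RULES = {
    "DMZ": [Rule("reject", DMZ_NET, LAN_NET)],
    "LAN": [Rule("pass", LAN_NET, DMZ_NET)],
}


class StatefulFirewall:
    def __init__(self) -> None:
        # State table keyed by (proto, src, sport, dst, dport). A pass
        # inserts both directions so replies match state, not rules.
        self.states: set[tuple] = set()

    def handle(self, iface: str, proto: str, src: str, sport: int,
               dst: str, dport: int) -> str:
        s, d = ip_address(src), ip_address(dst)
        key = (proto, s, sport, d, dport)
        if key in self.states:
            return "pass (existing state)"
        for rule in RULES.get(iface, []):
            if s in rule.src and d in rule.dst:
                if rule.action == "pass":
                    self.states.add(key)
                    self.states.add((proto, d, dport, s, sport))
                return rule.action
        return "block (default deny)"


def demo() -> list[str]:
    """Walk four constructed packets through the rule set."""
    fw = StatefulFirewall()
    return [
        # 1. LAN host pings a DMZ server: enters on LAN, hits the pass rule.
        fw.handle("LAN", "icmp", "192.168.1.10", 0, "192.168.2.5", 0),
        # 2. Echo reply enters on DMZ: state matches, reject never consulted.
        fw.handle("DMZ", "icmp", "192.168.2.5", 0, "192.168.1.10", 0),
        # 3. DMZ server opens a new connection into LAN: rejected.
        fw.handle("DMZ", "tcp", "192.168.2.5", 40000, "192.168.1.10", 445),
        # 4. DMZ server to an outside host: no DMZ pass rule exists yet,
        #    so it falls to the default deny.
        fw.handle("DMZ", "tcp", "192.168.2.5", 40001, "203.0.113.9", 443),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    Packet 4 is the practical caveat: the reject rule on the DMZ tab only stops DMZ-to-LAN traffic, and since pfSense denies everything not explicitly passed, the DMZ servers still need their own pass rule (placed after the reject) before they can reach the WAN. Reject, as chosen in the answer, sends a TCP RST or ICMP unreachable back to the DMZ host; a block rule would drop the packet silently instead.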



  • Thank you very much. Let me try that.

