Netgate Discussion Forum
    DMZ with public addresses

    Firewalling
    5 Posts 3 Posters 668 Views 3 Watching
    • F Offline
      fsits
      last edited by

      I need help setting up a DMZ in a XG-7100 router. We have 13 public IP addresses that are used for public servers, one is assigned to the WAN the others are in the DMZ.
      I need to section one of the Ethernet ports to assign as a DMZ then add the public servers there. I have tried numerous things but failed to get the DMZ traffic working.
      Anyone in Houston, TX willing to come by and help? Let me know your rate and disposition.

      • KOMK Offline
        KOM
        last edited by

        This shouldn't be too hard. Get your DMZ working first. It's just an interface like any other, but you want to put rules in place so that DMZ clients are prevented from accessing LAN or any other interface other than WAN. Remember that all interfaces beyond WAN/LAN need to have rules added or no traffic will flow whatsoever.

        Create Virtual IPs (IP Alias) for all of your public addresses except the one you will use for WAN.

        Create a port forward for your first server:
        https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

        Check to see if it works by accessing it from WAN, not LAN. Use your phone with wifi disabled, for example. Accessing it from LAN by using its WAN address is not the best way to test it.

        If it doesn't work, troubleshoot it:
        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
        https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

        If you want to access your servers via their WAN address, you will need NAT reflection or split DNS:
        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

        Do it step by step. Ask questions here if you need to. Post screenshots of what you have done.

        • DerelictD Offline
          Derelict LAYER 8 Netgate
          last edited by

          The best option for you is a routed subnet that can be placed on an interface behind the router. What they should have provisioned for you is something like a /29 on the interface and the /28 routed to you on that. Then you would be golden.

          If you have an interface /28 on WAN and want to use those addresses for servers behind it, the best option is to either port forward or use 1:1 NAT.

          The only other option is some sort of filtering bridge.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
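          The following is an added example, not a ruleset from pfSense or from either poster: a hand-written pf fragment that mirrors KOM's steps (DMZ interface rules, IP Alias VIPs, a port forward) and Derelict's 1:1 NAT alternative. Interface names, the RFC 5737 public block and the private DMZ/LAN ranges are assumed; in pfSense you build the same thing under Firewall > Virtual IPs, Firewall > NAT and Firewall > Rules rather than editing pf.conf.

```pf
# Assumed interfaces and addresses (example values, not from the thread)
ext_if  = "igb0"            # WAN: carries the one public address kept for the firewall
lan_if  = "igb1"
dmz_if  = "igb2"            # the Ethernet port sectioned off as the DMZ
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"  # DMZ hosts keep private addresses; public ones are VIPs
web_srv = "192.168.2.10"    # first public server

# Virtual IPs (IP Alias): the public addresses NOT used by the WAN interface itself
table <public_vips> const { 203.0.113.11, 203.0.113.12, 203.0.113.13 }

# Port forward for the first server: public 203.0.113.11:443 -> web_srv:443
rdr on $ext_if proto tcp from any to 203.0.113.11 port 443 -> $web_srv port 443

# 1:1 NAT alternative (Derelict's second option) instead of the rdr above:
# binat on $ext_if from $web_srv to any -> 203.0.113.11

# pfSense behaviour: no traffic passes an interface without an explicit rule
block log all
pass out quick all keep state

# WAN: admit only what the port forward translated (destination is the server now)
pass in quick on $ext_if proto tcp from any to $web_srv port 443 keep state

# DMZ: refuse LAN and the firewall itself first, then allow everything else (Internet)
# (loosen the "self" rule if the firewall serves DNS/DHCP to the DMZ)
block in quick on $dmz_if from $dmz_net to $lan_net
block in quick on $dmz_if from $dmz_net to self
pass  in quick on $dmz_if from $dmz_net to any keep state

# LAN: ordinary egress
pass in quick on $lan_if from $lan_net to any keep state
```

Rule order matters: pf evaluates `quick` rules first-match, so the two DMZ block rules must sit above the DMZ catch-all pass, which is how pfSense orders rules on an interface tab as well.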

          • F Offline
            fsits
            last edited by

            I can't get it to work, is anyone in Houston willing to come to my office and guide me on this?

            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by

              What have you done?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.