DMZ – how do I setup incoming/outgoing for VLANs?



  • My DMZ interface on pfSense is 10.0.0.1.

    I have several machines that need to go in/out of this interface but they are across different subnets/VLANs…

    Server 1: 10.0.0.50 (VLAN1)
    Server2:  10.0.1.50 (VLAN2)
    Server3:  10.0.2.50 (VLAN3)

    Where do I start?  I am new to pfSense and could use some help setting this up!

    Thanks!



  • Interface –> Assign --> VLANs
    Create the needed VLANs on the physical interfaces.

    After you created the VLANs you can assign them under
    Interface --> Assign
    and the VLANs will appear as a new interface.

    Please dont mix VLAN traffic and untagged traffic on the same physical interface.

    BAD example
    interfaces: vr0
    LAN: vr0
    OPT1 vlan10 on vr0
    OPT2 vlan20 on vr0
    OPT3 vlan30 on vr0

    good example
    interfaces: vr0, vr1
    LAN: vr0
    OPT1 vlan10 on vr1
    OPT2 vlan20 on vr1
    OPT3 vlan30 on vr1





  • Wow! Thanks for the quick response!

    Maybe I am thinking about this the wrong way?

    I have some VMWare VMs that I am trying to keep separated (not able to see each other).

    I figured VLAN was a good way to do this…

    I setup my first VM with an IP address of 10.0.1.1.  It is currently attached to the DMZ interface on the pfSense box through a switch.  But I can't get it out to the internet...

    When I try to ping 10.0.0.1 (DMZ interface IP) it says "network not found"?

    Is there a better/easier way to accomplish what I want to do?





  • HEY THANKS FOR THE INFO!

    So my DMZ IP address is 10.0.0.1. 
    My VLAN 100 is subnet 10.0.1.x

    When I setup some Linux Servers on VLAN 100, can  I use 10.0.0.1 as the default gateway?  Can I also use 10.0.0.1 as the DNS server address?

    I wonder if you could help me with 1 more thing… I am used to setting up 1:1 NATs on a commercial firewall (cough sonicwall cough) ...

    I wonder how I do 1:1 NAT with pfSense... I gave it a whirl and it didn't work quite right?

    Basically I just need to forward a public IP straight to the DMZ private IP (on the VLANS you helped me setiup above)....

    I have a block of 8 public IPs coming in my WAN port so I think I need to setup what pfSense refers to as a "virtual IP" for each of my public IPs  (that is not the WAN IP address)?

    How is the best way to forward ALL traffic from a PUBLIC IP straight to the DMZ private IP? (each server is hardend with it's own built in firewall)...

    Thanks again for the help!


Log in to reply