2 WANs, DMZ and one LAN

    I'm trying to set up a pfSense box that contains both the LAN for my clients and a DMZ for some services that we want to publish outside. For that, we have 2 routers, one of them has a fixed IP while the other has a dynamic IP address. Currently I'm using a quad-port Broadcom card; the setup is the following:

    • ETH1 is connected to the WAN_LAN (Wan with dynamic IP)

    • ETH2 is connected to the WAN_DMZ (Wan with static IP)

    • ETH3 is connected to the LAN, that is, to a 48-port switch where APs and clients are connected; the IP addresses are of the form 172.26.0.x

    • ETH4 is currently free

    • pfSense is also configured as DHCP server, so clients on ETH3 can connect to the internet

    The idea is that:

    • Open some ports on WAN_DMZ so that some internal services are exposed
    • I can, using one of the clients connected to the LAN, connect to the DMZ service machines for maintenance
    • From WAN_DMZ there is no way to access our clients in the LAN
    • WAN_LAN is just for internet access, no service is exposed there; also the ISP changes the exposed IP from time to time

    Please give me a summary of the setup, I've never set up a DMZ.


  • Set up the DMZ like another LAN on ETH4. Use forwards from WAN2 for services. Use rules on the DMZ LAN interface to restrict traffic.

  • Ok, I have only one switch, hopefully it's a good one, a Cisco managed switch, so should I set up the switch with different VLANs? If so, which IP ranges can I give to this LAN-DMZ?


  • You can create a VLAN on the switch and set several ports native to that VLAN. This will effectively divide the switch. You can give the interface any RFC 1918 address you want, like a 10.x.x.x
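To make the two replies concrete, here is an added example in pf.conf syntax (not the posters' own configuration, and not generated by pfSense) showing the intent of the rules: the DMZ as a fourth interface on the free ETH4, a single port forward on WAN_DMZ, the LAN allowed into the DMZ for maintenance only, and the DMZ denied any path into the LAN. The interface names, the 10.10.10.0/24 DMZ range, the published host, and the WAN_DMZ address and gateway are assumptions.

```pf
# Added example, not from the thread. Names and addresses are assumptions:
#   em0 = WAN_LAN (dynamic IP), em1 = WAN_DMZ (static IP),
#   em2 = LAN 172.26.0.0/24, em3 = DMZ on the free ETH4, 10.10.10.0/24.
# "quick" makes the rules first-match, like pfSense's per-interface rule list.
# 203.0.113.0/24 is documentation address space, used here as a placeholder.
wan_lan = "em0"
wan_dmz = "em1"
lan     = "em2"
dmz     = "em3"
lan_net = "172.26.0.0/24"
dmz_net = "10.10.10.0/24"
dmz_web = "10.10.10.10"        # the one DMZ host that is published
wan_dmz_ip = "203.0.113.10"    # static IP on WAN_DMZ (placeholder)
wan_dmz_gw = "203.0.113.1"     # its upstream gateway, for route-to/reply-to

set skip on lo0
scrub in all

# Outbound NAT: LAN clients leave via WAN_LAN, DMZ hosts leave via WAN_DMZ
nat on $wan_lan from $lan_net to any -> ($wan_lan)
nat on $wan_dmz from $dmz_net to any -> ($wan_dmz)

# Port forward: only the published service, only on WAN_DMZ (nothing on WAN_LAN)
rdr on $wan_dmz proto tcp from any to $wan_dmz_ip port 443 -> $dmz_web port 443

block log all    # default deny on every interface, logged

# WAN_DMZ: admit the forwarded service; reply-to sends the answers back out
# WAN_DMZ instead of following the default route over WAN_LAN
pass in quick on $wan_dmz reply-to ($wan_dmz $wan_dmz_gw) proto tcp \
    from any to $dmz_web port 443 flags S/SA keep state

# DMZ: DNS to the firewall's DMZ address is allowed, then everything toward the
# LAN or the firewall itself is denied, then the rest goes out via WAN_DMZ
pass in quick on $dmz proto { tcp udp } from $dmz_net to ($dmz) port 53 keep state
block in quick on $dmz from $dmz_net to $lan_net
block in quick on $dmz from $dmz_net to self
pass in quick on $dmz route-to ($wan_dmz $wan_dmz_gw) from $dmz_net to any keep state

# LAN: maintenance into the DMZ on SSH only, no other LAN-to-DMZ traffic,
# then ordinary internet access (replies come back through the state table)
pass in quick on $lan proto tcp from $lan_net to $dmz_net port 22 keep state
block in quick on $lan from $lan_net to $dmz_net
pass in quick on $lan from $lan_net to any keep state

pass out quick all keep state
```

In pfSense these correspond to the per-interface tabs under Firewall > Rules plus one entry under Firewall > NAT > Port Forward; the gateway you pick on the DMZ rule is what produces the route-to above. The rule order on the DMZ tab is the part that matters: the block toward the LAN must sit above the catch-all pass, or the DMZ can reach your clients.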

