Netgate Discussion Forum
    Pfsense wan dmz apache vhosts public ips

    General pfSense Questions
    12 Posts 3 Posters 1.2k Views
    • Understudy

      Hi All,

      I am coming across something that seems to be a bit hard to nail down. I have created a pfsense server with some equipment I have. So I have set up a WAN, LAN, and DMZ nic setup. Please note all IPs behind DMZ are static. DHCPD is only on LAN interface for interoffice setups.

      Wan Public IP interface xxx.xxx.xxx.87/32
      Lan Private IP interface 192.168.1.1/24
      DMZ Public IP interface xxx.xxx.xxx.94/29
      Gateway is xxx.xxx.xxx.81 and outside of range.

      DNS is setup on a remote server provided by hosting company.

      Server 1 behind DMZ xxx.xxx.xxx.93 is a web server with apache and vhosts (several websites one ip on server with apache virtual hosting). Ports used are http, https, ssh, ftp( when made active), icmp.

      Server 2 behind DMZ xxx.xxx.xxx.92 is a file storage server that is accessed via ssh

      Server 3 behind DMZ xxx.xxx.xxx.91 is a backup server that is accessed via ssh.

      Switch 1 behind DMZ xxx.xxx.xxx.88 is a managed switch that is accessed via ssh.

      Here is where things get fun. I am not doing nat. The public IPs are on the servers and should remain as such. I am not port forwarding as the ports do not need to be forwarded.

      I have seen everything on how to set this up if you nat or run a private ip range on the DMZ . Everything except what happens when you have public IPs on the servers.

      So my guess is from what I have read is the following:

      WAN set firewall rules
      pass icmp echoreq
      pass 21 ftp tcp (server turns this off when not needed)
      pass ssh 22 tcp
      pass dns 53 tcp/udp
      pass http 80 tcp
      pass https 443 tcp

      the temp ports on some setups
      pass 81 tcp
      pass 8080 tcp

      Currently there are no separate vlans behind the DMZ and no special connections to the LAN from the DMZ. I will deal with that later.

      Question 1
      Will this work for making sure the servers can be seen on the internet?

      Question 2
      Do I need to do anything with DNS in pfsense to make sure the servers are accessible to the web?

      Thank you in advance for your help in this matter.

      If this post needs to be formatted differently please let me know and I will correct it.

    • stephenw10 (Netgate Administrator)

        Do those xxx.xxx.xxx all represent the same prefix?

        .88 is the network address for that /29 and should not be used directly like that. .89 is the first usable address.

        That will work as long as your provider is routing xxx.xxx.xxx.88/29 to you via xxx.xxx.xxx.87

        If they have simply provided a /29 sized range of IPs on the WAN directly then you would have to bridge WAN and DMZ or use VIPs and port forwards.

        See: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#additional-static-ip-addresses

        Steve

    • Understudy @stephenw10

          @stephenw10

          Thank you for the reply.

          Yes, the xxx.xxx.xxx. all represent the same prefix but I only receive the /29 range based on the last octet.

          The .87 IP address was to give the WAN its own IP
          The .94 is a /29 that does not include the .87 which is a /32

          Because the WAN and the DMZ can't be on the same subnet.

          Error received when that attempt was made.
          The following input errors were detected:

          IPv4 address xxx.xxx.xxx.88/29 is being used by or overlaps with: DMZ (xxx.xxx.xxx.94/29)
          This IPv4 address is the network address and cannot be used
          

          I appreciate the link. This is what I was reading in the documents.
          https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

          And the section titled IP assignments is where I got my information from. Along with the part about hybrid NAT but that is for outbound traffic.

          I see your link it says

          To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.

          So I am going to go with that. I mean if I am wrong I will come back and grovel for more information. Thank you for your help; I will post a reply to let you and everyone know what happens.

          Again, thank you for the help I appreciate it.

    • stephenw10 (Netgate Administrator) @Understudy

            @understudy said in Pfsense wan dmz apache vhosts public ips:

            To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.
            So I am going to go with that.

            If your ISP is routing the /29 to you via the /32 WAN address then you don't need to bridge. And avoiding bridges is almost always preferable!

            It's unclear to me what IPs or subnets you actually have. What info has your provider actually given you?

            Steve

    • Understudy @stephenw10

              @stephenw10

              The ISP has its gateway of .81
              I originally just had an IP of .87
              Then I got the range from .88 to .94. I don't believe anything was said about routing the range through .87. It is just legacy from when I first started using them. The .87 is a /32 so it is alone.
              The range is .88-94/29 and that should all look for .81 (gateway), which so far it has been doing.

              I chose to use the .87 for the WAN because it was a standalone. The range .94/29 for the DMZ because it seemed a sensible setup.

              If I can avoid the bridge that would be great. So I will take any further advice, comments, or helpful links you can provide.

              Thank you again.

    • stephenw10 (Netgate Administrator)

                If they are all using .81 as the gateway then they are all expecting to be in the same layer 2 segment as that. Hence you will need to use a bridge if you want to use those IPs on hosts in the DMZ directly.
                However that then isn't a /29 subnet. You probably will need to expand that on the clients to something that includes the gateway.
                The DMZ interface in pfSense should not have an IP address in that case. pfSense can only have an IP address in a subnet.

                Steve

    • Understudy @stephenw10

                  @stephenw10

                  Then I will create the bridge and go at it that way. Thank you.

                  Should I have to do anything with the DNS?

    • stephenw10 (Netgate Administrator)

                    Clients will need to be statically configured for DNS. That could be the pfSense WAN IP as long as there are rules to allow that.
                    However pfSense would then need to have its own subnet mask on WAN expanded in order to reply back to clients directly. Otherwise it will try to use the gateway, creating an asymmetric route.

                    Steve

    • Understudy @stephenw10
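Steve's three addressing points in the replies above (that .88 is the network address of the /29 and .89 the first usable host, that hosts using .81 as their gateway need a mask wide enough to include it, and that pfSense replies to DMZ hosts via the gateway rather than directly unless its own WAN mask covers them) can be checked mechanically with Python's ipaddress module before touching the firewall. The script below is an added example, not code from the thread or from pfSense: the prefix 203.0.113.0/24 (TEST-NET-3) stands in for the redacted xxx.xxx.xxx, and the helper names are invented for illustration.

```python
"""Addressing checks for the bridged-DMZ layout discussed in this thread.

Added example, not code from the thread or from pfSense. 203.0.113.0/24
(TEST-NET-3) stands in for the redacted xxx.xxx.xxx prefix; the helper names
are invented for illustration.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Constructed plan mirroring the thread: ISP gateway .81, the legacy /32 on
# .87 used for WAN, and the .88-.94 block configured as .94/29 on the DMZ.
GATEWAY = IPv4Address("203.0.113.81")
WAN_LEGACY = IPv4Interface("203.0.113.87/32")
DMZ_HOSTS = [IPv4Address("203.0.113.%d" % n) for n in (88, 91, 92, 93, 94)]


def is_network_address(iface):
    """True when the host bits are all zero: .88/29 is the network address of
    203.0.113.88/29 and cannot be given to the switch (.89 is the first usable)."""
    return iface.ip == iface.network.network_address


def is_broadcast_address(iface):
    """True when the host bits are all one (.95 for both the /29 and the /28)."""
    return iface.ip == iface.network.broadcast_address


def smallest_enclosing_prefix(addrs):
    """Smallest CIDR block containing every address.

    If the hosts must use .81 as their gateway they have to share a layer-2
    segment and a mask that covers it; .81, .87 and .88-.94 collapse to .80/28,
    the /28 bingo600 spotted in the screenshot."""
    nets = [IPv4Network("%s/32" % IPv4Address(a)) for a in addrs]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # widen by one bit until everything fits
    return block


def reply_path(local, peer, gateway):
    """Where a host sends a reply to `peer` given its own interface mask:
    on-link peers are answered directly, anything else goes to the default
    gateway.  With WAN still .87/32, a DMZ host at .93 is answered via .81
    although it reached pfSense over the bridge: the asymmetric route Steve
    warns about.  Widening WAN to /28 makes the reply direct."""
    return "direct" if peer in local.network else "via %s" % gateway


def audit_plan(hosts, gateway, prefix_len):
    """Apply the thread's checks to each host for a candidate prefix length."""
    findings = {}
    for h in hosts:
        iface = IPv4Interface("%s/%d" % (h, prefix_len))
        if is_network_address(iface):
            findings[str(h)] = "network address, unusable"
        elif is_broadcast_address(iface):
            findings[str(h)] = "broadcast address, unusable"
        elif gateway not in iface.network:
            findings[str(h)] = "gateway %s not on-link with /%d" % (gateway, prefix_len)
        else:
            findings[str(h)] = "ok"
    return findings


if __name__ == "__main__":
    print("/29 plan:", audit_plan(DMZ_HOSTS, GATEWAY, 29))
    print("/28 plan:", audit_plan(DMZ_HOSTS, GATEWAY, 28))
    print("enclosing block:",
          smallest_enclosing_prefix([GATEWAY, WAN_LEGACY.ip] + DMZ_HOSTS))
    print("reply from .87/32 to .93:",
          reply_path(WAN_LEGACY, IPv4Address("203.0.113.93"), GATEWAY))
```

Run against the /29 plan the audit flags .88 as the network address and every other host as having no on-link gateway; against /28 every host passes, which is the mask the bridged hosts (and a pfSense WAN that must answer them directly) would need under the assumed addressing.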

                      @stephenw10

                      Okay, so things are looking good.

                      I know I have a ton of stuff to set up on the firewall but let's go over what I have here.

                      WAN xxx.xxx.xxx.94/29 up and working
                      LAN 192.168.1.1 up and working
                      DMZ up and working (no ip assigned)
                      Bridge0 up and working (no ip assigned) (WAN DMZ)

                      Firewall / Nat / Outbound
                      Outbound Nat Mode Hybrid
                      Mappings Do not NAT (enable)

                      Firewall / Rules / WAN
                      pass ICMP
                      pass DNS
                      pass 21, 22, 80, 443

                      LAN
                      Default ruleset

                      DMZ
                      No ruleset

                      Bridge0
                      No ruleset

                      I have tested on the LAN the standard items email, print, traffic out to internet. All is good.
                      On the Bridge0 I can see the web pages, I can also ssh in from remote location. ICMP works and the pages respond to DNS.

                      Overall this is a good start. I will close out this post; if there is a special button or something I need to press, I will do so.

                      Next up will be proper firewall rules, blocking, and logging.

                      Thank you for your help.

    • bingo600 @Understudy

                        @understudy

                        [screenshot attached]

                        Seems like you "live" within "this" /28

                        But why would you insist on using the public IPs in the DMZ, and having to resort to all kinds of "trickery"?

                        Why not use pfSense VIPs that 1:1 NAT into the DMZ?

                        /Bingo

                        If you find my answer useful - Please give the post a 👍 - "thumbs up"

                        pfSense+ 23.05.1 (ZFS)

                        QOTOM-Q355G4 Quad Lan.
                        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

    • stephenw10 (Netgate Administrator)

                          There are some things that just work better with real public IPs directly. There are some things that are almost impossible to make work behind NAT. Mostly older PBX software in my experience.
                          I've set up bridged DMZ interfaces like this in those situations.
                          However it has always been using IPs that are all in one larger subnet like the /28 shown. I suspect that must be the case here.

                          Steve

    • bingo600 @stephenw10

                            @stephenw10
                            You make a point there ...

                            I have a "Major Brand" PBX that absolutely won't work if NAT'ed.

                            /Bingo

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.