Noob question (DMZ?/NAT?) sorry if wrong section
  • Hi all,
    I've been running pfsense for a few months now, and it seems pretty good. But I have a question.
    I want to be able to tell pfSense an IP not to block access to (i.e. my Nintendo DS can't access the internet properly, and it'd be nice if I could un-firewall my VoIP box too).
    I've no idea what settings I should be looking at. I've heard it referred to as both NAT and DMZ. I've tried messing around with NAT 1:1 settings, virtual IPs and all sorts, but nothing seems to work.
    I have a basic setup as follows:
    pfSense (rc3) with WAN going in and one LAN interface
    LAN interface goes into primary hardware switch where PCs come off.
    Secondary switch comes off primary switch which has other PCs/tech including wireless adapter and VoIP box.
    pfSense is set up to act as a DHCP server, although most of the tech I've set up with static mapping.

    I've tried reading through posts here by searching for dmz and nat etc, but I'm not even sure if these are what I want, and most of the topics seem FAR more complicated than my pretty simple setup.
    Any ideas what I need to be looking into?
  • You only have 2 interfaces (LAN/WAN). Classical SOHO routers have an option called "DMZ IP" which means they just forward everything coming in at WAN to this IP. If an intruder gets access to the host on this IP he's inside your LAN. If you want to do it this way just add port forwards at Firewall > NAT, port forward to this single IP. I doubt that you need all available ports and protocols to be forwarded. This scenario can only work for one dedicated IP.

    If you want to have a "real" DMZ you should set it up like in this guide: http://doc.m0n0.ch/handbook-single/#id2604955
  • Thanks for such a fast reply.
    I've already used port forwarding for other things (i.e. one game, and VoIP ports for the VoIP box), so is it just best to keep doing that, or to set up a DMZ? I really don't know the benefits.
    Anyway, I tried to follow that tutorial, but got halted almost straight away as it says to click on a '+' next to the interfaces on the assign menu, but I have no '+' of any form. It looks fairly similar to the screenshot aside from that. I've tried Firefox and IE and neither shows a '+'.
  • You will only see the + icon if there is an unassigned interface. You need a 3rd NIC for the scenario from the tutorial. If simple port forwards work for you, you should just use them.
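The two replies above make one point worth seeing in rule form: a SOHO "DMZ IP" forwards every port to one LAN host, whereas a handful of per-service port forwards exposes only what that host actually needs. pfSense generates pf rules from the Firewall > NAT page, so the same idea expressed as a pf.conf fragment is shown below. This is an added illustration, not configuration taken from the thread or from pfSense itself; the interface names, the 192.168.1.50 address and the SIP/RTP port numbers are constructed placeholders, and the exact ports a given VoIP box needs must come from its own documentation.

```pf
# Constructed example: interface and host names are placeholders, not from the thread.
ext_if   = "em0"            # WAN
int_if   = "em1"            # LAN
voip_box = "192.168.1.50"   # the single LAN host we want reachable from outside

# --- Weak: the SOHO "DMZ IP" behaviour (commented out on purpose) ---
# Every inbound TCP/UDP port on WAN lands on one LAN host. If that host is
# compromised, the attacker is already on the LAN, as the reply above warns.
# rdr on $ext_if proto { tcp udp } from any to ($ext_if) -> $voip_box
# pass in on $ext_if proto { tcp udp } from any to $voip_box

# --- Better: forward only the service ports the device needs ---
# SIP signalling (port value is an assumption; check the VoIP box's manual).
rdr on $ext_if proto udp from any to ($ext_if) port 5060 -> $voip_box port 5060
# RTP media range (assumed range; without a target port pf keeps the original port).
rdr on $ext_if proto udp from any to ($ext_if) port 10000:20000 -> $voip_box

# rdr only rewrites the destination; traffic still has to be allowed through.
pass in quick on $ext_if proto udp from any to $voip_box port 5060
pass in quick on $ext_if proto udp from any to $voip_box port 10000:20000

# Everything else arriving on WAN is dropped by the default policy.
block in on $ext_if
```

In the pfSense web GUI the equivalent is one port-forward entry per rdr line on Firewall > NAT, with the matching pass rule created automatically; the point is that only the listed ports reach the VoIP box, so a flaw in some unrelated service on that host is not reachable from the WAN.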