Setup DMZ with single public IP

pingelmonster

Dear PFSense users,

I have a question about setting up a DMZ in PfSense with a single public IP.
My PfSense-box contains three NIC's (WAN, LAN and DMZ).

There is one public IP-address available. My target is to setup the DMZ-network (172.16.10.0) to be fully public accessible at that IP.
I read about Virtual IP and 1:1 NAT but i'm not sure if this is what I need because I have only one public IP-address.

For sure I attached a drawing of my network to this post.
I hope for someone who can give me some advise.

Thanks in advance

Perry

http://doc.m0n0.ch/handbook-single/#id11642774

pingelmonster

@Perry:

http://doc.m0n0.ch/handbook-single/#id11642774

Perry, I've already used the search on the forum and of course I found and read the MonoWall manual.
It didn't answer my question as it describes to use Inbound NAT for mapping a single public IP to a DMZ host; the Inbound NAT-feature isn't available in PfSense.

Efonnes

Inbound NAT is the port forwards tab on pfSense.

pingelmonster

@Efonne:

Inbound NAT is the port forwards tab on pfSense.

So there isn't a way to fully map my DMZ-host to the Internet without simple portforwards?

GruensFroeschli

I'm not sure i understand, but how exactly do you imagine you can use the whole "private" subnet over a single public subnet?

Either you have a range of public IPs and map them 1:1 to your private ones, or you have a single public IP and forward ports to the various private servers.
There is no way to "setup the DMZ-network to be fully public accessible at that IP" if your DMZ is a private subnet.
(This is not a problem of pfSense but how networking works)

pingelmonster

Thanks for your explaination.
I understand the impossibility to map a whole subnet to a public IP.

I have one webserver in DMZ which I want to map direct to my single public IP..
I thought this is a known-situation and is been applied with many networks over the world

kpa

I believe pingelmonster refers to what cheap routers call a "DMZ" which is kind of 1:1 NAT from WAN interface to a single ip in the private network with certain ports excluded. PfSense does not support such "DMZ" however.

GruensFroeschli

Ah i see.
Well you can still map the complete range with normal port forwards.

But why would you need that?