4. Setup DMZ with single public IP

Setup DMZ with single public IP

  • P

    Dear PFSense users,

    I have a question about setting up a DMZ in PfSense with a single public IP.
    My PfSense-box contains three NIC's (WAN, LAN and DMZ).

    There is one public IP-address available. My target is to setup the DMZ-network (172.16.10.0) to be fully public accessible at that IP.
    I read about Virtual IP and 1:1 NAT but i'm not sure if this is what I need because I have only one public IP-address.

    For sure I attached a drawing of my network to this post.
    I hope for someone who can give me some advise.

    Thanks in advance

    0
  • P

    http://doc.m0n0.ch/handbook-single/#id11642774

    0
  • P

    @Perry:

    http://doc.m0n0.ch/handbook-single/#id11642774

    Perry, I've already used the search on the forum and of course I found and read the MonoWall manual.
    It didn't answer my question as it describes to use Inbound NAT for mapping a single public IP to a DMZ host; the Inbound NAT-feature isn't available in PfSense.

    0
  • S

    Inbound NAT is the port forwards tab on pfSense.

    0
  • P

    @Efonne:

    Inbound NAT is the port forwards tab on pfSense.

    So there isn't a way to fully map my DMZ-host to the Internet without simple portforwards?

    0

  • I'm not sure i understand, but how exactly do you imagine you can use the whole "private" subnet over a single public subnet?

    Either you have a range of public IPs and map them 1:1 to your private ones, or you have a single public IP and forward ports to the various private servers.
    There is no way to "setup the DMZ-network to be fully public accessible at that IP" if your DMZ is a private subnet.
    (This is not a problem of pfSense but how networking works)

    0
  • P

    Thanks for your explaination.
    I understand the impossibility to map a whole subnet to a public IP.

    I have one webserver in DMZ which I want to map direct to my single public IP..
    I thought this is a known-situation and is been applied with many networks over the world

    0
  • K

    I believe pingelmonster refers to what cheap routers call a "DMZ" which is kind of 1:1 NAT from WAN interface to a single ip in the private network with certain ports excluded. PfSense does not support such "DMZ" however.

    0

  • Ah i see.
    Well you can still map the complete range with normal port forwards.

    But why would you need that?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy