Setup DMZ with single public IP

  • Dear pfSense users,

    I have a question about setting up a DMZ in pfSense with a single public IP.
    My pfSense box contains three NICs (WAN, LAN and DMZ).

    There is one public IP address available. My target is to set up the DMZ network ( to be fully publicly accessible at that IP.
    I read about Virtual IP and 1:1 NAT but I'm not sure if this is what I need because I have only one public IP address.

    For sure I attached a drawing of my network to this post.
    I hope for someone who can give me some advice.

    Thanks in advance

  • @Perry:

    Perry, I've already used the search on the forum and of course I found and read the MonoWall manual.
    It didn't answer my question, as it describes using Inbound NAT for mapping a single public IP to a DMZ host; the Inbound NAT feature isn't available in pfSense.

  • Inbound NAT is the port forwards tab on pfSense.

  • @Efonne:

    Inbound NAT is the port forwards tab on pfSense.

    So there isn't a way to fully map my DMZ host to the Internet without simple port forwards?

  • I'm not sure I understand, but how exactly do you imagine you can use the whole "private" subnet over a single public subnet?

    Either you have a range of public IPs and map them 1:1 to your private ones, or you have a single public IP and forward ports to the various private servers.
    There is no way to "set up the DMZ network to be fully publicly accessible at that IP" if your DMZ is a private subnet.
    (This is not a problem of pfSense but of how networking works.)

  • Thanks for your explanation.
    I understand the impossibility of mapping a whole subnet to a public IP.

    I have one webserver in the DMZ which I want to map directly to my single public IP.
    I thought this is a known situation and has been applied in many networks around the world.

  • I believe pingelmonster refers to what cheap routers call a "DMZ", which is a kind of 1:1 NAT from the WAN interface to a single IP in the private network with certain ports excluded. pfSense does not support such a "DMZ", however.

  • Ah, I see.
    Well, you can still map the complete range with normal port forwards.

    But why would you need that?
