Netgate Discussion Forum

    Setup DMZ with single public IP

    Firewalling
    9 Posts 5 Posters 7.2k Views
    pingelmonster

      Dear pfSense users,

      I have a question about setting up a DMZ in pfSense with a single public IP.
      My pfSense box contains three NICs (WAN, LAN and DMZ).

      There is one public IP address available. My target is to set up the DMZ network (172.16.10.0) to be fully publicly accessible at that IP.
      I read about Virtual IP and 1:1 NAT, but I'm not sure if this is what I need because I have only one public IP address.

      I have attached a drawing of my network to this post.
      I hope someone can give me some advice.

      Thanks in advance

        Perry

        http://doc.m0n0.ch/handbook-single/#id11642774

        /Perry
        doc.pfsense.org

          pingelmonster

          @Perry:

          http://doc.m0n0.ch/handbook-single/#id11642774

          Perry, I've already used the search on the forum and of course I found and read the m0n0wall manual.
          It didn't answer my question, as it describes using Inbound NAT for mapping a single public IP to a DMZ host; the Inbound NAT feature isn't available in pfSense.

            Efonnes

            Inbound NAT is the port forwards tab on pfSense.

              pingelmonster

              @Efonnes:

              Inbound NAT is the port forwards tab on pfSense.

              So there isn't a way to fully map my DMZ host to the Internet without simple port forwards?

                GruensFroeschli

                I'm not sure I understand, but how exactly do you imagine you can use the whole "private" subnet over a single public subnet?

                Either you have a range of public IPs and map them 1:1 to your private ones, or you have a single public IP and forward ports to the various private servers.
                There is no way to "setup the DMZ-network to be fully public accessible at that IP" if your DMZ is a private subnet.
                (This is not a problem of pfSense but how networking works)

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                  pingelmonster

                  Thanks for your explanation.
                  I understand the impossibility of mapping a whole subnet to a public IP.

                  I have one webserver in the DMZ which I want to map directly to my single public IP.
                  I thought this was a known situation that is applied in many networks around the world.

                    kpa

                    I believe pingelmonster refers to what cheap routers call a "DMZ", which is a kind of 1:1 NAT from the WAN interface to a single IP in the private network with certain ports excluded. pfSense does not support such a "DMZ", however.

                      GruensFroeschli

                      Ah, I see.
                      Well you can still map the complete range with normal port forwards.

                      But why would you need that?

                      We do what we must, because we can.

                      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

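The three options the thread contrasts (1:1 NAT, a consumer-router style "DMZ host" that forwards every port, and ordinary per-port forwards) are shown side by side below as a hand-written pf ruleset. This is an added illustration, not code from the thread and not the ruleset pfSense itself generates; pfSense builds equivalent rules from the Firewall > NAT > 1:1 and Port Forward tabs. Interface names (em0/em1/em2), the public address 203.0.113.10, a second address 203.0.113.11 used only to show why 1:1 NAT needs it, the LAN subnet 192.168.1.0/24 and the web server address 172.16.10.10 are all assumptions; only the DMZ network 172.16.10.0 comes from the original post.

```pf
# Added illustration (not from the thread, not pfSense's generated ruleset):
# the options discussed above as pf rules on a FreeBSD/pfSense-style firewall.
# Assumed: em0 = WAN, em1 = LAN, em2 = DMZ, public IP 203.0.113.10,
# LAN 192.168.1.0/24, DMZ 172.16.10.0/24, web server 172.16.10.10.
# 203.0.113.11 is shown only to illustrate 1:1 NAT; the poster has one IP.
wan       = "em0"
lan       = "em1"
dmz       = "em2"
webserver = "172.16.10.10"
lan_net   = "192.168.1.0/24"
dmz_net   = "172.16.10.0/24"

# --- Option A: 1:1 NAT (pfSense "1:1" tab). Each DMZ host needs its own
# dedicated public address, so this is not usable with a single IP.
# binat on $wan from $webserver to any -> 203.0.113.11

# --- Option B: the consumer-router "DMZ host" kpa describes: every TCP/UDP
# port on the WAN address is forwarded to one box. Weak setting: it exposes
# every listening service on the web server, and it also captures ports the
# firewall itself needs on WAN (IPsec 500/4500, OpenVPN, remote management).
# rdr on $wan inet proto { tcp udp } from any to ($wan) -> $webserver

# --- Option C (recommended): forward only the ports the web server serves
# (pfSense "Port Forward" tab) and keep the DMZ from reaching the LAN.
rdr on $wan inet proto tcp from any to ($wan) port { 80 443 } -> $webserver

# Outbound NAT: LAN and DMZ hosts share the single public IP.
nat on $wan inet from { $lan_net $dmz_net } to any -> ($wan)

# Default deny on all interfaces.
block in log all

# Let the forwarded traffic through to the DMZ host. Translation happens
# before filtering, so the filter rule matches the private address.
# (pfSense adds this "associated filter rule" when a port forward is created.)
pass in on $wan inet proto tcp from any to $webserver port { 80 443 } \
    flags S/SA keep state

# DMZ may reach the Internet but not the LAN: a compromised web server must
# not get a free hop to internal hosts. "quick" stops the later pass rule
# from overriding the block (pf is last-match-wins without it).
block in quick on $dmz inet from $dmz_net to $lan_net
pass in on $dmz inet from $dmz_net to any keep state

# LAN is trusted for outbound traffic.
pass in on $lan inet from $lan_net to any keep state
```

Two practical notes for the pfSense GUI equivalent: the block rule for DMZ net to LAN net must sit above the "allow DMZ to any" rule on the DMZ interface (pfSense rules are first-match, unlike bare pf), and hosts on the LAN that need to reach the web server by its public name will need either NAT reflection (System > Advanced > Firewall & NAT) or split DNS, since the rdr rule above only applies to traffic arriving on WAN.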
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.