DMZ/NAT Questions



  • Hello pfSense Friends,

    I have sadly spent the last few hours figuring out how to make a DMZ. My goal is to have one machine completely open as a sandbox, so to speak, while isolating it entirely from all other machines on the network. As well, I'm a little unclear on NAT/port-forwarding rules through the DMZ, so I will still have to NAT from my WAN to OPT1 (DMZ), but I don't have to port-forward anymore? Would bridging WAN+DMZ remove the need for port forwarding, and are there any risks? I think I've got it working, but wouldn't mind any advice or suggestions. Anyone else have any experience with DMZs they care to share?

    My Configurations (pfSense 2.x)

    Interfaces
    ----------
    WAN
    LAN 10.0.0.1/8           Running a switch with multiple clients
    DMZ 192.168.2.1/24       Single client with crossover cable

    Firewall (DMZ Rules)
    --------------------

    Rule    Protocol   Source     Port   Destination   Port       Gateway   Description
    Allow   UDP        DMZ net    *      10.0.0.1      53 (DNS)   *         Allow DNS
    Block   *          *          *      LAN net       *          *         Block LAN
    Allow   *          DMZ net    *      ! LAN net     *          *         Allow WAN

    DHCP Server (LAN)
    -----------------
    Range 10.0.0.10 to 10.0.0.245

    DHCP Server (DMZ)
    -----------------

    Range 192.168.2.0 to 192.168.2.10



  • Your second rule is redundant.

    If you bridge the DMZ to the WAN then your DMZ host is going to use whatever IP information your WAN was using. In other words, if the WAN was getting a public IP address from your ISP via DHCP and then you bridge the DMZ to it, your DMZ host is now going to get a public IP from the ISP (and the WAN should not).

    More likely I think what you're trying to do is just forward all the WAN ports to the DMZ host, which you can do with a single inbound NAT entry. If you want some ports to forward to LAN hosts then you just place those NAT rules above the catch-all DMZ NAT rule. For all NAT rules you'll likely want to automatically create a firewall rule as well, or just a pass-all rule on the WAN to the DMZ host.
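
Clarknova's point that the second rule is redundant can be checked by replaying the three DMZ rules from the original post through a small first-match evaluator. This is an added example, not code from the thread or from pfSense; it assumes pfSense's top-down, first-match evaluation with an implicit default deny, and the sample traffic is constructed.

```python
import ipaddress

# Networks from the original post ("LAN net" and "DMZ net" aliases).
LAN_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")

# (action, protocol, source, destination, destination negated, dst port, description)
# A source of None stands for "*"; negated=True models pfSense's "! LAN net".
RULES = [
    ("pass",  "udp", DMZ_NET, ipaddress.ip_network("10.0.0.1/32"), False, 53,  "Allow DNS"),
    ("block", "*",   None,    LAN_NET,                              False, "*", "Block LAN"),
    ("pass",  "*",   DMZ_NET, LAN_NET,                              True,  "*", "Allow WAN"),
]

def matches(rule, proto, src, dst, dport):
    """Return True if this rule matches the packet (first-match semantics)."""
    _, r_proto, r_src, r_dst, negate, r_port, _ = rule
    if r_proto != "*" and r_proto != proto:
        return False
    if r_src is not None and src not in r_src:
        return False
    if (dst in r_dst) == negate:      # with negate=True, a LAN destination does NOT match
        return False
    return r_port == "*" or r_port == dport

def decide(rules, proto, src, dport, dst):
    """Walk the rule set top-down; no match means pfSense's implicit default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, proto, src, dst, dport):
            return rule[0], rule[6]
    return "block", "default deny"

SAMPLE = [  # constructed traffic from the single DMZ host
    ("udp", "192.168.2.5", 53,  "10.0.0.1"),       # DNS to the firewall's LAN address
    ("tcp", "192.168.2.5", 445, "10.0.0.20"),      # SMB to a LAN client
    ("tcp", "192.168.2.5", 443, "203.0.113.10"),   # HTTPS to the internet (TEST-NET-3)
    ("tcp", "192.168.2.5", 22,  "192.168.2.1"),    # firewall's own DMZ address: passed by rule 3
]

def rule_two_is_redundant():
    """Same pass/block outcome for every sample packet with and without 'Block LAN'."""
    without = [RULES[0], RULES[2]]
    return all(decide(RULES, *p)[0] == decide(without, *p)[0] for p in SAMPLE)
```

Note the last sample packet: "! LAN net" still lets the DMZ host reach the firewall's own DMZ-side address, so a separate block rule is needed if that is not intended.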



  • Hi Clarknova.

    I am using port forwarding to my web hosting server.
    I retired all ports I needed to my server and it is working when I try from outside, but … when I try from inside, my pfSense web page from my default gateway pops up. So... I am not able to browse my inside website.

    firewall rule LAN any to any



  • Edydh, unless your problem is exactly the same as the one already discussed you should always start a fresh thread.

    In your case, please search for NAT reflection and start a fresh thread if you have further problems, to avoid your unrelated problem and CeilingKitten's problems being confused.

