Netgate Discussion Forum
    DMZ/NAT Questions

Firewalling
CeilingKitten

      Hello pfSense Friends,

I have sadly spent the last few hours figuring out how to make a DMZ.  My goal is to have one machine completely open as a sandbox, so to speak, while isolating it entirely from all other machines on the network.  As well, I'm a little unclear on NAT/port-forwarding rules through a DMZ: so I will still have to NAT from my WAN to OPT1 (DMZ), but I don't have to port-forward anymore?  Would bridging WAN+DMZ remove the need for port-forwarding, and are there any risks?  I think I've got it working, but wouldn't mind any advice or suggestions.  Anyone else have any experience with DMZs they care to share?

      My Configurations (pfSense 2.x)

Interfaces
----------
WAN
LAN 10.0.0.1/8          Running a switch with multiple clients
DMZ 192.168.2.1/24      Single client with cross-over cable

Firewall (DMZ Rules)
--------------------

Rule    Protocol   Source     Port   Destination   Port       Gateway   Description
Allow   UDP        DMZ net    *      10.0.0.1      53 (DNS)   *         Allow DNS
Block   *          *          *      LAN net       *          *         Block LAN
Allow   *          DMZ net    *      ! LAN net     *          *         Allow WAN

DHCP Server (LAN)
-----------------
      Range 10.0.0.10 to 10.0.0.245

DHCP Server (DMZ)
-----------------
      Range 192.168.2.0 to 192.168.2.10

clarknova

        Your second rule is redundant.

        If you bridge the DMZ to the WAN then your DMZ host is going to use whatever IP information your WAN was using. In other words, if the WAN was getting a public IP address from your ISP via dhcp and then you bridge the DMZ to it, your DMZ host is now going to get a public IP from the ISP (and the WAN should not).

        More likely I think what you're trying to do is just forward all the WAN ports to the DMZ host, which you can do with a single inbound NAT entry. If you want some ports to forward to LAN hosts then you just place those NAT rules above the catch-all DMZ NAT rule. For all NAT rules you'll likely want to automatically create a firewall rule as well, or just a pass-all rule on the WAN to the DMZ host.

        db
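To illustrate clarknova's point that the "Block LAN" rule is redundant, here is an added example (not from the thread or from pfSense itself) that models the posted DMZ rules as a first-match list with pfSense's implicit default deny and runs constructed sample flows through it. It also surfaces a consequence of the "! LAN net" rule that the thread does not mention: the DMZ host can still reach the firewall's own DMZ address (192.168.2.1), because that address is not in LAN net.

```python
import ipaddress

# Constructed model of the DMZ ruleset posted in the thread. pfSense derives
# "LAN net" from the LAN interface's subnet, so 10.0.0.1/8 means 10.0.0.0/8.
LAN_NET = ipaddress.ip_network("10.0.0.0/8")
DMZ_NET = ipaddress.ip_network("192.168.2.0/24")

def in_net(ip, net, negate=False):
    """Match an address against a network; net=None is '*'; negate models pfSense's '!' (invert match)."""
    hit = net is None or ipaddress.ip_address(ip) in net
    return not hit if negate else hit

# Each rule: (action, proto, src_net, dst_net, negate_dst, dst_port); None means '*'.
RULES = [
    ("pass",  "udp", DMZ_NET, ipaddress.ip_network("10.0.0.1/32"), False, 53),    # Allow DNS
    ("block", None,  None,    LAN_NET,                             False, None),  # Block LAN
    ("pass",  None,  DMZ_NET, LAN_NET,                             True,  None),  # Allow WAN (! LAN net)
]

def evaluate(rules, proto, src, dst, dport):
    """Return the action of the first matching rule, or 'block' for pfSense's default deny."""
    for action, r_proto, r_src, r_dst, neg, r_port in rules:
        if r_proto is not None and r_proto != proto:
            continue
        if not in_net(src, r_src):
            continue
        if not in_net(dst, r_dst, neg):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "block"

# Constructed sample flows from the DMZ host (203.0.113.9 is a documentation address).
FLOWS = [
    ("udp", "192.168.2.5", "10.0.0.1", 53),      # DNS to the firewall's LAN address: pass
    ("tcp", "192.168.2.5", "10.0.0.1", 443),     # firewall web GUI via LAN address: block
    ("tcp", "192.168.2.5", "10.0.0.50", 445),    # a LAN client: block
    ("tcp", "192.168.2.5", "203.0.113.9", 80),   # the Internet: pass
    ("tcp", "192.168.2.5", "192.168.2.1", 443),  # firewall's own DMZ address: pass (not in LAN net)
]

def decisions(rules):
    """Evaluate every sample flow against a ruleset, in FLOWS order."""
    return [evaluate(rules, *flow) for flow in FLOWS]

def block_lan_rule_is_redundant():
    """True when removing the 'Block LAN' rule changes no decision: default deny already covers it."""
    without_block = [r for r in RULES if r[0] != "block"]
    return decisions(RULES) == decisions(without_block)
```

The last flow shows why a DMZ ruleset usually also needs an explicit block for "This Firewall" (or the DMZ address) above the catch-all pass rule.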

Edydh

          Hi Clarknova.

I am using port forwarding to my web hosting server.
I redirected all the ports I needed to my server and it is working when I try from outside, but ... when I try from inside, the web GUI of my pfSense default gateway pops up. So... I am not able to browse my inside website.

          firewall rule LAN any to any

Cry Havok

            Edydh, unless your problem is exactly the same as the one already discussed you should always start a fresh thread.

            In your case, please search for NAT reflection and start a fresh thread if you have further problems, to avoid your unrelated problem and CeilingKitten's problems being confused.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.