Netgate Discussion Forum

How to setup DMZ without Natting?

inorx, last edited by Dec 17, 2006, 7:58 PM Dec 17, 2006, 7:27 PM

Hi all

I have a little problem configuring pfSense to work the way I would like it to.

I have the following setup:

WAN - public static address 62.167.235.xxx/32
DMZ - public static address range 62.167.233.xxx/29 which is routed to 62.167.235.xx
LAN - private address range 192.168.1.0/24

I didn't add any rules for NAT or static routes.

Now, when I try to access the internet from within the DMZ, I can see that the requests get NATed to the WAN address. That's the problem. I would like to have the DMZ addresses just routed from and to the WAN port but no NATing, since it's not needed, because the DMZ addresses are public addresses.

What would I have to do? Setting "advanced outbound NAT"? And then adding a rule for the LAN NATing? Something like 192.168.4.0/LAN -> 62.167.233.xxx/WAN? Any additional configuration for the DMZ routing, or is setting advanced outbound NAT already enough to get the routing correct?

Thanks a lot for your help!

- Frank

[edit]
A little bit off-topic, but I have two more short questions:

• Is there anything like an H.323 agent module for pfSense? I mean, a module that can inspect H.323 traffic to check which ports for H.225/Q.931 call signalling and RTP have been negotiated and then dynamically opens these ports?
• Is there anything like an Ethereal/Wireshark module that allows one to sniff/decode traffic on the various firewall interfaces?

[/edit]

hoba, last edited by Dec 17, 2006, 9:14 PM

You are right. Just enable advanced outbound NAT. It will create the NAT rule you need for the LAN segment automatically.

You might need to perform a state reset to drop the already open connections from the DMZ that are still NATed (Diagnostics > States, reset states).

There is/was a siproxd package that is able to help SIP sessions through the NAT (it's broken atm).

yoda715, last edited by Dec 18, 2006, 12:34 AM
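The outbound NAT behaviour hoba describes, written out as an equivalent pf.conf fragment (an added example, not from the thread or from the pfSense project; the interface names em0/em1/em2 and the DMZ block 62.167.233.0/29 are assumptions standing in for the masked addresses above). The point is that the only nat rule matches the private LAN; the routed DMZ block has no nat rule, so its public addresses leave the WAN unchanged.

```pf
# Interfaces and networks (assumed names; the thread masks the real octets)
wan_if  = "em0"               # WAN, public static address
lan_if  = "em1"               # LAN, private 192.168.1.0/24
dmz_if  = "em2"               # DMZ, publicly routed /29
lan_net = "192.168.1.0/24"
dmz_net = "62.167.233.0/29"   # placeholder for 62.167.233.xxx/29

# Outbound NAT only for the private LAN, to the WAN interface address.
# This is the single rule hoba says advanced outbound NAT creates for the LAN.
nat on $wan_if inet from $lan_net to any -> ($wan_if)

# Deliberately NO "nat on $wan_if from $dmz_net" rule: the /29 is routed to the
# WAN address upstream, so DMZ hosts must keep their own public source address.

block all

# LAN and DMZ hosts may initiate connections outward.
pass in  on $lan_if inet from $lan_net to any keep state
pass in  on $dmz_if inet from $dmz_net to any keep state
pass out on $wan_if inet keep state

# Inbound from the Internet reaches only published DMZ services, one tight
# rule per service (TCP/80 shown as an example; adjust to what is hosted).
pass in on $wan_if inet proto tcp from any to $dmz_net port 80 keep state

# Verification from the firewall shell after loading the rules:
#   pfctl -sn                    -> exactly one nat rule, and it names $lan_net only
#   pfctl -ss | grep 62.167.233  -> DMZ states show their public source, not the WAN address
# Sessions that were already translated survive a rule reload, so flush them once
# (GUI: Diagnostics > States > Reset states; CLI equivalent: pfctl -F states).
```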

@inorx:

• Is there anything like an Ethereal/Wireshark module that allows one to sniff/decode traffic on the various firewall interfaces?

Eventually, yes. I am working on that right now.

inorx, last edited by Jan 4, 2007, 4:33 PM

@hoba:

You are right. Just enable advanced outbound NAT. It will create the NAT rule you need for the LAN segment automatically.

You might need to perform a state reset to drop the already open connections from the DMZ that are still NATed (Diagnostics > States, reset states).

There is/was a siproxd package that is able to help SIP sessions through the NAT (it's broken atm).

First, thanks a lot for your answer. I got the initial issue solved in the meantime - it's working like a charm.

Regarding the VoIP question - a SIP proxy for NATing sure would be a nice thing. Unfortunately I'm more into H.323 (yeah, it's still alive!). I guess there are no plans for building an H.323 agent (I could support regarding how the protocol is working, especially how ports are negotiated during H.225/H.245/Q.931).
And - for both SIP and H.323 - the "firewall agent" that dynamically opens the needed ports for call signalling and media wouldn't only be useful for NATed clients but also for clients in a DMZ.

inorx, last edited by Jan 4, 2007, 4:34 PM

@sdale:

@inorx:

• Is there anything like an Ethereal/Wireshark module that allows one to sniff/decode traffic on the various firewall interfaces?

Eventually, yes. I am working on that right now.

Very nice. That's going to be very useful!
Are you integrating a known sniffer (like Wireshark) or are you implementing something new?

yoda715, last edited by Jan 8, 2007, 12:22 AM

It's actually a feature already built into FreeBSD called tcpdump; I'm just creating the GUI for it.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.