Netgate Discussion Forum

HOWTO or EXAMPLE? - Public IPs in DMZ along with NAT in LAN

Category: Problems Installing or Upgrading pfSense Software
10 Posts, 4 Posters, 4.8k Views
doc_holiday, last edited Jan 13, 2007, 12:48 PM

    I thought I would set up a DMZ as I am hosting a number of servers now.  After looking at five software firewalls, I have decided to give PFSense a go.

    Is there a HOWTO or Example config on setting up a DMZ with public IPs, while running NAT on the LAN?   I would like for the LAN machines to be able to access some of the services on the DMZ as well, so there has to be communication between the two zones.

    After this is set up and running, I will probably set up a third zone for wireless, but we'll take this a step at a time!  ;)

    TIA

sai, last edited Jan 13, 2007, 5:29 PM

No tutorial for pfsense just now, but pfsense is based on m0n0, and there is a good howto there: http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

doc_holiday, last edited Jan 13, 2007, 6:06 PM

        @sai:

No tutorial for pfsense just now, but pfsense is based on m0n0, and there is a good howto there: http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

:o Interesting! :o  According to this document, what I want to do is not possible.  It states: "Remember you cannot access hosts on a bridged interface from a NAT'ed interface, so if you do have a LAN interface set up, you won't be able to access the hosts on the bridged interface from the LAN."  If I understand this correctly, then what I want to do is not possible:

        LAN - Private IPs (NAT) - Clients and workstations
        DMZ - Routed IPs - Servers

        But the clients and workstations in the LAN won't be able to access the servers in the DMZ?  Am I understanding this correctly, or am I confused?!?

        Thanks for your help! :)

jeroen234, last edited Jan 13, 2007, 6:14 PM

wan(nat)
   |
pfsense
  /   \
lan   dmz(public ip's (vip))

doc_holiday, last edited Jan 13, 2007, 6:16 PM

            @jeroen234:

wan(nat)
   |
pfsense
  /   \
lan   dmz

            This is what I want to do.  I have a /28 from my ISP and I want to use the public IPs in the DMZ for my servers, but I want to run NAT and private IPs on my LAN.

wan(publicip)
   |
pfsense
  /   \
lan   dmz
(nat) (public ip)

            But I want the client machines in the lan to be able to access the servers in the DMZ.  If I understand this document correctly, I can't do that with this configuration and pfsense.

            If I can't, then should I do 1 to 1 NAT in the DMZ, mapping public ips to my servers and then if I have done this can my lan machines now access the servers in the DMZ?

            Thanks for the help!

jeroen234, last edited Jan 13, 2007, 6:26 PM

NAT will be done on all interfaces that have a gateway set, so that will be your WAN interface.

The /28 IPs you enter on pfsense on the VIP tab and pair them with a PC on your DMZ.
pfsense will then send all requests for that IP to that PC.
To make it work from the LAN too, you need to turn on NAT reflection
and give the LAN subnet access to the DMZ subnet.

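The setup jeroen234 describes (a public /28 address entered as a VIP and paired 1:1 with a DMZ host, NAT reflection so LAN clients can use the public address, and a LAN-to-DMZ allow rule), written out as hand-written pf rules. This is an added illustration, not something from the thread and not the ruleset pfSense's GUI generates; interface names and addresses are constructed example values.

```pf
# Constructed example values, not from the thread:
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"       # private LAN, NATed on the way out
dmz_net = "10.0.2.0/24"          # DMZ hosts keep private addresses
vip_web = "203.0.113.18"         # one address from the public /28 (WAN VIP)
dmz_web = "10.0.2.10"            # DMZ server paired with that VIP

# 1:1 NAT: the VIP maps to the DMZ server in both directions
binat on $wan_if from $dmz_web to any -> $vip_web

# Outbound NAT for the LAN behind the WAN address
nat on $wan_if from $lan_net to any -> ($wan_if)

# NAT reflection: LAN clients connecting to the public VIP are redirected
# to the DMZ server. pf translates before filtering, so the LAN pass rule
# below matches the translated (DMZ) destination.
rdr on $lan_if proto tcp from $lan_net to $vip_web port 80 -> $dmz_web port 80

# Default deny on every interface, then the minimum allows
block all
pass out quick all keep state

# Only the published service is reachable from the Internet
pass in quick on $wan_if proto tcp from any to $dmz_web port 80 keep state

# LAN may initiate to the DMZ subnet (this also covers reflected
# connections, whose destination has already been rewritten to $dmz_web)
pass in quick on $lan_if from $lan_net to $dmz_net keep state

# LAN may reach the Internet; the DMZ rule above is what grants DMZ access
pass in quick on $lan_if from $lan_net to ! $dmz_net keep state

# DMZ may go out, but never initiate into the LAN
block in quick on $dmz_if from $dmz_net to $lan_net
pass in quick on $dmz_if from $dmz_net to any keep state
```

Because the LAN and DMZ segments both route through pfSense, the DMZ server's replies to a reflected connection come back through the same state and are reverse-translated; a source NAT on the DMZ side is only needed when client and server share a segment.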
doc_holiday, last edited Jan 13, 2007, 8:15 PM

                @jeroen234:

NAT will be done on all interfaces that have a gateway set, so that will be your WAN interface.

The /28 IPs you enter on pfsense on the VIP tab and pair them with a PC on your DMZ.
pfsense will then send all requests for that IP to that PC.
To make it work from the LAN too, you need to turn on NAT reflection
and give the LAN subnet access to the DMZ subnet.

                Ok… very helpful! Is VIP a feature unique to PFSense?  I haven't found anything on this in the m0n0wall docs.

hoba, last edited Jan 13, 2007, 8:32 PM

                  m0n0wall has proxyarp too and something called "server nat".  It's different from m0n0 and pfSense has more types of VIPs.

doc_holiday, last edited Jan 13, 2007, 8:46 PM

                    @hoba:

                    m0n0wall has proxyarp too and something called "server nat".  It's different from m0n0 and pfSense has more types of VIPs.

                    OK.  I do remember reading about server nat in m0n0wall.  Is there anything on VIPs on the PFsense wiki/documentation?  I have searched around and not found anything yet.

                    Thanks to everyone for their help!  :D

doc_holiday, last edited Feb 5, 2007, 7:34 AM

                      @hoba:

                      m0n0wall has proxyarp too and something called "server nat".  It's different from m0n0 and pfSense has more types of VIPs.

                      Quick update… I got it running this weekend.  Thanks everyone!  PFsense rocks.  Now I just hope the bounty for content filtering is fulfilled as that is the only thing lacking that I can think of!
