HOWTO or EXAMPLE? - Public IPs in DMZ along with NAT in LAN



  • I thought I would set up a DMZ as I am hosting a number of servers now.  After looking at five software firewalls, I have decided to give pfSense a go.

    Is there a HOWTO or Example config on setting up a DMZ with public IPs, while running NAT on the LAN?   I would like for the LAN machines to be able to access some of the services on the DMZ as well, so there has to be communication between the two zones.

    After this is set up and running, I will probably set up a third zone for wireless, but we'll take this a step at a time!  ;)

    TIA



  • No tutorial for pfSense just now, but pfSense is based on m0n0, and there is a good howto there: http://doc.m0n0.ch/handbook/examples-filtered-bridge.html



  • @sai:

    No tutorial for pfSense just now, but pfSense is based on m0n0, and there is a good howto there: http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

    :o Interesting! :o  According to this document, what I want to do is not possible.  It states: "Remember you cannot access hosts on a bridged interface from a NAT'ed interface, so if you do have a LAN interface set up, you won't be able to access the hosts on the bridged interface from the LAN."  If I understand this correctly, then what I want to do is not possible:

    LAN - Private IPs (NAT) - Clients and workstations
    DMZ - Routed IPs - Servers

    But the clients and workstations in the LAN won't be able to access the servers in the DMZ?  Am I understanding this correctly, or am I confused?!?

    Thanks for your help! :)



  •        wan(nat)
              |
           pfsense
           /     \
         /         \
       lan        dmz (public IPs (VIP))



  • @jeroen234:

           wan(nat)
              |
           pfsense
           /     \
         /         \
       lan        dmz

    This is what I want to do.  I have a /28 from my ISP and I want to use the public IPs in the DMZ for my servers, but I want to run NAT and private IPs on my LAN.

          wan(public ip)
              |
           pfsense
           /     \
         /         \
       lan        dmz
      (nat)    (public ip)

    But I want the client machines in the LAN to be able to access the servers in the DMZ.  If I understand this document correctly, I can't do that with this configuration and pfSense.

    If I can't, then should I do 1:1 NAT in the DMZ, mapping public IPs to my servers, and if I have done this, can my LAN machines then access the servers in the DMZ?

    Thanks for the help!



  • NAT will be done on all interfaces that have a gateway set, so that will be your WAN interface.

    The /28 IPs you enter on pfSense on the VIP tab and pair them with a PC on your DMZ;
    pfSense will then send all requests for that IP to that PC.
    To make it work from the LAN you need to turn on NAT reflection
    and give the LAN subnet access to the DMZ subnet.
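
    The procedure in the post above (1:1 NAT from the /28 VIPs to DMZ hosts, NAT reflection so LAN clients can use the public addresses, and a rule giving the LAN subnet access to the DMZ subnet), written out as the pf rules pfSense ends up loading. This is an added example, not from the thread and not pfSense's own generated config; the interface names, the 203.0.113.0/28 documentation prefix standing in for the ISP /28, the private subnets and the VIP-to-server mapping are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit the pf rules behind the design
# described above. Everything below is an assumption standing in for the
# poster's real network: interface names, subnets and the VIP->server mapping.
WAN_IF="em0"              # the interface with a gateway: this is where NAT happens
LAN_IF="em1"
DMZ_IF="em2"
LAN_NET="192.168.1.0/24"  # private LAN, source-NATed out of the WAN address
DMZ_NET="10.0.2.0/24"     # private DMZ segment sitting behind the 1:1 mappings
# Constructed mapping "publicVIP=dmzServer"; 203.0.113.0/28 (a documentation
# prefix) stands in for the ISP-assigned /28.
MAPPINGS="203.0.113.2=10.0.2.10 203.0.113.3=10.0.2.11"

# Outbound NAT for the LAN: translate the source to the WAN interface address.
gen_outbound_nat() {
    printf 'nat on %s from %s to any -> (%s)\n' "$WAN_IF" "$LAN_NET" "$WAN_IF"
}

# 1:1 NAT: one binat rule per VIP, applied on WAN, so inbound traffic to the
# public address reaches the DMZ server and its replies leave with that address.
gen_binat() {
    for m in $MAPPINGS; do
        pub=${m%%=*}; priv=${m#*=}
        printf 'binat on %s from %s to any -> %s\n' "$WAN_IF" "$priv" "$pub"
    done
}

# NAT reflection: a LAN client talking to the public VIP enters on LAN, not WAN,
# so the binat above never sees it. Redirect it on the LAN interface instead.
# Replies from the DMZ host route back through the firewall (different subnet),
# so the state entry reverses the translation without any extra source NAT.
gen_reflection() {
    for m in $MAPPINGS; do
        pub=${m%%=*}; priv=${m#*=}
        printf 'rdr on %s from %s to %s -> %s\n' "$LAN_IF" "$LAN_NET" "$pub" "$priv"
    done
}

# Filter rules. pf translates before it filters, so these match on the private
# DMZ addresses even for packets that arrived addressed to a VIP.
gen_filter() {
    printf 'block all\n'
    # "give the LAN subnet access to the DMZ subnet"
    printf 'pass in on %s from %s to %s\n' "$LAN_IF" "$LAN_NET" "$DMZ_NET"
    # LAN out to the Internet
    printf 'pass in on %s from %s to any\n' "$LAN_IF" "$LAN_NET"
    # Internet to the published services (web only, as an assumed service set)
    printf 'pass in on %s proto tcp from any to %s port { 80 443 }\n' "$WAN_IF" "$DMZ_NET"
    # DMZ hosts may reach the Internet but must not initiate into the LAN;
    # "quick" stops evaluation so the later pass rule cannot override the block.
    printf 'block in quick on %s from %s to %s\n' "$DMZ_IF" "$DMZ_NET" "$LAN_NET"
    printf 'pass in on %s from %s to any\n' "$DMZ_IF" "$DMZ_NET"
}

# Translation rules must precede filter rules in pf.conf.
gen_pf_conf() {
    printf '# translation (evaluated before filtering)\n'
    gen_outbound_nat
    gen_binat
    gen_reflection
    printf '# filtering\n'
    gen_filter
}

gen_pf_conf   # prints the fragment; syntax-check a saved copy with: pfctl -nf FILE
```

    Two points worth keeping in mind when comparing this with what the GUI produces: the pass rules name the DMZ hosts' private addresses, never the VIPs, because translation runs first; and the reflection `rdr` lives on the LAN interface, which is why turning on NAT reflection is what makes the LAN-to-VIP case work rather than the 1:1 mapping on WAN alone.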



  • @jeroen234:

    NAT will be done on all interfaces that have a gateway set, so that will be your WAN interface.

    The /28 IPs you enter on pfSense on the VIP tab and pair them with a PC on your DMZ;
    pfSense will then send all requests for that IP to that PC.
    To make it work from the LAN you need to turn on NAT reflection
    and give the LAN subnet access to the DMZ subnet.

    OK… very helpful!  Is VIP a feature unique to pfSense?  I haven't found anything on this in the m0n0wall docs.



  • m0n0wall has proxy ARP too, and something called "server NAT".  It's different from m0n0, and pfSense has more types of VIPs.



  • @hoba:

    m0n0wall has proxy ARP too, and something called "server NAT".  It's different from m0n0, and pfSense has more types of VIPs.

    OK.  I do remember reading about server NAT in m0n0wall.  Is there anything on VIPs in the pfSense wiki/documentation?  I have searched around and not found anything yet.

    Thanks to everyone for their help!  :D



  • @hoba:

    m0n0wall has proxy ARP too, and something called "server NAT".  It's different from m0n0, and pfSense has more types of VIPs.

    Quick update… I got it running this weekend.  Thanks everyone!  pfSense rocks.  Now I just hope the bounty for content filtering is fulfilled, as that is the only thing lacking that I can think of!

