Need Help Setting up DMZ or transparent firewall on 2.0RC



  • I've just finished setting up my firewall using the new 2.0RC and I'm not all that familiar with pfSense to begin with.  Everything is working as far as the network is concerned internally and to the web, with the exception that I need outside access to a web and ftp server on the inside of the firewall.  I've tried following the tutorials google has led me to but most don't apply to this release.  The set up is PFSense with 3 ports; one wan, one lan, and one to the server(s).  The servers have public IPs and I can't figure out how to set the firewall up to let them pass through; any help would be appreciated.
    -Josh



  • For access from WAN interface to a system on LAN or OPT1 interface, from pfSense web GUI: Firewall -> NAT, click on Port Forward, add a rule (click on "+"): Interface=WAN, Protocol=TCP, Source leave unchanged, Destination=WAN Address, Destination port range: from=80, to=80, Redirect target IP = IP address of web server, Redirect target port=80.

    This rule will forward packets arriving on the WAN interface specifying a destination IP address of your WAN interface and a destination port of 80 (HTTP) to the "NAT IP" server, port 80.



  • If servers in your DMZ need to initiate connections to systems on the Internet or LAN, in web GUI: Firewall -> Rules, click on the appropriate tab and add rules to allow the access you require to the Internet and LAN.

    By default OPTx interfaces have all accesses blocked, LAN has all access enabled.

    Firewall rules for an interface are processed top down and when a packet matches a rule no further matching is attempted.
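    As an added illustration (not from the thread or from pfSense's own generated ruleset), here is roughly what the port-forward recipe above and the top-down, first-match rule evaluation come to in pf's own syntax, which is what the pfSense GUI ends up generating. Interface names, the web server address and the DMZ egress rules are constructed assumptions.

```pf
# Constructed assumptions: which physical NICs play WAN, LAN and OPT1 (DMZ)
wan_if  = "em0"
lan_if  = "em1"
opt1_if = "em2"
# Constructed private address of the DMZ web server behind OPT1
web_srv = "192.168.2.10"

# Port forward (GUI: Firewall -> NAT -> Port Forward).
# TCP arriving on WAN for the WAN address, port 80, has its destination
# rewritten to the web server before the filter rules are consulted.
rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_srv port 80

# Filter rules are evaluated top down; "quick" stops at the first match,
# so a pass placed above the interface's block is what opens a hole.
# WAN: only the forwarded traffic (already rewritten by rdr) gets in.
pass  in quick on $wan_if proto tcp from any to $web_srv port 80 keep state
block in quick on $wan_if

# LAN: pfSense's default is to allow everything from the LAN network.
pass  in quick on $lan_if from $lan_if:network to any keep state

# OPT1 (DMZ): blocked by default. Add only what the servers need, for
# example DNS plus HTTP/HTTPS towards the Internet, above the final block.
pass  in quick on $opt1_if proto { tcp udp } from $web_srv to any port 53 keep state
pass  in quick on $opt1_if proto tcp from $web_srv to any port { 80 443 } keep state
block in quick on $opt1_if
```

    Moving the `block in quick on $opt1_if` line above the two passes would silently shadow them, which is the first-match behaviour the post describes.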



  • I don't want to do a port forwarding nat, or 1:1 nat, because I want the public IPs available to the outside interface.  Also the port 80 (web) requests need to be routed to 2 different servers, so port forwarding wouldn't be able to work either.  I understand the firewall rules, but I don't actually have the port set up as a DMZ port; that's the part I can't figure out.  And yes, it's the OPT1 port that will be acting as the DMZ if I can; it's enabled and unblocked but that's about as far as I can get it.



  • Sorry, I'm finding it difficult to understand your requirements. In particular:
    @tumanator:

    I don't want to do a port forwarding nat, or 1:1 nat because I want the public IP's available to the outside interface.

    You have a block of public IP addresses? You want the WAN interface to have multiple IP addresses? You want the DMZ hosts to have public IP addresses?

    @tumanator:

    Also the port 80 (web) requests need to be routed to 2 different servers so port forwarding wouldn't be able to work either.

    Well what information are you expecting the pfSense box to use to route the web requests? Do you want some form of http load balancing?

    @tumanator:

    but I don't actually have the port set up as a DMZ port, that's the part I can't figure out.

    I don't understand what you mean by this. Are you looking for a single setting to say a port interfaces to a DMZ? If so, there isn't one I know of.



  • Sorry, I can see where what I've said is confusing; honestly I'm just not sure yet what I'm trying to do myself.  Basically I have 3 public IP addresses, x.x.x.29, 55, 56, so they're not contiguous.  Without getting a block of my own I don't see how this will work behind a firewall, but my ISP believes it's possible with PFsense; with what I know of routing I'm skeptical, but I'd like to get everything behind a firewall.  What I guess I need is the PFSense to essentially bridge the OPT1 interface with the WAN interface and allow the servers access through the firewall without routing it.



  • @tumanator:

    honestly I'm just not sure yet what I'm trying to do myself.

    Until you work that out (and why you want to do what you decided) why not run a configuration with just one public IP on the WAN side, private IP addresses on LAN and OPT1 and port forwarding through the firewall? This would give you some experience with pfSense and that may help you decide what you really want to do.

