    WAN / DMZ both with public IP's and different subnets

    Firewalling
      kmanango:

      Is it possible to do the following deployment:

      WAN - Connected to the internet with IP address (W) on subnet (A)/30
      DMZ - Connected to the internet with IP address (D) on subnet (B)/26

      My ISP has basically assigned a WAN IP with an IP address and subnet different than the block of IP addresses given to me to use for my servers.  I would then assign IP addresses from subnet (B) to my servers.  I basically want the traffic routed without NAT yet all the functionality of firewall and filtering between the WAN and DMZ.

      I searched the forums and found "bridging" and "transparent" modes but don't think they apply to me.  Bridging sounds like just traffic pass-through between ports and transparent mode seems to just be the same subnet on both interfaces with the firewall in the middle.  Am I mistaken?

      The only other solution I can think of is to do a 1:1 NAT and assign subnet (B) as an alias on the WAN.

      Can someone tell me if I am heading in the right direction?

      Thanks

        podilarius:

        IMO assigning the /26 as ProxyARP aliases on WAN is the more secure method. You can setup pfSense to be a filtering bridge. I have done this in openbsd but not yet in pfSense. The concept is the same though. I have heard there is documentation in docs.pfsense.org on creating a filtering bridge.

          kmanango:

          I looked at bridge filtering too and found a bunch of articles.  What I don't really understand is the difference between bridging 2 interfaces, in my case the WAN and DMZ, versus creating an outbound mapping with "Do Not NAT".

            podilarius:

            @kmanango:

            I looked at bridge filtering too and found a bunch of articles.  What I don't really understand is the difference between bridging 2 interfaces, in my case the WAN and DMZ, versus creating an outbound mapping with "Do Not NAT".

            The main difference is that the servers get a live internet IP and you don't have to worry about NAT reflection. Bridging or transparent firewall I have heard is more secure. It all depends on what you are comfortable with.

              kmanango:

              Thanks.  I got everything up and running on 2.0 and it is working great.  I actually looked at a lot of other products and the only way was to do a 1:1 NAT, which requires a double set of IPs for each server, which is an administrative pain.

              I know I have seen many others ask how to do this and I thought I would share it.  Here's my network diagram:

              Internet
                 |
                ISP
                 |
              PfSense
                 |
                / \
              LAN  DMZ

              I basically have 3 networks:

              1/ N1 - Public /30 address (WAN)
              2/ N2 - Public /26 address (DMZ)
              3/ N3 - Internal LAN (10.X.X.X) address (LAN)

              My requirement is that I want N2 to be filtered by PF and that all traffic going in and out can be filtered.  Note that I am assigning IPs from N2 directly to each server.  Here's how I set up PF:

              1/ Configure 3 interfaces: WAN, LAN, DMZ
              2/ Specify an IP address from each network to their respective interfaces
              3/ Under Interfaces->(assign)->Bridges, create a new bridge with WAN and DMZ.  This will route the traffic as is between the networks and not be a NAT relationship
              4/ Under Firewall->NAT->Outbound select manual and delete all rules

              That is basically it.  Everything will route properly now.  The only thing left is to create inbound and outbound rules.  To create an outbound rule, under Firewall->Rules->DMZ, create a new rule for your server to the internet.  Here's an example setting for outbound HTTP:

              Action: Pass
              Interface: DMZ
              Protocol: TCP
              Source: Single IP and specify the N2 IP assigned directly to the server
              Source port range: any/any
              Destination: any
              Destination port range: 80/80

              This will basically allow any server connected to the DMZ interface to access port 80 on any network.  To create an inbound rule, under Firewall->Rules->WAN, create a new rule for inbound traffic from the internet to your server:

              Action: Pass
              Interface: DMZ
              Protocol: TCP
              Source: any
              Source port range: any/any
              Destination: Single IP and specify the N2 IP assigned directly to the server (same as the outbound rule)
              Destination port range: 80/80

              This will allow any computer connected to the WAN (basically the internet) to connect to port 80 on the server.

              I actually verified with port scans that this was the only port open and broadcasting.  I hope others find this useful as I didn't see any exact instructions (most were "setup a bridge" or outdated) within the forums.

              Final note is that you will see I am connected to the LAN but no rules.  This is because I only use the LAN to administer PF.  You are more than free to create port forwards to your LAN but this isn't something I am doing with what I am trying to accomplish.

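As an added example (not from the thread or from pfSense itself), here is a small Python model of pfSense's first-match rule evaluation loaded with the two rules from the post above, so the default-deny behaviour can be checked flow by flow, including a simulated version of the port-scan check the poster describes. The addresses, the `Flow`/`Rule` names and the choice to bind the inbound rule to WAN (the section it was created under) are assumptions for illustration.

```python
# Added example, not from the thread: first-match model of the two pfSense rules
# in the post above. Addresses are constructed documentation values, not the
# poster's real N2 block.
from dataclasses import dataclass

SERVER_IP = "203.0.113.10"      # stands in for "the N2 IP assigned to the server"
INTERNET_HOST = "198.51.100.7"  # constructed host on the WAN (internet) side

@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet *enters* pfSense on ("WAN" or "DMZ")
    proto: str
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str
    iface: str
    proto: str
    src: str     # "any" or a single IP, as in the post's "Single IP" choice
    dst: str
    dport: range

    def matches(self, f: Flow) -> bool:
        return (self.iface == f.iface and self.proto == f.proto
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and f.dport in self.dport)

# The two rules from the post. pfSense rules match traffic entering the interface
# they are bound to; the inbound rule is placed on WAN (Firewall->Rules->WAN).
RULES = [
    Rule("pass", "DMZ", "tcp", SERVER_IP, "any", range(80, 81)),  # outbound HTTP
    Rule("pass", "WAN", "tcp", "any", SERVER_IP, range(80, 81)),  # inbound HTTP
]

def evaluate(flow: Flow, rules=RULES) -> str:
    """First matching rule wins; with no match the implicit default is block."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return "block"

def open_ports_from_internet(target: str, ports=range(1, 1025), rules=RULES):
    """Model of the poster's port-scan check: which TCP ports on `target`
    does a host on the internet side reach through the WAN interface?"""
    return [p for p in ports
            if evaluate(Flow("WAN", "tcp", INTERNET_HOST, target, p), rules) == "pass"]
```

Anything not covered by the two pass rules, such as a connection to the server on port 22 or to a second DMZ host, falls through to the implicit block.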