WAN / DMZ both with public IPs and different subnets



  • Is it possible to do the following deployment:

    WAN - Connected to the internet with IP address (W) on subnet (A)/30
    DMZ - Connected to the internet with IP address (D) on subnet (B)/26

    My ISP has basically assigned a WAN IP with an IP address and subnet different than the block of IP addresses given to me to use for my servers.  I would then assign IP addresses from subnet (B) to my servers.  I basically want the traffic routed without NAT yet all the functionality of firewall and filtering between the WAN and DMZ.

    I searched the forums and found "bridging" and "transparent" modes but don't think they apply to me.  Bridging sounds like just traffic pass-through between ports and transparent mode seems to just be the same subnet on both interfaces with the firewall in the middle.  Am I mistaken?

    The only other solution I can think of is to do a 1:1 NAT and assign subnet (B) as an alias on the WAN.

    Can someone tell me if I am heading in the right direction?

    Thanks



  • IMO assigning the /26 as ProxyARP aliases on WAN is the more secure method. You can set up pfSense to be a filtering bridge. I have done this in OpenBSD but not yet in pfSense. The concept is the same though. I have heard there is documentation in docs.pfsense.org on creating a filtering bridge.



  • I looked at bridge filtering too and found a bunch of articles.  What I don't really understand is the difference between bridging 2 interfaces, in my case the WAN and DMZ, versus creating an outbound mapping with "Do Not NAT".



  • @kmanango:

    I looked at bridge filtering too and found a bunch of articles.  What I don't really understand is the difference between bridging 2 interfaces, in my case the WAN and DMZ, versus creating an outbound mapping with "Do Not NAT".

    The main difference is that the servers get a live internet IP and you don't have to worry about NAT reflection. Bridging or transparent firewall I have heard is more secure. It all depends on what you are comfortable with.



  • Thanks.  I got everything up and running on 2.0 and it is working great.  I actually looked at a lot of other products and the only way was to do a 1:1 NAT, which requires a double set of IPs for each server, which is an administrative pain.

    I know I have seen many others ask how to do this and I thought I would share it.  Here's my network diagram:

    Internet
        |
       ISP
        |
     PfSense
       /   \
     LAN   DMZ

    I basically have 3 networks:

    1/ N1 - Public /30 address (WAN)
    2/ N2 - Public /26 address (DMZ)
    3/ N3 - Internal LAN (10.X.X.X) address (LAN)

    My requirement is that I want N2 to be filtered by PF and that all traffic going in and out can be filtered.  Note that I am assigning IPs from N2 directly to each server.  Here's how I set up PF:

    1/ Configure 3 interfaces: WAN, LAN, DMZ
    2/ Specify an IP address from each network to their respective interfaces
    3/ Under Interfaces->(assign)->Bridges, create a new bridge with WAN and DMZ.  This will route the traffic as is between the networks and not be a NAT relationship
    4/ Under Firewall->NAT->Outbound select manual and delete all rules

    That is basically it.  Everything will route properly now.  The only thing left is to create inbound and outbound rules.  To create an outbound rule, under Firewall->Rules->DMZ, create a new rule for your server to the internet.  Here's an example setting for outbound HTTP:

    Action: Pass
    Interface: DMZ
    Protocol: TCP
    Source: Single IP and specify the N2 IP assigned directly to the server
    Source port range: any/any
    Destination: any
    Destination port range: 80/80

    This will basically allow any server connected to the DMZ interface to access port 80 on any network.  To create an inbound rule, under Firewall->Rules->WAN, create a new rule for inbound traffic from the internet to your server:

    Action: Pass
    Interface: DMZ
    Protocol: TCP
    Source: any
    Source port range: any/any
    Destination: Single IP and specify the N2 IP assigned directly to the server (same as the outbound rule)
    Destination port range: 80/80

    This will allow any IP computer connected to the WAN (basically the internet) to connect to port 80 for the server.

    I actually verified with port scans that this was the only port open and broadcasting.  I hope others find this useful as I didn't see any exact instructions (most were "setup a bridge" or outdated) within the forums.

    Final note is that you will see I am connected to the LAN but have no rules.  This is because I only use the LAN to administer PF.  You are more than free to create port forwards to your LAN, but this isn't something I am doing with what I am trying to accomplish.


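The same no-NAT filtering bridge written out as a hand-edited pf.conf for a plain FreeBSD box, added here as an illustration of what the GUI steps above amount to. This is not the poster's configuration and not the ruleset pfSense 2.0 generates; the interface names em0/em1/em2, the 203.0.113.0/26 block standing in for N2, the server address 203.0.113.10, the 10.0.0.0/8 management network and the sysctl values are all assumptions for the example.

```pf
# Filtering bridge: WAN (em0) and DMZ (em1) are members of bridge0, LAN (em2)
# is management only. Assumed FreeBSD host setup, not generated by pfSense:
#
#   /etc/rc.conf:
#     cloned_interfaces="bridge0"
#     ifconfig_bridge0="addm em0 addm em1 up"
#
#   /etc/sysctl.conf (filter on the member interfaces, not on bridge0, so
#   each packet is checked once against the rules of the NIC it arrived on):
#     net.link.bridge.pfil_member=1
#     net.link.bridge.pfil_bridge=0
#     net.link.bridge.pfil_onlyip=1   # ARP is bridged unfiltered; the bridge needs it
#
# Both public blocks keep their real addresses: there is no nat or rdr rule
# anywhere, which is the point of the whole setup.

wan     = "em0"
dmz     = "em1"
lan     = "em2"
dmz_net = "203.0.113.0/26"      # assumed: the /26 the ISP routed to you (N2)
web     = "203.0.113.10"        # assumed: one server, address assigned on its own NIC
mgmt    = "10.0.0.0/8"          # assumed: internal LAN (N3)

set skip on lo0
set block-policy drop

# Default deny on every filtered interface; everything below is an exception.
block log all

# Outbound from the DMZ server: port 80 anywhere. States float by default in
# pf, so the state created when the packet comes in on $dmz also passes the
# same packet when the bridge sends it out on $wan; no matching "pass out" is
# needed.
pass in quick on $dmz inet proto tcp from $web to any port 80 \
    flags S/SA keep state

# Inbound from the internet: only port 80 on the server, nothing else in the
# /26 is reachable. The "quick" keeps a later rule from overriding this one.
pass in quick on $wan inet proto tcp from any to $web port 80 \
    flags S/SA keep state

# Anything else trying to reach the DMZ block from the WAN side is dropped by
# the default "block" above; this line only exists to log it separately.
block in log quick on $wan inet from any to $dmz_net

# The firewall's own WAN address (N1, the /30) still needs to talk to its
# gateway for updates and DNS.
pass out quick on $wan inet from ($wan) to any keep state

# Management from the internal LAN only: ssh and the web GUI on the LAN address.
pass in quick on $lan inet proto tcp from $mgmt to ($lan) port { 22, 443 } \
    flags S/SA keep state
pass out quick on $lan inet from ($lan) to $mgmt keep state
```

Before loading this on a live box, check the syntax with `pfctl -nf /etc/pf.conf`, then confirm with `pfctl -sr` that the two `pass in` rules for the server are present and with `pfctl -ss` that a state appears on the member interface, not on bridge0, when you fetch a page from the server. If `net.link.bridge.pfil_bridge` is left at 1 as well, every packet is evaluated twice (once on the member, once on bridge0), which is usually not what was intended and makes rule debugging confusing.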