Since there is no DMZ, can I open ports 0-65000 to single local IP?

  • Hi everyone,

    I want to mimic an ISP modem (don't manage the firewall for a single IP). I want the user to be able to connect their own router to pfSense and then set their own firewall on that specific router. I am planning not to do any NAT forwarding for that specific LOCAL IP that is assigned to the second user router, but in the firewall simply allow ports 0-65000 to that local IP.

    Is that an all-right thing, and would it work? So every packet will hit the local IP, right?
    Also, would the range 0-65000 be problematic to any services?


  • Not 0-65000 but 1-65535.
    But yes, this should work.

    You might want to configure your own manual outbound NAT rules and set it so that outbound connections from this client won't be scrambled.

  • Thanks for the info.

    How would the outbound be affected when we set inbound? Outbound is set to Automatic right now.

    Also, by allowing this we are simply creating a DMZ (in the sense known in commercially available routers), and the firewall allows packets to reach the DMZ client, whether it wants to accept them or not.

    I mean I can have multiple DMZs in this scenario and not worry.

    Am I right with all assumptions above?


  • Rebel Alliance Developer Netgate

    Why forward that many ports? Just use 1:1 NAT.

    In 2.0 you can do 1:1 NAT even on the WAN IP.

    (And really, that is not a DMZ, no matter what low-grade commercial routers like to call it. Exposing a host on your LAN fully to the Internet is not a DMZ; a DMZ has proper segmentation protecting your LAN from the server as well.)

  • Thanks jimp.

    So, I can set multiple clients in 1:1 NAT while I have a single WAN IP address?


  • Rebel Alliance Developer Netgate

    No, you need one external IP address for each internal client.

    You can't forward the same port to multiple clients either - same restriction.

    No router can do that.

  • Well, I am not forwarding. I mean I don't want NAT forwarding. I want the ports to be open (I guess it's still called forwarding?!). Could I make pfSense act like a dumb switch and send the packets for port 80 to all clients on the LAN? That is my idea of the DMZ.

    Of course I will have only one HTTP server on one of my clients. But I may rotate the HTTP server from client to client from time to time, and that is why I want all the port 80 HTTP requests to hit all of my clients and allow my clients to decide to accept or reject them.

    Thanks again

  • Rebel Alliance Developer Netgate

    If there is NAT involved anywhere, you must use port forwards or 1:1, that is the only way to "open" them.

    The only way around that is if every internal client has a routable IP address and there is no NAT being done. Then it's just a matter of passing the traffic in with firewall rules.

    If you only have one external IP, you can only map one port on that external IP to one port on one internal machine.

    You can't just open it up to everything in the way you are describing, nothing can. There is no way to tell which internal machine a request should be forwarded to in that way.

    (With the possible exception of reverse proxies directing to multiple http servers based on the host header of the inbound request, and/or port forwards that are conditional based on the source address of a connecting client)
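As an added illustration (not code from the thread or from pfSense itself), a small Python model of the point jimp makes above: a port forward on a single external IP is keyed on protocol and external port, so a second forward for the same key to a different internal host is an ambiguity the NAT engine cannot resolve; the only ways to distinguish are a source-address condition on the forward or a reverse proxy choosing a backend from the Host header. All addresses are constructed documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Forward:
    proto: str                 # "tcp" or "udp"
    ext_port: int              # port on the single external IP
    target: str                # internal host the packet is rewritten to
    src_net: Optional[str] = None  # optional source condition, None = any source


class NatTable:
    """Minimal model of inbound port forwards on one external IP."""

    def __init__(self) -> None:
        self.rules: List[Forward] = []

    def add(self, rule: Forward) -> None:
        # Same proto/port/source condition but a different target is ambiguous:
        # the router has no information to decide which host should get the packet.
        for r in self.rules:
            if (r.proto, r.ext_port, r.src_net) == (rule.proto, rule.ext_port, rule.src_net) \
                    and r.target != rule.target:
                raise ValueError(f"{rule.proto}/{rule.ext_port} already forwarded to {r.target}")
        self.rules.append(rule)

    def lookup(self, proto: str, ext_port: int, src_ip: str) -> Optional[str]:
        """Return the internal target for an inbound packet, or None if nothing is forwarded."""
        src = ip_address(src_ip)
        # Source-conditional forwards are more specific, so they are checked first.
        ordered = [r for r in self.rules if r.src_net] + [r for r in self.rules if not r.src_net]
        for r in ordered:
            if r.proto == proto and r.ext_port == ext_port:
                if r.src_net is None or src in ip_network(r.src_net):
                    return r.target
        return None


def proxy_dispatch(host_header: str, backends: Dict[str, str]) -> Optional[str]:
    """Reverse-proxy alternative: pick a backend from the HTTP Host header (port stripped)."""
    return backends.get(host_header.split(":")[0].lower())
```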
