Single Incoming Physical WAN to LAN and DMZ



  • Hello Folks,

    I'm planning to build two 2.0.1 devices (Core i3, 4GB RAM!) utilizing CARP, with 4 NIC ports available in each.

    The question I have (which I searched and don't quite see answered) is how to take a single incoming address range from my co-lo provider, a /27, and split it to two NAT'd ranges on the back end – one LAN and one DMZ.

    Here is an example of the address spaces:

    Public: 72.16.1.x
    LAN: 192.168.2.x
    DMZ: 10.0.3.x

    I will need 1:1 NAT for most of the addresses in the DMZ, for a few in the LAN range, and I want to make sure the LAN and DMZ ranges are separated by a firewall. (Ideally, I can allow my devs to get to the DMZ zone servers via SSH while VPN'd into the LAN zone, but nothing can flow the other direction!)

    The caveat? I need to get this figured out and then order the hardware to arrive by Friday. Our current (Zywall USG300) firewalls are just crappy.

    We will be purchasing support for these once we are operational. If purchasing support tomorrow will garner a faster response, please IM/email me and let me know.



  • All can be done with carp + nat + firewall rules.

    Visit pfsense website to see how support works.



  • @marcelloc:

    All can be done with carp + nat + firewall rules.

    Visit pfsense website to see how support works.

    How about we talk it out here for future folks? No need for snarkiness.

    I attempted to purchase support (three times) several hours ago. I'm sure once Bank of America or the pfSense guys get their shit together, I'll be able to purchase it later today.

    FWIW, I'm sure it's BoA. I just dropped $3k on hardware.



  • What do you have working until now?

    What I understood from your post was that you are planning to set up. That's why I told you that was possible.

    After you install both boxes, just post what you can't configure.



  • @marcelloc:

    What do you have working until now?

    What I understood from your post was that you are planning to set up. That's why I told you that was possible.

    After you install both boxes, just post what you can't configure.

    No, how about we talk about what is possible? The hardware will be here Tuesday.

    We're currently running pfSense.

    I just spent $2k on pfSense hardware and I tried to spend $600 on official support. (Again, it's probably Bank of America freaking out.)

    So let's talk about what is possible.

    (Yep, it's BoA, not the pfSense guys.)

    Be right back. :)



  • To use CARP you will need one real IP for each pfSense plus all the others using CARP.

    I suggest you use one of your 4 Ethernet ports to sync between boxes.
    A new feature in 2.x that will help with VIP assignment is in this post from jimp:
    http://forum.pfsense.org/index.php/topic,45209.msg240909.html#msg240909

    After sync and CARP, just create your 1:1 NAT under Firewall -> NAT and then change your outbound NAT to manual to create your specific outgoing NAT translation rules.

    By default, all interfaces but LAN have no access to anywhere. You will need to change this default rule to deny access from LAN to DMZ.
    All other rules you can create on the interface where the traffic starts. If you want to allow Internet access from a host on the DMZ, the rule will be on DMZ. If you want to allow everyone to reach your web server, then the rule will be assigned on WAN.
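
    The ruleset below is an added example, not part of this thread and not what the pfSense GUI itself generates: it is a hand-written pf.conf that expresses the layout discussed above (CARP pair, 1:1 NAT for DMZ and a few LAN hosts, manual outbound NAT, LAN/DMZ separation with SSH allowed only from VPN'd developers) in the nat/rdr/binat-then-filter syntax of the pf that ships with pfSense 2.0 on FreeBSD 8.x. The interface names, the specific 72.16.1.x host addresses, the OpenVPN instance `ovpns1` and the 192.168.200.0/24 tunnel network are all assumptions chosen for illustration.

```pf
# Added example, not from the thread or from pfSense itself.  Interface
# names, host addresses and the VPN tunnel network are assumptions.

# ---- interfaces (assumed device names; the 4th port carries pfsync) ----
wan_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
sync_if = "em3"
vpn_if  = "ovpns1"              # assumed OpenVPN server instance the devs use

# ---- address plan from the thread, with assumed host values ----
wan_vip  = "72.16.1.10"         # CARP VIP shared by both boxes, used for outbound NAT
lan_net  = "192.168.2.0/24"
dmz_net  = "10.0.3.0/24"
vpn_net  = "192.168.200.0/24"   # assumed tunnel network handed to VPN clients
dmz_web  = "10.0.3.20"          # DMZ host published 1:1 as 72.16.1.20
pub_web  = "72.16.1.20"         # must be a CARP VIP (or an alias on one) so it follows the master
lan_mgmt = "192.168.2.50"       # one LAN host that also gets a 1:1 mapping
pub_mgmt = "72.16.1.50"

set block-policy drop
set skip on lo0

# ---- translation (pf evaluates this before the filter rules) ----
# 1:1 NAT: binat rewrites both directions, so one line covers inbound and outbound.
binat on $wan_if from $dmz_web  to any -> $pub_web
binat on $wan_if from $lan_mgmt to any -> $pub_mgmt
# Manual outbound NAT for everything else.  Translate to the CARP VIP, not to
# the node's own real address, or existing states break when the other node
# takes over.
nat on $wan_if from { $lan_net, $dmz_net, $vpn_net } to any -> $wan_vip

# ---- filter: every rule is "quick", so the first match wins ----
block log all

# CARP advertisements and state sync between the two nodes.
pass quick on $sync_if proto pfsync
pass quick on { $wan_if, $lan_if, $dmz_if } proto carp

# WAN: only the published services.  Match on the private address, because
# binat has already translated the destination by the time the filter runs.
pass in quick on $wan_if proto tcp from any to $dmz_web port { 80, 443 } keep state

# DMZ: may reach the Internet, may never open a connection toward LAN or the
# VPN clients.  The block must precede the pass, since "to any" also matches LAN.
block in quick on $dmz_if from $dmz_net to { $lan_net, $vpn_net }
pass  in quick on $dmz_if from $dmz_net to any keep state

# VPN clients: SSH into the DMZ and full access to LAN, nothing else.
pass in quick on $vpn_if proto tcp from $vpn_net to $dmz_net port 22 keep state
pass in quick on $vpn_if from $vpn_net to $lan_net keep state

# LAN: replace the default "allow all" with a deny toward the DMZ, then allow
# the rest (Internet).  Same ordering requirement as on the DMZ interface.
block in quick on $lan_if from $lan_net to $dmz_net
pass  in quick on $lan_if from $lan_net to any keep state
```

    A few things worth checking when mapping this onto the GUI: `pfctl -nf` on the file parses it without loading it, which is a quick way to catch ordering mistakes before touching a live box. "Nothing can flow the other direction" holds for new connections only; SSH replies from the DMZ still return to the VPN client through the state table, which is what you want. Every public address used for 1:1 NAT has to be a CARP VIP rather than a per-node real address, otherwise that mapping stops answering the moment the master fails over, and the outbound translation address must likewise be the shared VIP. The ruleset must exist identically on both nodes, which is what the sync interface is for.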

