DMZ bridge, VIP or Proxy ARP?

    As a newbie to pfSense I got a little confused trying to find the best way to set up a proper DMZ.
    On the Shorewall we use until this very day (the pfSense box will be the replacement; the hardware was getting too old) Proxy ARP tables to give all the machines behind the DMZ IF a public IP. With the interface masquerading to the WAN IP address and a short but effective set of rules this works fine.
    Searching the fora for answers to set up a similar DMZ I found several other ways to Rome. So now I cannot decide what to choose. Some advice on this matter would be great.

    What we want is: A DMZ with in it our mail and a backup server which should both be reachable from the inside and the outside, and about five servers for streaming who should look mostly only to the outside.

    Questions are:
    If I bridge the DMZ IF to the WAN, do I still have to set up Proxy ARP tables or is it enough to give the machines behind the firewall their own public IP?
    If I use Proxy ARP do I need then to give the machines a corresponding IP or can I give them just a subnet IP and use port forwarding to reach them on the inside?
    Or should we use IP aliases?

    Any clear advice will be accepted with big thanks,


    firewall is as life: a puzzle.
    but at least there are answers to the firewall.

