Routing between LAN and bridged DMZ

  • Hi,

    Another question, still searched for hours without any solutions. I have a dual WAN pfSense 2.0.1 with LAN and DMZ.

                  +--- ISP1 Modem --- ISP1 Router ---- WAN  (WAN_ISP1) --+
                  |                   (69.XX.XXX.97)                     |
    Internet -----|                                                      |-- pfSense >
                  |                                                      |
                  +--- ISP2 Modem --- ISP2 Router ---- OPT1 (WAN_ISP2) --+
                  +--- LAN  (LAN)  ---- Switch --- Multiple computers behind NAT, DHCP
                  |    (
    > pfSense +
                  +--- OPT2 (DMZ)  ---- Switch -+- Server 1 (69.XX.XXX.98, 66.XXX.XXX.57, 66.XXX.XXX.58,...)
                                                +- Server 2 (69.XX.XXX.99,...)

    Note : WAN_ISP2 and DMZ are bridged, for the moment I don't need IPs from ISP1 so I'll bridge the other WAN later!

    Now everything works except I can't figure out how to access for example http://66.XXX.XXX.58 from LAN. For sure I can't use NAT reflexion as before, looks like I have to add some kind of routing rule.

    Anyone can give me a part of solution?

    Thank you!

  • What IP's are configured on the interfaces WAN_ISP2 and DMZ ? What IP is configured on the bridge itself?

    I would assign the bridge as interface, set WAN_ISP2 and DMZ to 'none' and configure the public IP 66.XXX.XXX.57 on the bridge itself.
    Now it should be a simple routed setup.

  • Hi,

    Here is a screenshot :

    Note ISP1 is VIDEOTRON and ISP2 is B2B2C, they are both STATIC. The BRIDGE0 has no interface assigned. If I understand you I need to :

    • Remove WAN_B2B2C
    • Link BRIDGE0 to em1
    • Assign static IP to em1 (BRIDGE0)

    And that's all?!

  • Not remove, but configure the IP to 'none'

  • I've done these changes :

    • WAN_B2B2C Type : none
    • DMZ Type was already none
    • Added interface OPT3 with Network port BRIDGE0
    • Moved the gateway from WAN_B2B2C to OPT3
    • Configured static 66.XX.XX.58/29 to OPT3 with the previous gateway (66.XX.XX.57)
    • Created a temporary rule in OPT3 allow all

    Now the HTTP server can't be reach from Internet as it was just before (of course I got a backup before just in case!)

    Something is wrong or am I missing something?

    Thank you.

    ![ - Interfaces- Assign network ports new.png](/public/imported_attachments/1/ - Interfaces- Assign network ports new.png)
    ![ - Interfaces- Assign network ports new.png_thumb](/public/imported_attachments/1/ - Interfaces- Assign network ports new.png_thumb)

  • Are there rules on WAN_B2B2C to allow access to the DMZ? (maybe start with an allow any-any rule to debug)
    Do the servers behind the bridge actually have the upstream router (66.XXX.XXX.56) as default gateway?

  • Hi,

    I'll setup a virtual pfSense with virtual computers since it is difficult to test on a production router! I'll be back in couple of days with a setup for tests!

    Thank you,


  • Hi,

    Based on this't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F I've used a different approch I manually added these configs :

    route add -host 66.XX.XX.60 netmask fxp0
    route add -host 66.XX.XX.61 netmask fxp0
    route add -host 66.XX.XX.62 netmask fxp0

    In my case fxp0 is the DMZ interface of course. Just bad I've not found a "clean" solution. I've used this method because I want to keep the firewall filtering between internet and the DMZ while using public IP locally!

    Thank you!

  • Hello,
    i try to set route but not have success.

    route add -host x.x.x.x netmask em2 (my DMZ interface).
    The DMZ (noip) iface is bridged with external iface (noip).

    The pfsense answer is:
    route: writing to routing socket: Network is unreachable
    add net x.x.x.x : gateway netmask: Network is unreachable

    Can you help me?
    Thank you

Log in to reply