Typical setup for webserver DMZ



  • I currently have multiple web/mail servers in the DMZ, each with its own public IP (x.y.z.w). The DMZ is added as an OPT1 device on the public x.y.z.w/28 subnet. The WAN interface has another public IP in the form a.b.c.d/32.

    But the problem is that when I do curl pfsense.org/ip.php from a server in the DMZ, I get the IP of the WAN interface (a.b.c.d), not the public IP of the server. That's why the mail server has some problems, because some other servers refuse to accept mail from a server whose DNS does not resolve to its public IP (DNS resolves to the public IP of the server, but the actual public IP is the one from the WAN interface).

    I guess the solution is to use Virtual IPs with 1:1 NAT or outbound NAT rules. But I am a bit confused about how to do it properly.

    For outbound NAT, right now each server has only public IPs, so I guess I cannot make a rule saying translate outbound IP x.y.z.w1 from DMZ to IP x.y.z.w1 on the WAN interface.

    For Virtual IPs, since those IPs are already used on the servers and I have the DMZ interface on the x.y.z.w/28 subnet, I guess I cannot also add those IPs as Virtual IPs.

    So, what is the proper way to set up a DMZ? Should I have a 10.0.0.0/8 local subnet on the DMZ, and then use 1:1 NAT with Virtual IPs or use outbound NAT rules? What is more common in practice? To me Virtual IPs look much more like the clean solution.

    Another problem is that the webserver is running cPanel, and I guess it will have some problems if I assign a local IP to the server. Can I set up a local IP 10.x.y.z on the server and then also add the public IPs (x.y.z.w1-4), or will this cause any problems with routing?




  • I doubt that your problem is pf related.

    If you are using DNS resolution for your outbound SMTP mail server, then you need to set up Reverse DNS (rDNS) on your public mail server IP (e.g. smtp.xyz.com). Most ISPs will do this if you write to them; however, if you are running on a private DSL line, they might not help you.

    As an alternative you can set up most mail servers to use a "smart host" to forward mail through, but you might face some mail size and other restrictions on smart hosts.
    Typically your ISP has a smart host available, or you can use a commercial one.

    Hope it helps.



  • @sebadler:

    I doubt that your problem is pf related.

    If you are using DNS resolution for your outbound SMTP mail server, then you need to set up Reverse DNS (rDNS) on your public mail server IP (e.g. smtp.xyz.com). Most ISPs will do this if you write to them; however, if you are running on a private DSL line, they might not help you.

    As an alternative you can set up most mail servers to use a "smart host" to forward mail through, but you might face some mail size and other restrictions on smart hosts.
    Typically your ISP has a smart host available, or you can use a commercial one.

    Hope it helps.

    I am quite sure it is pf related. I have reverse DNS set for all servers (nslookup a.b.c.d (the gateway) resolves to gw.company.com, nslookup x.y.z.w1 (the mail server) resolves to smtp.company.com).

    I think 1:1 NAT is the solution, but I am not sure how to set it up.



  • If your ISP is routing your public IP space to the /32 on the WAN, then you only need to disable NAT for the DMZ network. It sounds like you still have automatic outbound NAT on, or still have the auto-created rules.
    Switch outbound NAT to manual. It should create a default set of rules.
    Remove any rule that includes the DMZ subnet.
    Set up FW rules to allow traffic from WAN to DMZ. Do the same for your LAN (to allow access into the DMZ).
    You do not need 1:1 NAT or port forwards for a routed set of public IP addresses.
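    As an added illustration of the steps in the answer above (this is example configuration written for this page, not rules from the thread or shipped by pfSense), here is what those GUI actions amount to in pf syntax, the form pfSense writes to /tmp/rules.debug. The interface names, the private LAN network and the service ports are assumptions; the addresses are the thread's own placeholders.

    ```pf
    # Assumed interface names and networks; addresses are the thread's placeholders.
    ext_if  = "em0"             # WAN, carries a.b.c.d/32
    lan_if  = "em1"             # LAN, private address space
    dmz_if  = "em2"             # OPT1/DMZ, public x.y.z.w/28 routed by the ISP to a.b.c.d
    wan_ip  = "a.b.c.d"
    dmz_net = "x.y.z.w/28"
    lan_net = "192.168.1.0/24"  # assumed RFC1918 LAN
    mail    = "x.y.z.w1"        # smtp.company.com in the thread

    # --- Before: what automatic outbound NAT amounts to -------------------------
    # Every locally attached network, the DMZ included, leaves WAN with its source
    # rewritten to the WAN address. This is the rule that makes curl from a DMZ host
    # report a.b.c.d and breaks the forward/reverse DNS match for the mail server.
    #
    #   nat on $ext_if inet from $dmz_net to any -> $wan_ip
    #   nat on $ext_if inet from $lan_net to any -> $wan_ip

    # --- After: manual outbound NAT with the DMZ rule removed -------------------
    # The DMZ is routed public space, so it must never be translated. Dropping the
    # DMZ rule is enough; the explicit "no nat" line is optional but documents the
    # intent and keeps the DMZ exempt if a broader source match is added later.
    no nat on $ext_if from $dmz_net to any
    nat on $ext_if inet from $lan_net to any -> $wan_ip

    # --- Filtering: with no port forward, inbound WAN traffic to the DMZ has to be
    # passed explicitly per host and service, and LAN needs its own rule to reach
    # the DMZ. Everything not listed stays blocked by pfSense's default deny.
    pass in quick on $ext_if inet proto tcp from any to $mail port { 25, 465, 587 }
    pass in quick on $ext_if inet proto tcp from any to $dmz_net port { 80, 443 }
    pass in quick on $lan_if inet from $lan_net to $dmz_net
    pass in quick on $dmz_if inet from $dmz_net to any   # DMZ hosts may originate traffic
    ```

    The check afterwards is the one from the first post: curl pfsense.org/ip.php from the mail server should now return x.y.z.w1, and a PTR lookup of that address should give smtp.company.com, which is what receiving mail servers compare against. If the WAN address still shows up, a NAT rule matching the DMZ source is still present ahead of the "no nat" line.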

