Filtered bridge vs 1:1 NAT

  • Hello all,

    I'm looking for advice regarding choosing a Bridge or 1:1 NAT for a DMZ with pfSense.

    The address space from the ISP is within  In other words, I get addresses 8-15 within the class C network.  7 of the 8 addresses are in use.  The current deployment is using Shorewall running under Linux.

    The hosts in the DMZ are currently using public addresses (.9 through .14), and the firewall is using .8.  The WAN NIC on the firewall is configured as and the DMZ NIC is configured as 111.111.111/32 (yes, same IP, different masks).  The hosts in the DMZ are presented to the WAN interface via ProxyArp.  Hosts in the DMZ need to be accessible both from the LAN and from inbound WAN.

    From brief reading and experimentation, it would appear this type of configuration is not an appropriate choice with pfSense.  The alternatives that appear to be available are moving the DMZ to private addresses ( and use 1:1 NAT, or to configure the WAN and DMZ as a filtered bridge.

    Going the 1:1 NAT approach, I will have to re-IP the hosts in the DMZ.  This is painful, but doable.  I will also have to redo the internal DNS maps for the DMZ.  Annoying, but minor.

    Going the bridging approach feels very much like the current ProxyArp approach, and allows me to avoid the re-IP.  However, most of the discussion I've read in the mailing lists seems to be rather negative on this approach, usually referring to LAN access (no longer an issue?) and to shaping problems (still an issue?).

    Is there a performance impact with either approach?

    I would appreciate any guidance that anyone can offer.



  • I have the exact same situation.  How have things progressed for you?

  • For pfSense, I redid the IP addresses, moving the DMZ to a private net.  Trying to maintain the bridged net resulted in too many complications.

    In the end, however, I ended up moving back to Linux as a base because FreeBSD does not support combining NAT and IPsec.  I did, however, keep the DMZ as a private net.

