Netgate Discussion Forum

    Filtered bridge vs 1:1 NAT

    Category: NAT
    3 Posts, 2 Posters, 3.3k Views
    • dennypage

      Hello all,

      I'm looking for advice regarding choosing a Bridge or 1:1 NAT for a DMZ with pfSense.

      The address space from the ISP is 111.111.111.8/29 within 111.111.111.0/24.  In other words, I get addresses 8-15 within the class C network.  7 of the 8 addresses are in use.  The current deployment is using Shorewall running under Linux.

      The hosts in the DMZ are currently using public addresses (.9 through .14), and the firewall is using .8.  The WAN NIC on the firewall is configured as 111.111.111.8/24 and the DMZ NIC is configured as 111.111.111.8/32 (yes, same IP, different masks).  The hosts in the DMZ are presented to the WAN interface via proxy ARP.  Hosts in the DMZ need to be accessible both from the LAN and from inbound WAN.

      From brief reading and experimentation, it would appear this type of configuration is not an appropriate choice with pfSense.  The alternatives that appear to be available are moving the DMZ to private addresses (192.168.2.0/24) and using 1:1 NAT, or configuring the WAN and DMZ as a filtered bridge.

      Going the 1:1 NAT approach, I will have to re-IP the hosts in the DMZ.  This is painful, but doable.  I will also have to redo the internal dns maps for the DMZ.  Annoying, but minor.

      Going the bridging approach feels very much like the current proxy ARP approach, and allows me to avoid the re-IP.  However, most of the discussion I've read in the mailing lists seems to be rather negative on this approach, usually referring to LAN access (no longer an issue?) and to shaping problems (still an issue?).

      Is there a performance impact with either approach?

      I would appreciate any guidance that anyone can offer.

      Thanks,

      Denny

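      The 1:1 NAT alternative described in the post above (and, per the last reply in the thread, the option that was eventually taken), as an added example that is not part of the thread: a Python script that derives the public-to-private mapping from the thread's own addresses and emits a pf-style rule fragment for review. Everything beyond the addresses quoted in the post is an assumption: the interface names em0/em1, the inbound TCP ports, and the rule syntax itself, which is hand-written FreeBSD pf (binat/pass) rather than anything pfSense generates. In the pfSense GUI the corresponding pieces are the 1:1 tab under Firewall > NAT, Virtual IPs for the public addresses, and ordinary WAN firewall rules.

```python
"""Derive a 1:1 NAT plan for the DMZ described in the thread and render
a pf-style fragment for review.

Addresses are the thread's: 111.111.111.8/29 inside the ISP's on-link
111.111.111.0/24, firewall on .8, DMZ hosts .9-.14, private 192.168.2.0/24.
Interface names, ports and the pf syntax are assumptions for illustration,
not pfSense output.
"""
import ipaddress

# Constructed from the thread's numbers.
ISP_ONLINK = ipaddress.ip_network("111.111.111.0/24")
ALLOCATION = ipaddress.ip_network("111.111.111.8/29")
FIREWALL_WAN = ipaddress.ip_address("111.111.111.8")
PRIVATE_DMZ = ipaddress.ip_network("192.168.2.0/24")
DMZ_HOSTS = [f"111.111.111.{n}" for n in range(9, 15)]   # .9 through .14
WAN_IF, DMZ_IF = "em0", "em1"                             # assumed names


def nat_map(public_hosts, private_net=PRIVATE_DMZ, allocation=ALLOCATION,
            firewall=FIREWALL_WAN):
    """Return {public: private}, keeping the last octet (.9 -> 192.168.2.9).

    Rejects addresses outside the allocated /29, the firewall's own WAN
    address (it is not a NAT target) and the /29's broadcast address.
    """
    mapping = {}
    for pub in map(ipaddress.ip_address, public_hosts):
        if pub not in allocation:
            raise ValueError(f"{pub} is outside the allocated block {allocation}")
        if pub == firewall:
            raise ValueError(f"{pub} is the firewall's own WAN address")
        if pub == allocation.broadcast_address:
            raise ValueError(f"{pub} is the broadcast address of {allocation}")
        priv = private_net.network_address + pub.packed[-1]
        if priv not in private_net:
            raise ValueError(f"{priv} does not fit in {private_net}")
        mapping[pub] = priv
    return mapping


def virtual_ips(mapping, onlink=ISP_ONLINK):
    """Public addresses the firewall must answer ARP for on the WAN.

    They share the on-link /24 with the firewall's .8, so without a
    Virtual IP (proxy ARP or IP alias) upstream traffic for them is never
    delivered to the firewall; this is what the current proxy-ARP setup does.
    """
    return sorted(pub for pub in mapping if pub in onlink)


def pf_rules(mapping, wan_if=WAN_IF, dmz_if=DMZ_IF, inbound_tcp=(22, 443)):
    """Render binat plus filter rules as plain strings for review."""
    rules = [f"binat on {wan_if} from {priv} to any -> {pub}"
             for pub, priv in sorted(mapping.items())]
    # pf translates before filtering on inbound, so WAN filter rules
    # match the post-translation private address, not the public one.
    for _pub, priv in sorted(mapping.items()):
        for port in inbound_tcp:
            rules.append(f"pass in quick on {wan_if} proto tcp "
                         f"from any to {priv} port {port}")
    rules.append(f"pass in quick on {dmz_if} from {PRIVATE_DMZ} to any")
    return rules


if __name__ == "__main__":
    plan = nat_map(DMZ_HOSTS)
    print("# virtual IPs (firewall answers ARP for these on", WAN_IF + ")")
    for vip in virtual_ips(plan):
        print("#  ", vip)
    print("\n".join(pf_rules(plan)))
```

      Two points the script encodes that the post's proxy-ARP setup hides: the firewall still has to answer ARP for .9-.14 on the WAN after the move, and the inbound rules on the WAN are written against the private addresses because pf applies the binat before the filter. LAN hosts reach the DMZ by its private addresses directly (the binat is bound to the WAN interface only), which is the internal DNS change the post mentions.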
      • hadge

        I have the exact same situation.  How have things progressed for you?

        • dennypage

          For pfSense, I redid the IP addresses, moving the DMZ to a private net.  Trying to maintain the bridged net resulted in too many complications.

          In the end, however, I ended up moving back to Linux as a base because FreeBSD does not support combining NAT and IPsec.  I did however keep the DMZ as a private net.

          Denny

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.