DMZ for a wireless host?



  • Hello,

    I know only one way of setting up DMZ in pfsense. Pretty much dedicate an interface and configure firewall rules on that interface…The problem that I am facing is that I need to configure DMZ for a wireless user on the same LAN as all my other hosts, so basicly I can't just start punching holes in firewall for entire subnet. I need to be able to isolate one wireless host and open ports for it.

    I know this sound sort of weird but it's for my portable console. I get NAT type 3 on it and not able to play some games online. Port forwarding is not really helping me so I wanted to add this host in its own DMZ.

    I guess if this is not possible I can just get another wireless router and connect is directly into one of the interfaces on pfsense box but I really don't want to go this route. Have anybody heard of a work around for this type of issue?

    Thank you.


  • Banned

    Yeah, so do it? Where's the problem? Or use VLAN?



  • @doktornotor:

    Yeah, so do it? Where's the problem? Or use VLAN?

    When you are referring to “do it”, you mean 1:1 NAT? I will try that but so far port forwarding didn't work at all.
    The problem is that I can't get it to work  :-.
    Can you elaborate on the Vlan portion?

    Thanks for the reply. :P


  • LAYER 8 Global Moderator

    "Port forwarding is not really helping me so I wanted to add this host in its own DMZ."

    Why is port forwarding not working?  Is your pfsense behind a NAT?  Most of the times there is an issue with port forwarding, you just didn't set it up correctly or they are behind a double nat.



  • Do LAN hosts already have incoming connections such as for Torrent? There is no point in a DMZ for the console if your other LAN hosts already receive incoming connections.

    To isolate a wireless host, your AP will need to support multiple SSIDs and vLAN trunking or you will need a dedicated AP on a vLAN. If you don't have a vLAN capable switch you can plug a the dedicated AP into a secondary interface on pfSense.

    There are other problems when connecting to online services such as Xbox Live. If you manually port forward, then only port 3074 is supported, which means only one console or PC can be online at a time. If you enable uPNP it uses different ports for each device.


  • LAYER 8 Global Moderator

    To the UPnP advice – yeah my son's ps3 I recall seeing something on one of the games he was playing about restrictive nat.. I didn't really want to spend a lot of time investigating all the ports required, etc.

    So just enabled UPnP for his ps3 IP only and let it do its thing and nat warnings went away on the device.



  • Then your network security has already failed. Just enable uPNP for your device.


  • LAYER 8 Global Moderator

    Who's network security failed?  Mine?  UPnP was enabled for ONLY the PS3 IP, and ONLY for ports to it's IP – while not a fan of UPnP in general..  Since the ps3 is on a isolated wlan segment anyway and it can only open ports to itself, I doubt its much of a security concern to be honest.



  • Oh nevermind. I thought you were the OP.


  • LAYER 8 Global Moderator

    What does who the OP have to do with your comment?  Do you believe opening up UPnP is a of security concern?

    If so - then why did you suggest it?
    " If you enable uPNP it uses different ports for each device."



  • Hey Guys,

    I personally consider UPnP a security concern but I don't really care about it in this scenario. Pfsense box is not behind the NAT. It is directly connected to the cable modem. Port forwarding is not working for me for some reason. The only way that I figured out how to make it work is to setup 1-1 NAT and open everything inbound…It works...I just disable it when I am done since it breaks my OPEN VPN. UPnP would have been my best choice if switch or host was directly connected to the Pfsense box. Unfortunately, my topology looks like this:

    wireless AP > switch > Cisco router > Meraki firewall (only does IDS/IPS) > Pfsense firewall.

    If I connect my PS3 directly into Pfsense and enable UPnP on that port everything works, but unfortunately PS VITA is wireless. I guess I can find a cheap wireless AP and run it in bridge mode. From there I can connect it directly to Pfsense and enable UPnP on that. Just don't get why port forwarding is not working....


  • LAYER 8 Global Moderator

    My sons ps3 is wireless and has no issues with UPnP..

    So what is your cisco router doing..  No nat?  So you have internal routing to different segments going on?  And your Meraki is in transparent bridge mode?  Or is layer 3 as well another segment?

    If 1:1 works, then your doing the forwards wrong or not the correct ports.



  • @johnpoz:

    What does who the OP have to do with your comment?  Do you believe opening up UPnP is a of security concern?

    If so - then why did you suggest it?
    " If you enable uPNP it uses different ports for each device."

    Because the OP wanted a DMZ. But if he had other LAN devices which also had port forwards, this made the DMZ pointless and he might as well enable uPNP on the LAN (and just for that particular console's IP address like you've done).



  • @johnpoz:

    My sons ps3 is wireless and has no issues with UPnP..

    So what is your cisco router doing..  No nat?  So you have internal routing to different segments going on?  And your Meraki is in transparent bridge mode?  Or is layer 3 as well another segment?

    If 1:1 works, then your doing the forwards wrong or not the correct ports.

    Cisco is there basicly for DHCP and nothing else. I removed it out of the mix last week and there was no changes on my network. I have to keep it in because my meraki firewall MX60 doesn't do DHCP in the bridge mode. Meraki AP is running in the bridge mode as well. I though that I might be doing port forwarding wrong but can't make it work. It appears UPnP working only if you have a host connected directly to the pfsense box. If I connect switch or AP (in bridge mode) to it UPnP works. Since I have cisco router and meraki firewall in between the host and pfsense, it seems like UPnP multicast messages are not reaching or not regestering on Pfsense box. 1 to 1 NAT definitely works with everything allowed inbound. I am gonna give port forwarding another try, but I couldn't make it work before…



  • If you have another router between pfSense and the hosts both port forwarding and uPNP are not going to work. If your other firewall is in bridged mode, you should be able to run DHCP directly on pfSense and remove the additional router.


  • LAYER 8 Global Moderator

    ^ took the words out of my mouth ;)

    But what does not make sense is that he says 1:1 nat is working - if that works, then however he is using that router or other firewall should have nothing to do with it.

    As to why he is not running dhcp on pfsense in the first place I have no idea..  Why would you put in "router" just to provide dhcp?  Could run that on any box or vm in the network if need be - but why when pfsense has a nice little gui to use for dhcp all ready to go, etc.

    If you ids/ips that is suppose to be transparent then something is wrong with its config, or your triggering a rule in your IPS, etc.  Or its not as transparent as you think it is ;)

    Do a simple sniff on your pfsense interface - are you seeing multicast/broadcast traffic?


Log in to reply