DMZ: different Servers / different external IPs



  • Dear community,
    Replacing my good old IPCop (sigh) with a new firewall, I have a question. My wording can be bad because I'm still used to Cop and I'm totally new to pfSense, and this is definitely another league.

    In my DMZ there are 3 servers: 10.10.0.1, 10.10.0.2 and 10.10.0.3.
    I have 5 static external IPs from my provider; I call them x.y.z.1 - x.y.z.5.
    Now - for example - I want 10.10.0.1 seen as x.y.z.3 from outside, and 10.10.0.2 and 10.10.0.3 as x.y.z.5.

    I made aliases for all (the servers as well as the external IPs).

    Now how does that work with pfSense? Do I need a 1:1 NAT? An Outbound NAT?
    :-)
    Thx for your help.



  • Maybe my description sounded too complicated; basically it's simply a SNAT question.
    The servers are reached over port forwarding of course, so multiple port 80s go to different servers in my DMZ.

    Now I want some servers in my DMZ to use specific static WAN IPs to go outside. That's the question above.



  • You should be able to use Outbound NAT for that - switch to Manual Outbound NAT and add rules on WAN for traffic from a particular server IP/s to be NAT'd to the public IP that you want it to be. The rules are processed top-down, so you will need to put your specific rules before the more general ones that NAT whole subnets to WAN IP.
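    Added illustration (not from this thread or from pfSense itself): a small first-match model of a manual Outbound NAT rule list, using the poster's DMZ hosts and documentation-range stand-ins for x.y.z.3, x.y.z.5 and the WAN address. It shows that with the catch-all subnet rule on top, the per-server rules are never reached, and includes a check that flags such shadowed rules.

```python
import ipaddress

# Constructed stand-ins (TEST-NET-3) for the poster's x.y.z.3, x.y.z.5 and WAN x.y.z.98
PUB_3 = "203.0.113.3"
PUB_5 = "203.0.113.5"
WAN_IP = "203.0.113.98"


class NatRule:
    """One outbound NAT rule: traffic from `source` leaves as `translate_to`."""

    def __init__(self, source, translate_to, description=""):
        self.source = ipaddress.ip_network(source, strict=False)
        self.translate_to = translate_to
        self.description = description


def outbound_nat(rules, src_ip):
    """First-match evaluation, as pf does for NAT rules: the first rule whose
    source contains src_ip wins and later rules are ignored. None = no NAT."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.source:
            return rule.translate_to
    return None


def shadowed(rules):
    """Return descriptions of rules that can never match because an earlier
    rule's source already covers their entire source network."""
    hidden = []
    for i, rule in enumerate(rules):
        if any(rule.source.subnet_of(earlier.source) for earlier in rules[:i]):
            hidden.append(rule.description)
    return hidden


# Correct order: specific hosts first, catch-all for the rest of the DMZ last.
SPECIFIC_FIRST = [
    NatRule("10.10.0.1/32", PUB_3, "server 1 -> x.y.z.3"),
    NatRule("10.10.0.2/32", PUB_5, "server 2 -> x.y.z.5"),
    NatRule("10.10.0.3/32", PUB_5, "server 3 -> x.y.z.5"),
    NatRule("10.10.0.0/24", WAN_IP, "rest of DMZ -> WAN address"),
]
# Same rules with the catch-all on top: every DMZ host egresses as WAN_IP.
GENERAL_FIRST = [SPECIFIC_FIRST[-1]] + SPECIFIC_FIRST[:-1]

if __name__ == "__main__":
    for name, rules in (("specific first", SPECIFIC_FIRST), ("general first", GENERAL_FIRST)):
        print(name, {h: outbound_nat(rules, h) for h in ("10.10.0.1", "10.10.0.3", "10.10.0.4")})
        print("  shadowed:", shadowed(rules))
```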



  • If it's a DMZ server I would just use 1:1 NAT for those servers. Then all traffic destined for x.y.z.1 would go to 10.10.0.1. Outbound NAT requires a lot more rules and settings and is port specific and such. He said DMZ, so to me that means all ports open and let the box's OS firewall take care of things.

    /esink



  • Thanks for the answers. I'll choose the outbound NAT because I think the firewall's work should be done by the firewall ;)

    Question:
    I made aliases for my static WAN IPs. Do I need to tell pfSense somewhere that they belong to the WAN interface???
    The WAN interface has an IP like x.y.z.98; the rest are 99-102 (97 is my gateway, which is in the WAN interface configuration).

