DMZ question



  • Hi all,

    I have a short question:
    On a new install I must use WAN, LAN and DMZ interfaces.
    On the DMZ zone I need to have an external IP like (82.x.x.x) on the WAN one for a mail server + web + DNS.
    The question is: what IP address should I use on the DMZ interface configuration in ClearOS?
    Can I use an external IP in the DMZ zone even if I configure the DMZ network like 192.168.x.x?

    Thank you



  • If you like to use internal IPs you have to use an internal IP for the interface. Then NAT setup.



  • Ok, thanks for the answer.
    So if I do this:
    DMZ IP interface: 82.x.x.x, the one I have for the mail/web/DNS server, then the machine in the zone will have an internal IP and NAT all traffic from the DMZ IP (the one registered as ns1 for MX and A records) to the internal one.

    Am I wrong?



  • Why do you want to allow (all) traffic from DMZ to LAN???

    If you do this you can also put your mail server inside the LAN and make some port forwarding there...

    Imho a DMZ should isolate the hosts which are reachable (speak: possibly hackable) from the outside from the LAN, where you often have unprotected/uncontrolled systems...
    If somebody enters one of your DMZ hosts he would be inside your LAN with your configuration idea.

    I'm doing it like this:

    WAN -NAT-> DMZ  (only ports and hosts open which are necessary)

    Outgoing rules for DMZ also just the necessary ones

    LAN -> DMZ (here you can use a * * rule, like LAN->WAN)

    *Remember: the target DMZ address in the rules is always the internal one...

    So 82.x.x.100 = 192.168.x.100, which means you need a WAN rule with source * and destination 192.168.x.100 (+ ports).

    And if you need some services on the servers to push information you can add restrictive DMZ->LAN rules.



  • Hi,
    thanks for the answer.
    At the moment my mail/web/webmail/FTP server has an external IP and nothing in front in terms of FW protection.
    I wanna put pfSense as router/firewall and at the same time keep the accessibility to ns1.<domain>.net, which has all DNS records (A, MX, NS).
    So for example in the DMZ I change the IPs from public to local C, e.g. *.x.100; I need to have WAN -> DMZ rules for DNS 53, IMAP/POP, web, FTP, right?
    Will it still be accessible from outside like now?



  • So for example in the DMZ I change the IPs from public to local C, e.g. *.x.100; I need to have WAN -> DMZ rules for DNS 53, IMAP/POP, web, FTP, right?

    If your server does all that and you want to forward all traffic addressed to this external IP to that server, put it in the DMZ with a private net address and add a 1:1 NAT rule to forward everything to the server. Otherwise, if you need this external IP for other purposes, such as to reach pfSense's web configurator, set a separate port forward rule for each port you want to forward.

    If you use 1:1 NAT you also have to set a proper firewall rule for each service. When adding common port forwarding rules you can also let pfSense add the firewall rules for you.
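    The 1:1 NAT layout discussed in this thread, written out as an added example in pf's own rule syntax (pf is the packet filter under pfSense; this is not configuration from any poster, and pfSense normally generates these rules from its GUI). Interface names, the 192.168.x networks and the documentation address 203.0.113.100 (standing in for the 82.x.x.100 public IP) are assumed placeholders.

```pf
# Added example: DMZ server behind 1:1 NAT on pf, with DMZ isolated from LAN.
# All interface names and addresses below are assumed placeholders.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
dmz_srv = "192.168.2.100"   # mail/web/DNS server, private address in the DMZ
pub_ip  = "203.0.113.100"   # public address registered as ns1 / MX / A record

set skip on lo0

# --- translation (must precede filter rules in classic pf.conf order) ---
# 1:1 NAT: inbound packets for pub_ip are rewritten to dmz_srv, and
# dmz_srv's own outbound traffic leaves with pub_ip as source.
binat on $ext_if from $dmz_srv to any -> $pub_ip
# Ordinary outbound NAT for LAN clients via the firewall's WAN address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- filtering: default deny, filter on ingress, let replies out ---
block all
pass out quick all

# WAN -> DMZ: filtering runs after translation, so the destination here is
# the INTERNAL address (as noted above), and only published services open.
# FTP is left out: its data channel needs a helper beyond plain port rules.
pass in quick on $ext_if proto tcp from any to $dmz_srv port { 25, 80, 443, 110, 143 }
pass in quick on $ext_if proto { tcp, udp } from any to $dmz_srv port 53

# DMZ -> LAN is blocked: a compromised DMZ host must not reach the LAN.
block in quick on $dmz_if from $dmz_net to $lan_net

# DMZ -> WAN: only what the server needs (outbound mail delivery, DNS).
pass in quick on $dmz_if proto tcp from $dmz_srv to any port 25
pass in quick on $dmz_if proto { tcp, udp } from $dmz_srv to any port 53

# LAN -> DMZ and LAN -> WAN: the "* *" rule from the thread.
pass in quick on $lan_if from $lan_net to any
```

    Because `block all` comes first and every later rule is `quick`, anything not explicitly passed on an interface is dropped, which is what keeps a DMZ host from pivoting into the LAN.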



  • Ok.
    Thank you.
    I believe I'll use the 1:1 setup.