Transparent DMZ firewall and NAT'ed LAN



  • Hello,

    I'm trying to achieve this:
    I have a WAN side, a LAN side and a DMZ side, each on its own interface.
    The LAN should be NATed (and that works out of the box).
    The DMZ is a bit special, because I'm lucky enough (?) to have an ISP that allows me to use several public IPs, but they're handed out via DHCP and can be from one /22 range and one /24 range, for some reason. So, for my DMZ I want pfSense to be transparent so that my servers can get public IPs. I do NOT want my DMZ interface to use up an address in those public spans, and I see no reason it should have an IP at all.
    The WAN side gets a public address via DHCP in one of the two mentioned /22 and /24 spans.

    I created a bridge with the WAN and DMZ interfaces. I had to reboot to make that work, but now I can reach internet from my NATed LAN. I added an IPv4->Any rule for the DMZ interface and the server can reach internet, but it cannot be reached FROM the internet. (I.e. it can ping 8.8.8.8, but I cannot ping it from another connection). Also I cannot reach it from LAN.

    I added a rule on the WAN interface allowing any IPv4 with destinations in the public /22 and /24 spans. Still the same result, but the firewall logs now show the blocked traffic and says it's blocked due to fragmentation. I see no reason why it would be fragmented.

    Any suggestions?

    As a side note I also tried a different approach where I added another interface, a DMZ "outside" interface, connected to the WAN side. I didn't give it an address configuration, bridged it to the "inner" DMZ interface and added IPv4 Any<->Any rules for both interfaces. Then the server could be reached from outside, but not from LAN. Blocked packets seemed to be stopped, once again, by the fragmentation rule.

    Also, this is all done on a KVM machine, so both the DMZ server and pfSense are virtualized. WAN and LAN are bridges on the host, connected to physical interfaces, and DMZ is a virtual LAN connected to the server.

    /Martin
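    Added example, not code from this thread or from pfSense: a small Python triage script for pfSense-style filterlog lines that separates blocks caused by a rule match from packets pf dropped on its own (reason "fragment"), which is the kind of log entry described above. It assumes the CSV field order of the pfSense 2.2+ filterlog; the sample lines, interface names and addresses are constructed.

    ```python
    import csv
    from collections import Counter

    # Assumed field order of the pfSense (2.2+) filterlog CSV. The first nine
    # fields are common to every entry; the IPv4 header fields follow them and
    # the remaining protocol-specific fields are ignored here.
    COMMON_FIELDS = ("rule", "subrule", "anchor", "tracker", "iface",
                     "reason", "action", "direction", "ipver")
    IPV4_FIELDS = ("tos", "ecn", "ttl", "id", "offset", "flags",
                   "proto_id", "proto", "length", "src", "dst")


    def parse_filterlog(line):
        """Return a dict for one filterlog entry, or None if it is too short."""
        fields = next(csv.reader([line.strip()]))
        if len(fields) < len(COMMON_FIELDS):
            return None
        entry = dict(zip(COMMON_FIELDS, fields))
        if entry["ipver"] == "4" and len(fields) >= len(COMMON_FIELDS) + len(IPV4_FIELDS):
            entry.update(zip(IPV4_FIELDS, fields[len(COMMON_FIELDS):]))
        return entry


    def summarize_blocks(lines):
        """Count blocked entries per (interface, reason).

        Reason "match" means a filter rule blocked the packet; any other reason
        (e.g. "fragment") means pf dropped it before rule evaluation, so the
        fix is not another pass rule.
        """
        counts = Counter()
        for entry in map(parse_filterlog, lines):
            if entry and entry["action"] == "block":
                counts[(entry["iface"], entry["reason"])] += 1
        return counts


    def fragment_drops(lines):
        """Return (interface, src, dst, fragment offset) for pf fragment drops."""
        return [(e["iface"], e["src"], e["dst"], int(e["offset"]))
                for e in map(parse_filterlog, lines)
                if e and e["action"] == "block" and e["reason"] == "fragment"]


    # Constructed sample log lines (documentation addresses, virtio interfaces).
    SAMPLE_LOG = [
        "5,,,1000000103,vtnet0,fragment,block,in,4,0x0,,64,4711,185,,1,icmp,1500,203.0.113.77,198.51.100.9",
        "5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.77,198.51.100.9,51234,22,0,S",
        "70,,,1412345678,vtnet2,match,pass,out,4,0x0,,64,0,0,DF,1,icmp,84,198.51.100.9,8.8.8.8,request,1,1",
        "5,,,1000000103,vtnet0,fragment,block,in,4,0x0,,64,4711,370,,1,icmp,1500,203.0.113.77,198.51.100.9",
    ]

    if __name__ == "__main__":
        for key, n in sorted(summarize_blocks(SAMPLE_LOG).items()):
            print(f"{key[0]:8s} {key[1]:10s} {n}")
        print(fragment_drops(SAMPLE_LOG))
    ```
    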



  • Could you add your WAN & DMZ interfaces to a bridge interface?

    Then there would be no broadcast domain separation between them (virtual wire) and you could still apply rules to the DMZ interface.



  • To quote myself:
    "I created a bridge with the WAN and DMZ interfaces. I had to reboot to make that work, but now I can reach internet from my NATed LAN. I added an IPv4->Any rule for the DMZ interface and the server can reach internet, but it cannot be reached FROM the internet. (I.e. it can ping 8.8.8.8, but I cannot ping it from another connection). Also I cannot reach it from LAN."



  • I am having the same problem. I am using 2.1.5.

    WAN -> Phy.interface (Public IP from ISP)
    LAN -> phy.interface
    Bridged WAN AND LAN

    Checked on the Internet and all the guides (Filtering Bridge Mode). Nothing works for me.