Advice Needed Regarding pfSense with DMZ interface and Public IPs



  • Hello,

    Through my ISP provider I have block of IPs which I want to use for my DMZ interface (web server, mail server, ftp server). I’m currently got version 2.1.5 pfSense installed where pfSense is setup as PPPOE using my username and password to get access to the internet through the LAN interface which is working and my ADSL modem router set in Bridge mode. The LAN interface is set at the default subnet 192.168.1.1.

    Is it preferable to have the ADSL modem set with the PPPOE credentials and have the WAN interface of pfSense setup using the static IP configuration option using the first Public IP as the gateway and next Public IP as the IP address or my current setup where the first public IP is set at the DMZ NIC; not sure if this will work.

    Was also reading about 1:1 NAT where the Public IPs are pointing to the private IPs on the machine
    216.xxx.xx.xx -> 172.16.0.2

    Are there any good tutorials regarding DMZ setup with Public IPs.

    Any help would be much appreciated.

    Karl



  • I can't answer your PPPoE questions, but I use a range of public IPs that I map to DMZ'd servers.  Use Firewall - Virtual IPs to have pfSense handle your public IP addresses.  Then create a port-forward for each service via Firewall - NAT - Port Forward that maps one of the Virtual IPs to an LAN IP address and port.  Create firewall rules so that anything in DMZ only has access to WAN, not LAN.  ALso add a rule so that DMZ doesn't have access to any pfSense admin interfaces, like blocking access to ports 80/443 on DMZ Address.



  • Use Firewall - Virtual IPs to have pfSense handle your public IP addresses.

    Yes I'm aware of the Virtual IPs I'm just not sure how to setup the Public IPs and Private IPs.

    Example if I have my web server NIC is set at 172.16.0.2 would the DMZ NIC on the pfSense box need to have it's IP set at the same subnet 172.16.0.1 as its gateway. I'm coming from windows server and ISA 2006 environment. I'm just having a hard time grasping pfSense.



  • pfSense is no different than any other router at the network level.  If your DMZ subnet is 172.16.0.0/24 then your other servers should also be in that same subnet.  Then you can use firewall rules to cordon off the DMZ from other network segments.