Routing with DMZ, VLANs, WAN passthrough, and Sonic Wall



  • Sorry for the confusing title, but I am having trouble coming up with a name for this issue I am having. I also apologize in advance if this is in the wrong forum.

    Here is my situation:

    I have a block of 13 IPs from my ISP (Comcast) that come out of their business gateway/modem. I have a pfsense box that I just set up with two physical interfaces. On my first interface, I have an uplink from the modem. My second interface is connected to my switch (Netgear GS748t).

    Within the pfsense configuration, I have built 6 VLANs and 1 Bridge. 5 of the VLANs are set up for various things such as security cameras, public wifi, etc. The remaining VLAN is a "DMZ" that I have set up to pass some of the IPs of the business gateway directly through. The bridge is set up with the following members: WAN, DMZ.

    Interface setup:

    • WAN - re1

    • LAN - re0

    • DMZ - VLAN 8 - re0

    • MANAGEMENT - VLAN 9 - re0 (192.168.9.0/24)

    • CAMERAS - VLAN 40 - re0 (192.168.40.0/24)

    • NON_PCI_LAN - VLAN 30 - re0 (192.168.30.0/24)

    • DMZBRIDGE - Bridge WAN, DMZ

    • NON_PCI_OTHER - VLAN 31 - re0 (192.168.31.0/24)

    • NON_PCI_PUBLIC - VLAN 32 - re0 (192.168.32.0/24)

    Within the DMZ (VLAN 8) on my switch, I have various servers attached which have public IPs assigned to them out of the block, and a Sonic Wall appliance, and here is where it gets confusing for me. All of the other VLANs besides the DMZ work as intended; even the DMZ works for the most part. Behind the Sonic Wall I have a bunch of workstations. The workstations all function properly and can see out onto the internet. The issue is trying to get the workstations behind the Sonic Wall to see the other VLANs set up in pfsense (VLAN 40 in particular).

    I have set up virtual IPs and proper firewall rules so that I can see into VLAN 40 if I am on a separate network (off-site, for instance), but I am unable to see it from behind the Sonic Wall. From that DMZ, if I try and browse to the WAN IPs (virtual IPs) assigned to the VLAN, it takes me to the pfsense web GUI, rather than the expected services.

    Network Layout (want to somehow connect VLAN 40 and the workstations):

    Modem -> pfsense -> VLAN 40
                |
                +------> DMZ -> Sonic Wall -> Workstation

    Somehow I need to build a route to connect them, but this is where I'm lost.

    Additional notes:

    • The Sonic Wall is provided by an outside vendor; I don't have access

    • Everything works as intended, besides this routing issue

    A day's worth of trial and error, google-fu, and caffeine have not netted me the result I have wanted, so I am turning to these forums to see if anyone has the same issue, or if what I'm asking is crazy.

    Any feedback on this issue would be greatly appreciated!



  • Unsolicited traffic will be blocked. Remember, because you bridged your DMZ to your WAN, in order for your Sonic Wall traffic to get to your VLAN 40 traffic it would have to come from the outside -> in, which is typically blocked. Also, I would imagine your VLAN 40 traffic is in a private IP address range, and private IP addresses are not routable on the Internet.



  • It sounds like a NAT reflection issue or similar? I guess you are using the public DNS name or public IP address to access systems in VLAN40, but the devices behind the SonicWall really only go in and out of the pfSense box to get to VLAN40.

    If you are forwarding public IPs on pfSense in to the VLAN40 devices that have private IPs in VLAN40, then try accessing the devices using the private IP addresses. That should work. Like mikeisfly mentions, you will need suitable firewall rules to make sure the traffic is allowed.

    Once you have that working, then make split-DNS on the pfSense - in the DNS Forwarder or Resolver, put host overrides for the public names that will internally resolve to the internal private IPs. That way, when you use the names from your inside network they will resolve to the internal private IP addresses and work. Users from the outside will resolve the names to the public IP addresses and also work like they do now.
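    What the split-DNS host overrides described above look like in the Resolver's underlying Unbound syntax, as an added illustration rather than anything from the thread (pfSense writes Resolver host overrides out as local-data entries of this form; the domain, hostnames and 192.168.40.x addresses are assumed placeholders for the poster's VLAN 40 devices):

    ```conf
    server:
        # Only the listed names are answered locally; every other name in
        # the zone is still resolved normally (transparent), so the public
        # DNS view stays intact for anything not overridden.
        local-zone: "example.com." transparent

        # Inside view: the public names resolve straight to the VLAN 40
        # private addresses, so internal clients never hairpin through the
        # WAN virtual IPs (which is what lands them on the pfSense GUI).
        local-data: "cameras.example.com. IN A 192.168.40.10"
        local-data: "nvr.example.com. IN A 192.168.40.11"

        # Optional reverse records so internal lookups of the private
        # addresses return the same names.
        local-data-ptr: "192.168.40.10 cameras.example.com"
        local-data-ptr: "192.168.40.11 nvr.example.com"
    ```

    Only clients that actually use the pfSense Resolver get the internal answers, so the SonicWall (or the workstations behind it) must hand out the pfSense address as their DNS server for this to take effect; external users keep resolving the names to the public IPs as before.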

