Dumb question, I think I need a DMZ?

  • Hey all,

    Know this is probably a dumb question. I need to set up my pfSense to allow an outside entity to access a device on my internal network for repair. It's just temporary.

    They are asking for a public IP.

    How do I best do this while protecting the rest of my network?


  • If this was permanent and was going to be publicly available - like a web server, for instance - I'd suggest a DMZ would be best. If this is just a one-off repair of something in your LAN, then set up a port-forward pointing to your internal device but limiting the source to the external IP address of the 'outside entity' only. Once they've made the repair - whatever that is - just disable or remove the port forward. The port forward will be limited to just the target, so the rest of your LAN will be unaffected (assuming the target device isn't a server with access to the rest of your network and the service you're providing isn't RDP or SSH, for instance).

  • Thank you for the advice.

    Steps so I do it right, please?

    Also can I lock the forward so it only accepts from the support IP?

  • He already gave you the details - create a forward with the source locked to their IP. Do you need a picture or something?

    So here is a port forward setup to send port 80 to a specific IP on my LAN, and only if it comes from one of those specific IPs is it allowed.
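    The setup described above and in the earlier reply, written out as an added example in the pf rule syntax that pfSense generates behind its NAT page (this is not the screenshot from the post, nor pfSense's own configuration): the open forward is shown commented out next to the source-restricted one. The interface name, the LAN address and the support company's address are placeholders I chose.

```pf
# Added example, not from the thread. Interface, addresses and port are placeholders.
wan_if = "em0"
repair = "192.168.1.50"    # the internal device being repaired (placeholder)
vendor = "203.0.113.10"    # the support company's public IP (placeholder, TEST-NET-3)

# Weak: port 80 on the WAN address is forwarded to the device from anywhere
# on the internet, so the repair window is open to everyone, not just the vendor.
# rdr pass on $wan_if inet proto tcp from any to ($wan_if) port 80 -> $repair port 80

# Corrected: only packets from the vendor's address match the forward; all other
# sources never reach the device and fall through to the default block on WAN.
rdr pass on $wan_if inet proto tcp from $vendor to ($wan_if) port 80 -> $repair port 80

# Check what is actually loaded with: pfctl -sn   (lists the active NAT/rdr rules)
```

    In the pfSense GUI this corresponds to the Source field of the port forward under Firewall > NAT, which is copied into the associated WAN firewall rule; disable or delete that rule when the repair is done.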

  • @Honeybadger:

    Also can I lock the forward so it only accepts from the support IP?

    I said that you could limit the source to the IP of the 'outside entity'. I would strongly suggest doing this, particularly if you're granting any form of administrative access.

    I'll do one better than a picture and post this link to a video. Hopefully this will be enough to give you an idea of the steps involved: https://www.youtube.com/watch?v=28dmUzOGI50

    PS: Google is your friend. Get to know him.

