Netgate Discussion Forum

DMZ with real public IPs and NAT

Español
0ren:

Hello everyone.

I've been using pfSense for over a year without problems, but I need to add another one to connect the private and public server network to the Internet; the servers need real public IPs (because of certificates). The hardware I've used is a Compaq ProLiant DL360 with 2 built-in 1 Gb network cards plus two added 100 Mb 3Com cards. The intention is to have a LAN, WAN, DMZ and another interface unused for now.
The Internet and hosting provider connects me through a router with the private IP 172.x.x.35/29, so on the WAN I have 172.x.x.35/29. On the DMZ I will have a public IP, 213.x.x.129/29, and several servers with public IPs as well: 213.x.x.130, 213.x.x.131, etc.
For the server LAN I have 10.1.1.125/25 with a router to our offices at 10.1.1.1; our offices are 192.168.68.0/24.

I understand that for the servers to get out and be reachable I need 1:1 NAT, but I imagine it as follows:

Interface   External IP       Internal IP       Description
WAN         213.x.x.130/32    213.x.x.130/32    Mail
WAN         213.x.x.131/32    213.x.x.131/32    Blackberry
WAN         213.x.x.132/32    213.x.x.132/32    Web

And so that the private servers and my network can reach the Internet I will need to change AON as follows:

Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description
DMZ         any      *             *             *                  *             *          NO            Auto created rule for LAN

If you see it differently, I would appreciate your comments.

0ren:

In the end I managed to get it working, and everything works for me.
The trick was to put a Virtual IP on the same DMZ network, so pfSense uses two real Internet IPs.

This is the configuration:

<pfsense>
<version>3.0</version>
<lastchange/>
<theme>metallic</theme>
<system>
<optimization>normal</optimization>
<hostname>pfsense</hostname>
<domain>domain.es</domain>
<username>admin</username>
<password></password>
<timezone>Europe/Madrid</timezone>
<time-update-interval/>
<timeservers>pool.ntp.org</timeservers>
<webgui>
<protocol>https</protocol>
<certificate/>
<private-key></private-key>
</webgui>
<disablenatreflection>yes</disablenatreflection>
<ssh><authorizedkeys></authorizedkeys></ssh>
<enablesshd>yes</enablesshd>
<disableconsolemenu/>
<maximumstates/>
<shapertype/>
<dnsserver>213.4.194.4</dnsserver>
<dnsserver>10.1.0.4</dnsserver>
<dnsallowoverride></dnsallowoverride>
</system>
<interfaces>
<lan><if>fxp0</if>
<ipaddr>10.1.1.125</ipaddr>
<subnet>25</subnet>
<media/><mediaopt/><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype></lan>
<wan><if>xl0</if>
<mtu/><blockpriv/><media/><mediaopt/><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<spoofmac/><disableftpproxy/><ipaddr>172.17.192.36</ipaddr>
<subnet>29</subnet>
<gateway>172.17.192.35</gateway></wan>
<opt1><if>fxp1</if>
<descr>DMZ</descr>
<bridge/><enable/><ipaddr>213.x.x.129</ipaddr>
<subnet>29</subnet>
<gateway/><spoofmac></spoofmac></opt1>
<opt2><if>xl1</if>
<descr>NETLAN</descr>
<bridge/><ipaddr>192.168.60.2</ipaddr>
<subnet>24</subnet>
<gateway>192.168.60.1</gateway>
<spoofmac></spoofmac></opt2>
</interfaces>
<staticroutes><route><interface>lan</interface>
<network>10.1.0.0/25</network>
<gateway>10.1.1.1</gateway>
<descr>Red Tic</descr></route>
<route><interface>lan</interface>
<network>192.168.68.0/24</network>
<gateway>10.1.1.1</gateway>
<descr>Red Oficina</descr></route>
<route><interface>lan</interface>
<network>192.168.79.128/25</network>
<gateway>10.1.1.1</gateway>
<descr>Red Tic</descr></route></staticroutes>
<pppoe><username/><password></password></pppoe>
<pptp><username/><password/><local></local></pptp>
<bigpond/>
<dyndns><type>dyndns</type>
<username/><password></password></dyndns>
<dhcpd><lan><range><from>10.1.1.10</from>
<to>10.1.1.245</to></range>
<defaultleasetime/><maxleasetime/><netmask/><failover_peerip/><gateway/><ddnsdomain/><next-server/><filename></filename></lan></dhcpd>
<pptpd><mode/><redir/><localip></localip></pptpd>
<ovpn/>
<dnsmasq><enable/><domainoverrides><domain>nmasuno.com</domain>
<ip>10.1.0.11</ip>
<descr>ad.nmasuno.com</descr></domainoverrides></dnsmasq>
<snmpd><syslocation/><syscontact/><rocommunity>public</rocommunity></snmpd>
<diag><ipv6nat></ipv6nat></diag>
<bridge/>
<syslog/>
<nat><ipsecpassthru/><advancedoutbound><rule><source>
<network>10.1.1.0/25</network></source>
<sourceport/><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></rule>
<rule><source>
<network>10.1.0.0/25</network></source>
<sourceport/><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></rule>
<rule><source>
<network>192.168.79.0/25</network></source>
<sourceport/><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></rule>
<rule><source>
<network>192.168.68.0/25</network></source>
<sourceport/><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></rule>
<rule><source>
<network>172.17.192.36/32</network></source>
<sourceport/><descr>Nat de salida para LAN</descr>
<target>213.x.x.133</target>
<interface>wan</interface>
<destination><any></any></destination>
<natport></natport></rule>
<enable></enable></advancedoutbound></nat>
<filter><rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>213.x.x.131</address>
<port>80</port></destination>
<descr>HTTP</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>213.x.x.132</address>
<port>80</port></destination>
<descr>HTTP</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>CORREO</address>
<port>443</port></destination>
<descr>HTTPs</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>CORREO</address>
<port>465</port></destination>
<descr>SMTP/s</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>CORREO</address>
<port>993</port></destination>
<descr>IMAP4/s</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>CORREO</address>
<port>25</port></destination>
<descr>SMTP</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>CORREO</address>
<port>143</port></destination>
<descr>IMAP</descr></rule>
<rule><type>pass</type>
<interface>wan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><any/></source>
<destination><address>Blackberry</address>
<port>3101</port></destination>
<descr>BLACKBERRY</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>icmp</protocol>
<source><any/></source>
<destination><any/></destination>
<disabled/><descr>Ping</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><network>opt1</network></source>
<destination><network>lan</network>
<port>1433-1434</port></destination>
<descr>SQL server</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><network>opt1</network></source>
<destination><any/><port>25</port></destination>
<descr>SMTP</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>opt1</network></source>
<destination><any/><port>80</port></destination>
<descr>HTTP</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>opt1</network></source>
<destination><any/><port>443</port></destination>
<descr>HTTPs</descr></rule>
<rule><type>pass</type>
<interface>opt1</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><network>opt1</network></source>
<destination><any/><port>53</port></destination>
<descr>DNS</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><address>LanTic</address></source>
<destination><network>opt1</network>
<port>Samba</port></destination>
<descr>SMB > DMZ</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>80</port></destination>
<descr>HTTP</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><network>lan</network></source>
<destination><any/><port>53</port></destination>
<descr>DNS</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>23</port></destination>
<descr>TELNET</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>25</port></destination>
<descr>SMTP</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>143</port></destination>
<descr>IMAP</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>443</port></destination>
<descr>HTTPS</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><any/><port>21</port></destination>
<descr>FTP</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><network>lan</network></source>
<destination><any/><port>123</port></destination>
<descr>TIME</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp</protocol>
<source><network>lan</network></source>
<destination><address>127.0.0.1</address>
<port>8000-8090</port></destination>
<descr>FTP (IEXPLORER)</descr></rule>
<rule><type>pass</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>icmp</protocol>
<source><address>LanTic</address></source>
<destination><any/></destination>
<disabled/><descr>SMB > WEB</descr></rule>
<rule><type>block</type>
<interface>lan</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<source><any/></source>
<destination><any/></destination>
<log/><descr>BLOCK</descr></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><any/></source>
<destination><address>192.168.79.128/25</address>
<port>3200-3201</port></destination></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>tcp/udp</protocol>
<source><any/></source>
<destination><address>192.168.79.128/25</address>
<port>3299</port></destination></rule>
<rule><type>pass</type>
<interface>enc0</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><protocol>icmp</protocol>
<source><any/></source>
<destination><address>192.168.79.128/25</address></destination></rule>
<rule><type>block</type>
<interface>enc0</interface>
<max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype>
<os/><source><any/></source>
<destination><any/></destination></rule>
<bypassstaticroutes></bypassstaticroutes></filter>
<shaper/>
<aliases><alias><name>CORREO</name>
<address>213.x.x.130</address>
<descr>Servidor de CORREO</descr>
<type>host</type>
<detail>Entry added Tue, 24 Jun 2008 12:49:33 +0200||</detail></alias>
<alias><name>LanTic</name>
<address>10.1.0.0/25 10.1.1.0/25 192.168.79.128/25</address>
<descr>Red del TIC</descr>
<type>network</type>
<detail>Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||Entry added Wed, 02 Jul 2008 17:28:54 +0200||</detail></alias>
<alias><name>Oficina</name>
<address>192.168.68.0/24</address>
<descr>Red de Oficina</descr>
<type>network</type>
<detail>Entry added Wed, 25 Jun 2008 09:43:29 +0200||</detail></alias>
<alias><name>RouterTic</name>
<address>10.1.1.1</address>
<descr>Router Tic Red privada</descr>
<type>host</type>
<detail>Entry added Wed, 25 Jun 2008 09:44:31 +0200||</detail></alias>
<alias><name>Samba</name>
<address>137 138 139 445</address>
<descr>Red microsoft</descr>
<type>port</type>
<detail>Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||Entry added Wed, 02 Jul 2008 16:13:11 +0200||</detail></alias>
<alias><name>WEB</name>
<address>213.x.x.132</address>
<descr>SERVIDOR WEB</descr>
<type>host</type>
<detail>Entry added Tue, 24 Jun 2008 12:50:52 +0200||</detail></alias></aliases>
<proxyarp/>
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>3</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c</command>
</item>
<item>
<minute>*/5</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/bin/checkreload.sh</command>
</item>
<item>
<minute>*/5</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/etc/ping_hosts.sh</command>
</item>
<item>
<minute>*/140</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/sbin/reset_slbd.sh</command>
</item>
</cron>
<wol/>
<installedpackages></installedpackages>
<vlans/>
<revision><description>/firewall_rules_edit.php made unknown change</description>
<time>1215020747</time></revision>
<rrd><enable></enable></rrd>
<virtualip><vip><mode>proxyarp</mode>
<interface>wan</interface>
<descr>IP de Salida NAT</descr>
<type>single</type>
<subnet_bits>32</subnet_bits>
<subnet>213.x.x.133</subnet></vip></virtualip>
</pfsense>

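Three checks are worth scripting before trusting a layout like the one in this thread: that every outbound NAT translation address is one the firewall actually owns (an interface address or a virtual IP, which is exactly the piece the second post added), that the WAN pass rules are inventoried with their aliases expanded, and that no rule refers to an alias that does not exist (the posted rules use the name `Blackberry`, but the `<aliases>` section defines no alias of that name). The Python below is an added example, not the poster's or pfSense's own tooling. It parses a constructed config fragment laid out like the one above, with documentation address space 203.0.113.0/24 standing in for the real public block, and assumes the pfSense 1.2-era element names visible in the post (`<advancedoutbound>` rules with `<target>`, a `<vip>` of `<type>single</type>`, `<disabled/>` inside a rule).

```python
# Audit checks for a pfSense-1.2-style config.xml. Added example, not code from the
# forum post or from pfSense. SAMPLE_CONFIG is constructed to follow the posted
# layout, with documentation addresses (203.0.113.0/24) standing in for the public
# block; it deliberately has one outbound NAT rule whose target the firewall does
# not own and one filter rule naming an alias that is never defined.
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<pfsense>
<interfaces>
<lan><if>fxp0</if><ipaddr>10.1.1.125</ipaddr><subnet>25</subnet></lan>
<wan><if>xl0</if><ipaddr>172.17.192.36</ipaddr><subnet>29</subnet><gateway>172.17.192.35</gateway></wan>
<opt1><if>fxp1</if><descr>DMZ</descr><enable/><ipaddr>203.0.113.129</ipaddr><subnet>29</subnet></opt1>
</interfaces>
<nat><advancedoutbound><enable></enable>
<rule><source><network>10.1.1.0/25</network></source><sourceport/><target>203.0.113.133</target>
<interface>wan</interface><destination><any/></destination><descr>Nat de salida para LAN</descr></rule>
<rule><source><network>192.168.68.0/24</network></source><sourceport/><target>203.0.113.134</target>
<interface>wan</interface><destination><any/></destination><descr>mistyped target</descr></rule>
</advancedoutbound></nat>
<filter><rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>CORREO</address><port>25</port></destination><descr>SMTP</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>Blackberry</address><port>3101</port></destination><descr>BLACKBERRY</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol><source><any/></source>
<destination><address>203.0.113.132</address><port>23</port></destination><disabled/><descr>old telnet</descr></rule>
<rule><type>pass</type><interface>opt1</interface><protocol>tcp</protocol><source><network>opt1</network></source>
<destination><any/><port>80</port></destination><descr>HTTP</descr></rule></filter>
<aliases><alias><name>CORREO</name><address>203.0.113.130 203.0.113.131</address><type>host</type></alias></aliases>
<virtualip><vip><mode>proxyarp</mode><interface>wan</interface><type>single</type>
<subnet_bits>32</subnet_bits><subnet>203.0.113.133</subnet></vip></virtualip>
</pfsense>"""

def load_config(xml_text=SAMPLE_CONFIG):
    """Parse a config.xml document and return its <pfsense> root element."""
    return ET.fromstring(xml_text)

def interface_networks(root):
    """Interface name -> ip_interface for each interface that has an address."""
    return {i.tag: ipaddress.ip_interface(f"{i.findtext('ipaddr')}/{i.findtext('subnet')}")
            for i in root.find("interfaces") if i.findtext("ipaddr")}

def owned_addresses(root):
    """Addresses the firewall answers for: interface IPs plus single-type VIPs."""
    owned = {str(i.ip) for i in interface_networks(root).values()}
    owned.update(vip.findtext("subnet") for vip in root.iter("vip"))
    return owned

def outbound_nat_unowned_targets(root):
    """(source network, target) for outbound NAT rules translating to an address
    the firewall does not own; replies to that traffic have nowhere to return."""
    owned = owned_addresses(root)
    return [(r.findtext("source/network"), r.findtext("target"))
            for r in root.iterfind("nat/advancedoutbound/rule")
            if r.findtext("target") not in owned]

def alias_table(root):
    """Alias name -> list of member addresses, networks or ports."""
    return {a.findtext("name"): a.findtext("address").split()
            for a in root.iterfind("aliases/alias")}

def _is_address(text):
    """True for a literal IP address or CIDR network."""
    try:
        ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False
    return True

def wan_exposure(root):
    """(host, port, descr) for every enabled WAN pass rule with aliases expanded;
    host is None where the rule names an alias that does not exist."""
    aliases, rows = alias_table(root), []
    for rule in root.iterfind("filter/rule"):
        if (rule.findtext("interface") != "wan" or rule.findtext("type") != "pass"
                or rule.find("disabled") is not None):
            continue
        addr = rule.findtext("destination/address", "any")
        hosts = aliases.get(addr, [addr] if addr == "any" or _is_address(addr) else [None])
        rows.extend((h, rule.findtext("destination/port"), rule.findtext("descr"))
                    for h in hosts)
    return rows

def undefined_alias_refs(root):
    """Filter-rule <address> names that are neither literal addresses nor aliases."""
    aliases = alias_table(root)
    return sorted({a.text for r in root.iterfind("filter/rule") for a in r.iter("address")
                   if a.text and a.text not in aliases and not _is_address(a.text)})

def vip_overlaps(root):
    """(vip, interface it is bound to, other interface whose subnet contains it)."""
    nets = interface_networks(root)
    return [(vip.findtext("subnet"), vip.findtext("interface"), name)
            for vip in root.iter("vip") for name, net in nets.items()
            if name != vip.findtext("interface")
            and ipaddress.ip_address(vip.findtext("subnet")) in net.network]
```

Feed a real export to `load_config()` to run the same checks on it. On the constructed sample, `outbound_nat_unowned_targets` flags the 203.0.113.134 rule, `undefined_alias_refs` returns `Blackberry`, `wan_exposure` lists the two mail hosts behind `CORREO` and skips the disabled rule, and `vip_overlaps` reports the WAN VIP that sits inside the DMZ /29, the same arrangement the second post describes.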