How to expose a local lan ip to the internet?



  • Hi
    I am new to pfSense and I have been looking for how to
    create a 'simple DMZ' kind of setup, like a cheap Linksys router
    where you can specify an IP for a 'DMZ'. This IP is in the LAN,
    say 192.168.1.101, and it's fully exposed to the internet.

    I have been searching through so many documents but
    nothing seems to be talking about what I want to do..

    I have created some firewall WAN rules that say
    any protocol, any source, any port, goes to 192.168.1.101

    However I did a remote desktop test to the WAN IP but
    it did not work.

    I need to do a couple of these kinds of setup to get things
    going first. I don't care about security, I just want 2 IPs
    fully exposed to the internet.

    Can someone help me on this?

    Eagleeye?



  • Your rule will not put a DMZ on the machine but instead route all traffic to this machine; however, if it didn't work you probably did it the wrong way. I suspect the default rule blocking private network traffic is blocking you for some reason.

    Try it the proper way first by specifying a protocol and port number routed to your machine (i.e. the RDP port).

    If you really want a DMZ, the clean way is a dedicated DMZ interface, since the wildcarded rules will not interfere with the other machines of the same network.



  • You will need to add a NAT rule also.


  • LAYER 8 Moderator

    That sounds like a job for a 1:1 NAT Rule..

    (..and to hell with those "cheap router documentation" for using the word "DMZ" for sth like a 1:1 NAT or a fully exposed host. That has brought so many problems to customers I can't count them anymore >:()



  • @Grey:

    That sounds like a job for a 1:1 NAT Rule..

    Hi, thanks to all that helped, I will try it out later…

    BTW 1:1 NAT does not allow ... to local IP. So it seems
    there is no way to configure ANY IP to a local IP using 1:1 NAT.
    Maybe you can elaborate, I am interested!

    I have to use "Linksys DMZ Host" until I find time to do it 'properly'

    Eagleeye



  • The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.


  • LAYER 8 Moderator

    That's what I thought he wanted when he was saying "expose 2 IPs to the internet". But now after reading it again I wonder, if he wants two internal IPs exposed to the internet (with only one external). That's a no go. You can't simply forward all traffic from the outside to two internal IPs - that would be like "copying" traffic and neither of the internal hosts would know if that traffic is meant for him.



  • @blak111:

    The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.

    Ah yes, that's what I thought, 1:1 NAT does NOT allow the specifying of ... as the source IP
    to the internal address of 192.168.1.11 for example.
    Since the source user does NOT have a fixed IP address this won't work.

    OK, I realize now that to have 2 IPs configured to have any incoming source
    does not make sense because the FW will not know how to forward the traffic.

    Eagleeye
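
The two approaches discussed in the thread, a single port forward and a 1:1 NAT, written out as an added example in hand-written FreeBSD pf.conf syntax (pf is the packet filter pfSense is built on); this is not from any poster and not output generated by pfSense, where the same rules are created in the GUI. The interface name and public addresses are assumptions; only 192.168.1.101 and the RDP test come from the thread.

```conf
# Constructed values: em0 and the 203.0.113.x addresses are placeholders
# (documentation range), not taken from the thread.
ext_if   = "em0"             # assumed WAN interface
ext_ip   = "203.0.113.10"    # assumed primary WAN address
ext_ip2  = "203.0.113.11"    # assumed second public address, for 1:1 NAT only
rdp_host = "192.168.1.101"   # internal host named in the thread

# --- Translation rules (pf evaluates these before the filter rules) ---

# Option A: port forward. Only TCP 3389 arriving at the WAN address is
# rewritten to the internal host; everything else stays on the firewall.
rdr on $ext_if inet proto tcp from any to $ext_ip port 3389 -> $rdp_host port 3389

# Option B: 1:1 NAT. Every packet to ext_ip2 is rewritten to the internal
# host, from any source. It uses up one whole public address per internal
# host, so one WAN address cannot be mapped 1:1 onto two hosts.
# ext_ip2 must be assigned or routed to the firewall for this to work.
binat on $ext_if inet from $rdp_host to any -> $ext_ip2

# --- Filter rules ---

# Translation has already happened when this rule is evaluated, so the
# destination to match is the internal address, not the WAN address.
# A WAN pass rule pointing at 192.168.1.101 without a translation rule
# above never matches, because no packet arrives carrying that destination.
block in on $ext_if all
pass in on $ext_if inet proto tcp from any to $rdp_host port 3389 flags S/SA keep state
```

With Option B the filter rule still decides what reaches the host: widening it from port 3389 to all protocols is what turns the 1:1 mapping into the "fully exposed" host the consumer routers call a DMZ.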

