Netgate Discussion Forum

    How to expose a local lan ip to the internet?

      eagleeye

      Hi
      I am new to pfSense and I have been looking for how to
      create a 'simple Dmz' kind of setup.. like a cheap linksys router
      where you can specify an IP for a 'DMZ' this IP is in the lan
      say 192.168.1.101 and its fully exposed to the internet.

      I have been searching through so many documents but
      nothing seems to be talking about what I want to do..

      I have created some firewall WAN rules that says
      any protocol , any source, any port , goes to 192.168.1.101

      However I did a remote desktop test to the WAN IP but
      it did not work.

      I need to do a couple of these kinds of setup to get things
      going first. I don't care about security, I just want 2 IPs
      fully exposed to the internet.

      Can someone help me on this?

      Eagleeye?

        Sh4

        Your rule will not put a DMZ on the machine but instead route all traffic to this machine. However, if it didn't work you probably did it the wrong way; I suspect the default rule blocking private networks traffic is blocking you for some reason.

        Try it the proper way first by specifying a protocol and port number routed to your machine (i.e. the RDP port).

        If you really want a DMZ, the clean way is a dedicated DMZ interface, since the wildcarded rules will not interfere with the other machines of the same network.

        pfSense 1.2
        24x [DELL PowerEdge 1950 III]
        -2x Quad Core Intel Xeon E5420 2.5GHz
        -8GB FB 667MHz Memory (4x2GB) Memory RAID 2x4GB
        -PERC 6/i RAID Controller
        -Intel® PRO 1000PT Dual Port PCIe x4

          sai

          You will need to add a NAT rule also.

            JeGr LAYER 8 Moderator

            That sounds like a job for a 1:1 NAT Rule..

            (..and to hell with those "cheap router documentation" for using the word "DMZ" for something like a 1:1 NAT or a fully exposed host. That has brought so many problems to customers I can't count them anymore >:()

            Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

            If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              eagleeye

              @Grey:

              That sounds like a job for a 1:1 NAT Rule..
              …

              Hi Thanks to all that helped, I will try it out later…

              BTW 1:1 NAT does not allow ... to local IP. So it seems
              there is no way to configure ANY IP to a local IP using 1:1 NAT.
              Maybe you can elaborate, I am interested!

              I have to use "linksys DMZ Host" until I find time to do it 'properly'

              Eagleeye

                blak111

                The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.

                  JeGr LAYER 8 Moderator

                  That's what I thought he wanted when he was saying "expose 2 IPs to the internet". But now after reading it again I wonder if he wants two internal IPs exposed to the internet (with only one external). That's a no go. You can't simply forward all traffic from the outside to two internal IPs - that would be like "copying" traffic and neither of the internal hosts would know if that traffic is meant for him.

                    eagleeye

                    @blak111:

                    The 1:1 NAT will map all traffic from an outside address to an inside address regardless of where it comes from.

                    Ah yes, that's what I thought, 1:1 NAT does NOT allow the specifying of ... as the Source IP
                    to the internal address of 192.168.1.11 for example.
                    Since the source user does NOT have a Fixed IP address this won't work.

                    OK I realize now that to have 2 IPs configured to have any incoming source
                    does not make sense because the FW will not know how to forward the traffic.

                    Eagleeye
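
Added example, not part of any post in this thread and not output from pfSense: the two approaches discussed above (a port forward for the RDP port, and 1:1 NAT) written in pf.conf syntax, the packet filter pfSense is built on. The interface name, the public addresses (documentation range) and the second LAN host are assumptions.

```pf
# Constructed example; every name and address below is an assumption
# except 192.168.1.101, which is the LAN host from the first post.
ext_if  = "em0"            # WAN interface (hypothetical name)
ext_ip  = "203.0.113.10"   # primary WAN address (documentation range)
ext_ip2 = "203.0.113.11"   # second public address (documentation range)
host_a  = "192.168.1.101"  # LAN host that should answer RDP
host_b  = "192.168.1.102"  # second LAN host (hypothetical)

# --- Translation rules: applied before the filter rules below ---

# Port forward: only TCP 3389 arriving on the WAN address is rewritten
# to host_a. Everything else sent to $ext_ip is left untranslated.
rdr on $ext_if inet proto tcp from any to $ext_ip port 3389 -> $host_a port 3389

# 1:1 NAT: every protocol and port addressed to $ext_ip2 is rewritten to
# host_b, and host_b's outbound traffic leaves as $ext_ip2. The mapping is
# keyed on the public address only, so there is no source to specify here.
binat on $ext_if inet from $host_b to any -> $ext_ip2

# Translation rules are first-match: a second rdr or binat for the same
# public address (and port) pointing at another host would never be used.
# One public address can therefore fully expose one internal host, not two.

# --- Filter rules: these see the packet after translation ---

# Default: drop and log unsolicited inbound traffic on WAN.
block in log on $ext_if all

# A WAN pass rule alone does nothing without the rdr above, and once the
# rdr has run the destination is the internal address, so that is what
# the rule must name.
pass in on $ext_if inet proto tcp from any to $host_a port 3389 flags S/SA keep state

# Fully exposed host behind the 1:1 mapping. Narrow this to the
# protocols and ports host_b actually serves wherever possible.
pass in on $ext_if inet from any to $host_b keep state
```

In the pfSense GUI the translation rules correspond to the Port Forward and 1:1 tabs under Firewall > NAT, and the pass rules to Firewall > Rules on the WAN tab.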
