Netgate Discussion Forum

    Firewall only, no NAT (All Public IPs behind PfSenseFW)

    Firewalling
    4 Posts 3 Posters 1.3k Views
    • mslaga

      To help clarify what I am trying to do, I've included a visio drawing.

      I'm planning to use pfSense to create an isolated two layer DMZ (Presentation DMZ with public IPs, and a Hosted DMZ with private IPs).

      I'm good with the configuration on the hosted DMZ firewall, that's pretty basic configuration there.  Where I would like some advice is with the External to Presentation DMZ configuration.

      I have a 28-bit public IP range from our ISP where the pfSense router will use one of those IPs as its WAN interface.  However, I will need to assign public IPs in the same subnet to servers located in the presentation DMZ.  These servers (essentially proxies) are dual-homed (2 NICs) that span both the Presentation DMZ and Hosted DMZ subnets.  One NIC will have a public IP (Pres DMZ), the other has a private IP (Hosted DMZ).

      Since the WAN IP and the host behind it will be on the same IP range, I know that will have some potential issues. 
      To do this with pfSense, would it be best to use 1:1 NATs instead?  That would mean the Presentation and Hosted DMZs would each have private IP subnets instead of public IPs.

      I'm open to suggestions, thanks in advance.

      Matt

      DMZDrawing-v1.0.jpg

      • johnpoz, LAYER 8 Global Moderator

        I have a 28-bit public IP range from our ISP where the pfSense router will use one of those IPs as its WAN interface.  However, I will need to assign public IPs in the same subnet to servers located in the presentation DMZ.

        That is not how you put a public network behind a router/firewall. You would need this /28 actually routed to you, vs. being just a leg of the ISP network that they gave you some IPs in… They should route this /28 to you via a transit network. Then you can put that network behind any router/firewall you want.

        If you cannot get it routed to you, and you want to completely expose these devices, then sure, just doing a 1:1 NAT for these servers would be the best option.

        • mslaga

          I completely agree, a separate fully routed public IP network would be best, but is not an option in this case.

          Other than 1:1 NAT, if I configured the presentation DMZ with private addresses can I assign different public IPs on the FW to the internal hosts?  Would that be with 'Virtual IPs' in pfSense?

          I've done similar configurations with Cisco PIX/ASA with statics, just trying to figure out the naming pfSense uses.

          Thanks!

          • Derelict, LAYER 8 Netgate

            I've done similar configurations with Cisco PIX/ASA with statics, just trying to figure out the naming pfSense uses.

            Right. Static NAT on an ASA is like 1:1 NAT on pfSense. Assign the VIP to WAN and 1:1 NAT it to the real IP.


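The design the replies converge on (the /28 is not routed to you, so pfSense's WAN address and every public server address sit in the same ISP subnet, and each public address is carried as an IP Alias VIP on WAN with a 1:1 NAT to a private host in the presentation DMZ) is easy to get subtly wrong. Below is an added example, written for this edit and not code from the thread or from pfSense, that checks such a plan for the collisions a non-routed block makes possible and renders the pf rules the GUI objects correspond to. All addresses are constructed: 203.0.113.0/28 (TEST-NET-3) stands in for the ISP block, 10.10.10.0/24 for the private presentation DMZ; the interface name `em0` and the allowed ports are assumptions, and the rule text is a hand-written approximation of what pfSense generates, not its output.

```python
"""Plan check for 1:1 NAT behind a non-routed /28 (added example, not from the thread).

Constructed addresses: 203.0.113.0/28 as the ISP block, 10.10.10.0/24 as the
private presentation DMZ. Interface name and ports are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class OneToOne:
    public_ip: str   # VIP that becomes an IP Alias on WAN
    private_ip: str  # real address of the proxy in the presentation DMZ


def check_plan(isp_block: str, isp_gateway: str, wan_ip: str, mappings: List[OneToOne]) -> List[str]:
    """Return the problems with a plan; an empty list means it is consistent.

    A non-routed /28 means the ISP router only delivers traffic for addresses
    inside the block, so every VIP must be inside it and must not collide with
    the network/broadcast address, the ISP gateway, or pfSense's own WAN address.
    """
    block = ipaddress.ip_network(isp_block, strict=True)
    gateway = ipaddress.ip_address(isp_gateway)
    wan = ipaddress.ip_address(wan_ip)
    problems: List[str] = []

    for name, addr in (("ISP gateway", gateway), ("WAN address", wan)):
        if addr not in block or addr in (block.network_address, block.broadcast_address):
            problems.append(f"{name} {addr} is not a usable host address in {block}")

    taken = {block.network_address, block.broadcast_address, gateway, wan}
    seen_private = set()
    for m in mappings:
        pub = ipaddress.ip_address(m.public_ip)
        priv = ipaddress.ip_address(m.private_ip)
        if pub not in block:
            problems.append(f"VIP {pub} is outside {block}; the ISP router has no route for it")
        elif pub in taken:
            problems.append(f"VIP {pub} collides with an address already in use in {block}")
        else:
            taken.add(pub)
        if not any(priv in n for n in RFC1918):
            problems.append(f"1:1 target {priv} is not an RFC 1918 address; the DMZ side should be private")
        if priv in seen_private:
            problems.append(f"private host {priv} is mapped to more than one VIP")
        seen_private.add(priv)
    return problems


def render_pf(wan_if: str, mappings: List[OneToOne], tcp_ports: List[int]) -> List[str]:
    """Approximate the pf rules behind Firewall > Virtual IPs, NAT > 1:1 and Rules > WAN.

    1:1 NAT is applied before filtering, so the WAN pass rules must match the
    PRIVATE (post-translation) address, never the VIP.
    """
    lines: List[str] = []
    for m in mappings:
        lines.append(f"# Firewall > Virtual IPs: IP Alias {m.public_ip} on {wan_if}")
        lines.append(f"binat on {wan_if} from {m.private_ip} to any -> {m.public_ip}")
    for m in mappings:
        for port in tcp_ports:
            lines.append(f"pass in quick on {wan_if} inet proto tcp from any to {m.private_ip} port {port} keep state")
    lines.append(f"block in quick on {wan_if}")  # everything not explicitly passed is dropped
    return lines


# Constructed sample plans (TEST-NET-3 public side, RFC 1918 DMZ side).
ISP_BLOCK = "203.0.113.0/28"
ISP_GATEWAY = "203.0.113.1"
WAN_IP = "203.0.113.2"
GOOD_PLAN = [OneToOne("203.0.113.3", "10.10.10.3"), OneToOne("203.0.113.4", "10.10.10.4")]
# The mistakes the thread warns about: reusing the WAN address, a VIP outside
# the /28, and a DMZ host that is not actually on a private range.
BAD_PLAN = [
    OneToOne("203.0.113.2", "10.10.10.9"),
    OneToOne("203.0.113.20", "10.10.10.20"),
    OneToOne("203.0.113.5", "192.0.2.5"),
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(ISP_BLOCK, ISP_GATEWAY, WAN_IP, plan) or "ok")
    print("\n".join(render_pf("em0", GOOD_PLAN, [80, 443])))
```

Running it prints an empty problem list for the first plan and three findings for the second, followed by the rule set for the good plan. The point of the pass rules matching `10.10.10.x` rather than `203.0.113.x` is the one that trips people coming from ASA statics: on pfSense the translation has already happened by the time WAN rules are evaluated.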
            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.