
Topic: Please help with DMZ

smoked1
Please help with DMZ
« on: November 14, 2005, 05:50:02 pm »
I have pfsense 0.93 set up as follows:

WAN: 67.153.177.34/27
LAN : 192.168.0.1/24 w/ NAT
DMZ: 67.153.177.43/27

I am trying to set this up so that clients on the network are using NAT on the LAN interface and the web server is using public IPs on the DMZ interface. What else do I need to do to get the DMZ to work? Do I need to set up Virtual IPs? The web server is already set up to use the public IPs, so I am planning on just switching it over to the firewall and being up and running. I have never set up a firewall to allow nodes to use public IPs this way. I have always used NAT.

lsf
Re: Please help with DMZ
« Reply #1 on: November 14, 2005, 07:24:08 pm »
Just configure your DMZ with public IP's.
And create any needed rules.
-lsf

smoked1
Re: Please help with DMZ
« Reply #2 on: November 16, 2005, 11:50:23 pm »
I managed this by bridging the DMZ interface with the WAN interface and then creating firewall rules for it.

submicron (Guest)
Re: Please help with DMZ
« Reply #3 on: November 21, 2005, 11:08:17 pm »
Bridging OPT1 with WAN was what I did and it's, by far, one of the simplest configurations. Be aware that this will make it impossible to configure CARP failover.

Alternatively you could use Proxy ARP, which would require some minor configuration of your DMZ machines. This (I think) will also break CARP failover, and frankly, I can't think of any good reason to use this solution versus bridging the two interfaces.

Finally, you could alias a bunch of IP addresses to WAN and use 1:1 NAT.  This is the most intrusive solution in terms of configuring your DMZ machines, but it means you can use CARP failover without drama and would allow you to obscure the actual IP addresses of your DMZ machines.
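The three options above (bridge OPT1 to WAN, proxy ARP, or 1:1 NAT) all exist for one reason: the DMZ address in the original post, 67.153.177.43/27, lies inside the same /27 as the WAN address, so the firewall cannot simply route it as a separate subnet on OPT1. The following Python script is an added example, not code from the thread or from pfSense: it checks whether the DMZ public addresses share the WAN segment, rejects addresses that cannot be assigned to a host, and, for the 1:1 NAT option, emits pf `binat` rules. The interface name `em0` and the private DMZ addresses are assumptions.

```python
"""Added example (not from the original thread or from pfSense):
classify a DMZ addressing plan for a pf-based firewall and emit pf
'binat' rules for the 1:1 NAT option."""
import ipaddress

WAN_IF = "em0"                  # assumed WAN interface name
WAN_ADDR = "67.153.177.34/27"   # WAN address from the post
DMZ_PUBLIC = ["67.153.177.43"]  # DMZ public address from the post


def same_l2_segment(wan_cidr, dmz_ips):
    """True if every DMZ public IP lies inside the WAN interface subnet.

    In that case the upstream router ARPs for these addresses on the WAN
    wire, so OPT1 cannot carry them as a routed subnet: the firewall has to
    bridge OPT1 to WAN, answer ARP for them (proxy ARP), or hide the DMZ
    hosts behind 1:1 NAT.
    """
    wan = ipaddress.ip_interface(wan_cidr)
    return all(ipaddress.ip_address(ip) in wan.network for ip in dmz_ips)


def validate_public_ips(wan_cidr, dmz_ips):
    """Return a list of error strings for DMZ addresses that cannot be used:
    the network address, the broadcast address, the WAN interface's own
    address, or a duplicate."""
    wan = ipaddress.ip_interface(wan_cidr)
    errors, seen = [], set()
    for ip in dmz_ips:
        a = ipaddress.ip_address(ip)
        if a in (wan.network.network_address, wan.network.broadcast_address):
            errors.append(f"{ip}: network/broadcast address of {wan.network}")
        elif a == wan.ip:
            errors.append(f"{ip}: already the WAN interface address")
        elif a in seen:
            errors.append(f"{ip}: duplicate")
        seen.add(a)
    return errors


def recommend(wan_cidr, dmz_ips, need_carp=False):
    """Pick an approach. 'routed' when the DMZ block is separate from WAN;
    otherwise 1:1 NAT if CARP failover is required (bridging and proxy ARP
    break CARP, as noted in the thread), else bridging for simplicity."""
    if not same_l2_segment(wan_cidr, dmz_ips):
        return "routed"
    return "1to1-nat" if need_carp else "bridge"


def binat_rules(wan_if, mapping):
    """Emit pf 'binat' (bidirectional 1:1 NAT) rules.

    mapping: {private_dmz_ip: public_ip}. Each rule translates the public
    address to the private one inbound and back outbound on the WAN side.
    """
    return [f"binat on {wan_if} from {priv} to any -> {pub}"
            for priv, pub in sorted(mapping.items())]


def pass_rules(wan_if, mapping, tcp_ports):
    """Emit matching pf filter rules. pf applies binat before filtering on
    inbound packets, so the pass rule must match the translated (private)
    address, not the public one."""
    rules = []
    for priv in sorted(mapping):
        for port in tcp_ports:
            rules.append(f"pass in on {wan_if} proto tcp from any to {priv} port {port}")
    return rules


if __name__ == "__main__":
    print("shared segment:", same_l2_segment(WAN_ADDR, DMZ_PUBLIC))
    print("errors:", validate_public_ips(WAN_ADDR, DMZ_PUBLIC))
    print("recommendation (no CARP):", recommend(WAN_ADDR, DMZ_PUBLIC))
    print("recommendation (CARP):", recommend(WAN_ADDR, DMZ_PUBLIC, need_carp=True))
    # assumed private address for the web server behind 1:1 NAT
    mapping = {"10.0.1.10": "67.153.177.43"}
    for r in binat_rules(WAN_IF, mapping) + pass_rules(WAN_IF, mapping, [80, 443]):
        print(r)
```

The `binat` and `pass` lines are raw pf syntax; on pfSense the same mapping is entered through the 1:1 NAT and Virtual IP pages rather than by editing pf.conf by hand, but the ordering caveat (filter rules see the translated address) applies either way.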