[pfSense] pfSense help with creating rules
athompso at athompso.net
Thu Feb 9 20:45:17 EST 2012
> > Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29
> > with a gateway of .30
> > So I have a few other public IP's on servers that I wanted on a
> > DMZ. Just port 80 actually.
> > So I want traffic on port 80 coming in through WAN getting routed
> > to .27 which is on the DMZ. That way people hit my domain they get
> > that box.
> > So far I am not having luck getting this to work. I certainly have
> > a misunderstanding, I am just not sure what.
> > -Jason
> Ok, so it sounds like your provider handed you a /29. To firewall
> that behind pfSense, you need them to route that /29 to you over a
> /30. The /30 goes on the WAN interface, the /29's gateway IP goes
> on your DMZ interface.
> You can use bridging mode to work around this, but the right way to
> do it is with routing as described above.
> Nathan Eisenberg
While I agree with Nathan about which is the "right" way to do it, the
vast majority of ISPs won't have a clue what you're talking about. Or,
like most ISPs here, you might find someone who understands, but tells you
they simply can't do it (or don't offer that as a product). There's a
very high probability you'll be forced to do it the 'wrong' way, at which
point you do have more than one option.
Port forwarding is a common solution to this problem, more so than
bridging in my experience. You bind the entire /29 range of IPs to the
public (WAN) interface on your firewall, and use two different private
address ranges on your DMZ and your LAN. Set up port-forwarding from the
WAN to the DMZ interface, and then use regular firewall rules to regulate
traffic between the LAN and the DMZ.
One notable downside to this technique is that is pretty much calls for
split DNS; if your outside service is known as "www.mycompany.com" which
resolves to (e.g.) 188.8.131.52, which is bound to the WAN and port-forwards
to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override
in pfSense's DNS server so that when LAN clients request the IP for
"www.mycompany.com" they get directed straight to 192.168.100.27 without
going through the port forwarding.
Or you can just rely on the NAT Reflection feature if you don't want to
use split DNS, but that creates some subtle issues with certain
applications and protocols. I find that split DNS works best, as long as
ALL the systems are pointing to your pfSense box for DNS resolution. (Or
to another DNS server, it doesn't matter as long as every system behind
the firewall sees the same information.)
The alternative is, as Nathan mentioned, bridging, wherein you either set
up two firewalls (one in transparent mode, one in NAT mode), or a very
complex setup on a single firewall.
Note that doing anything other than "right" solution (routing it properly)
will increase the amount of horsepower you need in a firewall, and
probably slightly decrease overall throughput. This decrease may be
negligible if you're running pfSense on a fast-enough server, and you
probably won't be able to notice it anyway if you aren't running gigabit
athompso at athompso.net
More information about the List