[pfSense] pfSense help with creating rules
Adam Thompson
athompso at athompso.net
Thu Feb 9 20:45:17 EST 2012
> > Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29
> > with a gateway of .30
> > So I have a few other public IP's on servers that I wanted on a
> > DMZ. Just port 80 actually.
> > So I want traffic on port 80 coming in through WAN getting routed
> > to .27 which is on the DMZ. That way people hit my domain they get
> > that box.
> > So far I am not having luck getting this to work. I certainly have
> > a misunderstanding, I am just not sure what.
> > -Jason
> Ok, so it sounds like your provider handed you a /29. To firewall
> that behind pfSense, you need them to route that /29 to you over a
> /30. The /30 goes on the WAN interface, the /29's gateway IP goes
> on your DMZ interface.
> You can use bridging mode to work around this, but the right way to
> do it is with routing as described above.
> Nathan Eisenberg
While I agree with Nathan about which is the "right" way to do it, the
vast majority of ISPs won't have a clue what you're talking about. Or,
like most ISPs here, you might find someone who understands, but tells you
they simply can't do it (or don't offer that as a product). There's a
very high probability you'll be forced to do it the 'wrong' way, at which
point you do have more than one option.
Port forwarding is a common solution to this problem, more so than
bridging in my experience. You bind the entire /29 range of IPs to the
public (WAN) interface on your firewall, and use two different private
address ranges on your DMZ and your LAN. Set up port-forwarding from the
WAN to the DMZ interface, and then use regular firewall rules to regulate
traffic between the LAN and the DMZ.
One notable downside to this technique is that it pretty much calls for
split DNS; if your outside service is known as "www.mycompany.com" which
resolves to (e.g.) 75.0.0.27, which is bound to the WAN and port-forwards
to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override
in pfSense's DNS server so that when LAN clients request the IP for
"www.mycompany.com" they get directed straight to 192.168.100.27 without
going through the port forwarding.
Or you can just rely on the NAT Reflection feature if you don't want to
use split DNS, but that creates some subtle issues with certain
applications and protocols. I find that split DNS works best, as long as
ALL the systems are pointing to your pfSense box for DNS resolution. (Or
to another DNS server, it doesn't matter as long as every system behind
the firewall sees the same information.)
The alternative is, as Nathan mentioned, bridging, wherein you either set
up two firewalls (one in transparent mode, one in NAT mode), or a very
complex setup on a single firewall.
Note that doing anything other than the "right" solution (routing it properly)
will increase the amount of horsepower you need in a firewall, and
probably slightly decrease overall throughput. This decrease may be
negligible if you're running pfSense on a fast-enough server, and you
probably won't be able to notice it anyway if you aren't running gigabit
Ethernet speeds.
-Adam Thompson
athompso at athompso.net
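An added example, not part of the thread or of pfSense itself, of the layout Adam describes (the whole /29 on WAN, TCP/80 forwarded to a private DMZ host, split DNS on the firewall's resolver), written as a raw pf.conf fragment plus the matching Unbound override that pfSense's GUI would generate equivalents of; the interface names, the DMZ subnet 192.168.200.0/24 and the LAN subnet 192.168.100.0/24 are assumptions.

```pf
# Constructed example: the /29 lives on WAN as virtual IPs, DMZ and LAN use
# private ranges, and only TCP/80 for the public web address is forwarded.
wan = "em0"
dmz = "em1"
lan = "em2"
public_www = "75.0.0.27"        # public address that www.mycompany.com resolves to
dmz_www    = "192.168.200.27"   # the real web server on the DMZ (assumed)
dmz_net    = "192.168.200.0/24"
lan_net    = "192.168.100.0/24"

# Translation rules come before filter rules in pf.conf.
# Port forward: WAN traffic for the public IP, TCP/80 only, goes to the DMZ host.
rdr on $wan inet proto tcp from any to $public_www port 80 -> $dmz_www port 80
# Outbound NAT so DMZ and LAN hosts leave through the WAN interface address.
nat on $wan inet from { $dmz_net, $lan_net } to any -> ($wan)

block all
# After rdr the destination is already the DMZ host, so the filter matches that.
pass in on $wan inet proto tcp from any to $dmz_www port 80 flags S/SA keep state
# DMZ must not initiate connections into the LAN ("quick" stops the later pass
# rule from overriding this block, since pf uses last-match semantics).
block in quick on $dmz from $dmz_net to $lan_net
pass in on $dmz from $dmz_net to any keep state
# LAN reaches the DMZ web server directly; split DNS sends clients there, so no
# NAT reflection is needed.
pass in on $lan from $lan_net to any keep state
pass out all keep state

# Split DNS on the firewall's resolver (Unbound syntax; a pfSense host override
# has the same effect) so LAN clients get the DMZ address, not the public one:
#   local-zone: "mycompany.com." transparent
#   local-data: "www.mycompany.com. IN A 192.168.200.27"
```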