> > Well my WAN has one of my 5 public IP's. I have 75.xx.xx.25 - .29
> > with a gateway of .30
> > So I have a few other public IP's on servers that I wanted on a
> > DMZ.  Just port 80 actually.
> > So I want traffic on port 80 coming in through WAN getting routed
> > to .27 which is on the DMZ. That way people hit my domain they get
> > that box.
> > So far I am not having luck getting this to work. I certainly have
> > a misunderstanding, I am just not sure what.
> > -Jason
> Ok, so it sounds like your provider handed you a /29.  To firewall
> that behind pfSense, you need them to route that /29 to you over a
> /30.  The /30 goes on the WAN interface, the /29's gateway IP goes
> on your DMZ interface.
> You can use bridging mode to work around this, but the right way to
> do it is with routing as described above.
> Nathan Eisenberg

While I agree with Nathan about which is the "right" way to do it, the 
vast majority of ISPs won't have a clue what you're talking about.  Or, 
like most ISPs here, you might find someone who understands, but tells you 
they simply can't do it (or don't offer that as a product).  There's a 
very high probability you'll be forced to do it the 'wrong' way, at which 
point you do have more than one option.

Port forwarding is a common solution to this problem, more so than 
bridging in my experience.  You bind the entire /29 range of IPs to the 
public (WAN) interface on your firewall, and use two different private 
address ranges on your DMZ and your LAN.  Set up port-forwarding from the 
WAN to the DMZ interface, and then use regular firewall rules to regulate 
traffic between the LAN and the DMZ.

One notable downside to this technique is that it pretty much calls for 
split DNS; if your outside service is known as "www.mycompany.com" which 
resolves to (e.g.) 75.0.0.27, which is bound to the WAN and port-forwards 
to (e.g.) 192.168.200.27 (on the DMZ), you may want to enter an override 
in pfSense's DNS server so that when LAN clients request the IP for 
"www.mycompany.com" they get directed straight to 192.168.100.27 without 
going through the port forwarding.

Or you can just rely on the NAT Reflection feature if you don't want to 
use split DNS, but that creates some subtle issues with certain 
applications and protocols.  I find that split DNS works best, as long as 
ALL the systems are pointing to your pfSense box for DNS resolution.  (Or 
to another DNS server, it doesn't matter as long as every system behind 
the firewall sees the same information.)

The alternative is, as Nathan mentioned, bridging, wherein you either set 
up two firewalls (one in transparent mode, one in NAT mode), or a very 
complex setup on a single firewall.

Note that doing anything other than the "right" solution (routing it properly) 
will increase the amount of horsepower you need in a firewall, and 
probably slightly decrease overall throughput.  This decrease may be 
negligible if you're running pfSense on a fast-enough server, and you 
probably won't be able to notice it anyway if you aren't running gigabit 
Ethernet speeds.

-Adam Thompson
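As an added illustration (not from the thread or from pfSense itself), this is roughly the pf ruleset that the port-forwarding layout Adam describes boils down to; interface names, the 75.0.0.24/29 block, and the 192.168.200.0/24 (DMZ) and 192.168.100.0/24 (LAN) ranges are assumptions for the example.

```pf
# Assumed interface names; pfSense assigns its own and generates this
# ruleset from the GUI (NAT > Port Forward, Firewall > Rules).
ext_if = "em0"        # WAN: ISP /29 (75.0.0.24/29) bound here, gateway .30
dmz_if = "em1"        # DMZ: private 192.168.200.0/24
lan_if = "em2"        # LAN: private 192.168.100.0/24

# Public address for the web server. In pfSense this is a Virtual IP
# (IP Alias) on WAN, so the firewall answers ARP for .27 on the ISP side.
www_pub = "75.0.0.27"
# Private address of the web server sitting on the DMZ.
www_dmz = "192.168.200.27"

# Port forward: inbound TCP/80 to the public .27 is rewritten to the DMZ host.
rdr on $ext_if proto tcp from any to $www_pub port 80 -> $www_dmz port 80

# pf evaluates filter rules after translation, so the pass rule matches the
# translated (private) destination, not the public one.
pass in on $ext_if proto tcp from any to $www_dmz port 80 flags S/SA keep state

# LAN -> DMZ: admit only what the DMZ publishes, drop everything else.
pass in on $lan_if proto tcp from $lan_if:network to $www_dmz port 80 keep state
block in on $lan_if from any to $dmz_if:network

# DMZ -> LAN: a compromised DMZ host must not be able to open connections
# into the LAN, so block anything it originates toward the LAN range.
block in on $dmz_if from any to $lan_if:network

# Split DNS (pfSense DNS Resolver "Host Override") is the Unbound entry
#   local-data: "www.mycompany.com. IN A 192.168.200.27"
# so LAN clients reach the DMZ host directly instead of via the rdr above.
```

Without the host override, LAN clients resolve www.mycompany.com to 75.0.0.27 and the connection only works if NAT Reflection is enabled, which is the case Adam warns about.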



_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
