Hello all,
I'm looking for advice regarding choosing a Bridge or 1:1 NAT for a
DMZ with pfSense.
The address space from the ISP is 111.111.111.8/29 within
111.111.111.0/24. In other words, I get addresses 8-15 within the
class C network. 7 of the 8 addresses are in use. The current
deployment is using Shorewall running under Linux.
The hosts in the DMZ are currently using public addresses (.9
through .14), and the firewall is using .8. The WAN NIC on the
firewall is configured as 111.111.111.8/24 and the DMZ NIC is
configured as 111.111.111.8/32 (yes, same IP, different masks). The
hosts in the DMZ are presented to the WAN interface via ProxyARP.
Hosts in the DMZ need to be accessible both from the LAN and from
inbound WAN.
From brief reading and experimentation, it would appear this type of
configuration is not an appropriate choice with pfSense. The
alternatives that appear to be available are moving the DMZ to
private addresses (192.168.2.0/24) and using 1:1 NAT, or configuring
the WAN and DMZ as a filtered bridge.
Going the 1:1 NAT approach, I will have to re-IP the hosts in the
DMZ. This is painful, but doable. I will also have to redo the
internal DNS maps for the DMZ. Annoying, but minor.
Going the bridging approach feels very much like the current ProxyARP
approach, and allows me to avoid the re-IP. However, most of the
discussion I've read in the mailing lists seems to be rather negative
on this approach, usually referring to LAN access (no longer an
issue?) and to shaping problems (still an issue?).
Is there a performance impact with either approach?
I would appreciate any guidance that anyone can offer.
Thanks,
Denny
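Added here as an illustration, not code from the post, from pfSense or from Shorewall: a small Python planner for the two layouts Denny describes. It derives the address roles from the /29 (firewall on .8, DMZ hosts .9-.14, one spare), emits the iproute2 equivalent of the current ProxyARP setup (same address on both NICs with different masks, /32 routes out the DMZ NIC, proxy_arp on the WAN NIC), and builds the public-to-private map plus pf binat rules for the 1:1 NAT option, checking that the new private DMZ does not overlap the LAN. The ISP block, firewall address, DMZ range and 192.168.2.0/24 come from the post; the interface names em0/em2, the LAN subnet 192.168.1.0/24 and the keep-the-last-octet mapping are assumptions for the example.

```python
"""Address plan for moving a public /29 DMZ from ProxyARP to 1:1 NAT.

Added example, not code from the post or from pfSense/Shorewall.
From the post: ISP block 111.111.111.8/29 inside 111.111.111.0/24,
firewall on .8, DMZ hosts .9-.14, private DMZ 192.168.2.0/24.
Assumed for illustration: interface names em0 (WAN) / em2 (DMZ),
LAN subnet 192.168.1.0/24, and mapping by keeping the last octet.
"""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("111.111.111.8/29")
ISP_PARENT = ipaddress.ip_network("111.111.111.0/24")
PRIVATE_DMZ = ipaddress.ip_network("192.168.2.0/24")
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN subnet
WAN_IF, DMZ_IF = "em0", "em2"                  # assumed interface names


def address_roles(block):
    """The /29 is carved out of the provider's /24, so all eight
    addresses are ordinary hosts of that /24: the first (.8) is the
    firewall, the last (.15) is the one unused address, and the six in
    between are the DMZ hosts."""
    addrs = list(block)
    return addrs[0], addrs[1:-1], addrs[-1]


def proxyarp_commands(block, parent, wan_if, dmz_if):
    """iproute2 equivalent of the current ProxyARP layout: the firewall
    address with the provider's /24 on the WAN NIC and as a /32 on the
    DMZ NIC, a /32 route per DMZ host out the DMZ NIC (more specific
    than the /24, so DMZ-bound traffic leaves the right way), and
    proxy_arp on the WAN NIC so the firewall answers ARP for .9-.14."""
    fw, hosts, _ = address_roles(block)
    cmds = [
        f"ip addr add {fw}/{parent.prefixlen} dev {wan_if}",
        f"ip addr add {fw}/32 dev {dmz_if}",
        f"sysctl -w net.ipv4.conf.{wan_if}.proxy_arp=1",
    ]
    cmds += [f"ip route add {h}/32 dev {dmz_if}" for h in hosts]
    return cmds


def nat_plan(block, private):
    """Public -> private map for 1:1 NAT that keeps the last octet
    (111.111.111.9 -> 192.168.2.9), refusing any host that would land
    outside the private subnet or on its network/broadcast address."""
    _, hosts, _ = address_roles(block)
    plan = {}
    for pub in hosts:
        priv = private.network_address + (int(pub) & 0xFF)
        if priv not in private or priv in (private.network_address,
                                           private.broadcast_address):
            raise ValueError(f"{pub} would map to unusable {priv}")
        plan[pub] = priv
    return plan


def pf_binat_rules(plan, wan_if):
    """Classic pf 'binat' rules, the mechanism underneath 1:1 NAT, one
    per DMZ host: inbound to the public address is translated to the
    private one and outbound from the private host is translated back."""
    return [f"binat on {wan_if} from {priv} to any -> {pub}"
            for pub, priv in plan.items()]


def dmz_subnet_is_usable(private, *internal_subnets):
    """A private DMZ that overlaps the LAN (or any other internal
    subnet) breaks return routing, so refuse the plan in that case."""
    return not any(private.overlaps(s) for s in internal_subnets)


if __name__ == "__main__":
    print("# current layout (ProxyARP, Linux iproute2):")
    print("\n".join(proxyarp_commands(ISP_BLOCK, ISP_PARENT, WAN_IF, DMZ_IF)))
    if not dmz_subnet_is_usable(PRIVATE_DMZ, LAN):
        raise SystemExit("private DMZ overlaps the LAN, pick another /24")
    print("# 1:1 NAT option (pf syntax):")
    print("\n".join(pf_binat_rules(nat_plan(ISP_BLOCK, PRIVATE_DMZ), WAN_IF)))
```

The bridge option needs no planner since the hosts keep their addresses; what it trades away is the clean L3 boundary that makes the LAN-to-DMZ and shaping rules easy to reason about, which is exactly the part of the mailing-list discussion the question asks about. The NAT map doubles as the source for the new internal DNS entries: each private address in the plan is what the LAN-side view should resolve to.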