I may be a bit outdated on my knowledge of this... but last time I checked... in a bridged situation, LAN clients were unable to access anything on the bridged interface. Has this changed?
Tim Nelson
Technical Consultant
Rockbochs Inc.

----- Original Message -----
From: "Gary Buckmaster" <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, August 20, 2007 11:31:18 AM (GMT-0600) America/Chicago
Subject: Re: [pfSense Support] Filtered bridge vs 1:1 NAT advice

Denny,

We currently use a 3-NIC, bridged DMZ setup for our firewall here. This solution works very well for the large number of Internet-facing servers. The benefits are exactly what you mentioned and there is no performance issue at all. LAN clients can access the DMZ servers without any additional configuration and it's really a pretty slick setup.

The only real caveat here is that CARP and bridge mode do not work together. Thus, with this setup, you will not be able to build a redundant firewall cluster using CARP. If this isn't a deal breaker for you, I'd advocate the bridged DMZ setup.

-Gary

Denny Page wrote:
> Hello all,
>
> I'm looking for advice regarding choosing a Bridge or 1:1 NAT for a DMZ with pfSense.
>
> The address space from the ISP is 111.111.111.8/29 within 111.111.111.0/24. In other words, I get addresses 8-15 within the class C network. 7 of the 8 addresses are in use. The current deployment is using Shorewall running under Linux.
>
> The hosts in the DMZ are currently using public addresses (.9 through .14), and the firewall is using .8. The WAN NIC on the firewall is configured as 111.111.111.8/24 and the DMZ NIC is configured as 111.111.111/32 (yes, same IP, different masks). The hosts in the DMZ are presented to the WAN interface via ProxyArp. Hosts in the DMZ need to be accessible both from the LAN and from inbound WAN.
>
> From brief reading and experimentation, it would appear this type of configuration is not an appropriate choice with pfSense. The alternatives that appear to be available are moving the DMZ to private addresses (192.168.2.0/24) and using 1:1 NAT, or configuring the WAN and DMZ as a filtered bridge.
>
> Going the 1:1 NAT approach, I will have to re-IP the hosts in the DMZ. This is painful, but doable. I will also have to redo the internal DNS maps for the DMZ. Annoying, but minor.
>
> Going the bridging approach feels very much like the current ProxyArp approach, and allows me to avoid the re-IP. However, most of the discussion I've read in the mailing lists seems to be rather negative on this approach, usually referring to LAN access (no longer an issue?) and to shaping problems (still an issue?).
>
> Is there a performance impact with either approach?
>
> I would appreciate any guidance that anyone can offer.
>
> Thanks,
>
> Denny
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> ---------------------------------------------------------------------
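As an added illustration that is not part of any message in this thread, here is what Denny's two alternatives look like when written as pf rules, the packet filter pfSense drives underneath its GUI. The interface names (em0 = WAN, em1 = DMZ, em2 = LAN), the LAN subnet, the single DMZ host 111.111.111.9 (mapped to 192.168.2.9 in the NAT variant) and the ports it exposes are assumptions made for the example; the thread only gives the /29 and the .9-.14 range.

```pf
# Added example, not code from any poster in this thread.
# Assumed interface names, LAN subnet, example DMZ host and ports.
# Load only ONE of the two sections below; they are alternatives.

wan     = "em0"
dmz     = "em1"
lan     = "em2"
lan_net = "192.168.1.0/24"      # assumed LAN subnet

### Option A: DMZ re-IPed to 192.168.2.0/24, exposed with 1:1 NAT (binat) ###
# binat is bidirectional: inbound packets to 111.111.111.9 are rewritten
# to 192.168.2.9 before filtering, and replies/outbound traffic from
# 192.168.2.9 leave the WAN as 111.111.111.9. pfSense's "1:1 NAT" page
# generates this kind of rule; add one line per DMZ host (.10 through .14).
binat on $wan from 192.168.2.9 to any -> 111.111.111.9

# pf translates before it filters, so inbound rules match the private
# (post-translation) address. Default deny, then only the exposed ports.
block in on $wan
pass in on $wan proto tcp from any to 192.168.2.9 port { 80 443 } \
    flags S/SA keep state

# LAN clients reach the DMZ by its private address, which is why the
# internal DNS map has to be redone: point the names at 192.168.2.x.
pass in on $lan proto tcp from $lan_net to 192.168.2.0/24 port { 80 443 } \
    flags S/SA keep state

### Option B: WAN and DMZ as a filtered bridge, DMZ keeps its public IPs ###
# bridge0 spans em0 and em1. For pf to see bridged frames on FreeBSD:
#   sysctl net.link.bridge.pfil_member=1   # filter on em0 / em1
#   sysctl net.link.bridge.pfil_bridge=0   # do not filter again on bridge0
# No binat: hosts keep 111.111.111.9-.14 and rules match the public address.
block in on $wan
pass in on $wan proto tcp from any to 111.111.111.9 port { 80 443 } \
    flags S/SA keep state

# LAN is routed (not bridged) onto the DMZ segment, so a rule on the LAN
# interface is what lets LAN clients reach the servers by public address.
pass in on $lan proto tcp from $lan_net to 111.111.111.8/29 port { 80 443 } \
    flags S/SA keep state
```

One practical point for Option A: binat only rewrites addresses; something on the firewall still has to answer ARP for 111.111.111.9-.14 on the WAN segment, which is what Shorewall's ProxyArp was doing. In pfSense that is done by adding each public address as a Virtual IP of the Proxy ARP type (or a CARP VIP when clustering), which is the step that replaces the old ProxyArp entries.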
