pfSense as front end for /24
-
OK, I need to use pfSense as a front end for my public /24 based on the fact my ISP is handing off a router allocation of /29 (https://forum.netgate.com/topic/166652/24-from-cogent/6)
Would I simply put the WAN on the /29 and the LAN on .1 of my assigned /24 (38.94.61.0/24) and then create permit all rules from WAN>LAN and LAN>WAN?
Or would I disable firewall and turn pfSense into only a routing platform?
Could it be that simple?
THX,
-J
-
@unsichtbarre I'd be tempted to do a 1:1 nat with just part of your /24 if the servers are running apps that are NAT friendly if you can:-
https://docs.netgate.com/pfsense/en/latest/nat/1-1.html#example-ip-address-range-1-1-configuration
38.94.61.1 -> 192.168.1.1
38.94.61.2 -> 192.168.1.2
38.94.61.3 -> 192.168.1.3
etc ...
-
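As an added example (not from the thread, and not pfSense's own generated ruleset), here is what that range 1:1 mapping looks like as a raw pf binat rule together with the filter rules it needs. The interface names, the 192.168.1.0/24 internal subnet and the web host at .2 are assumptions; the /24 is the one from the thread.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Assumed interface names; WAN holds one address out of the ISP's /29.
ext_if = "vmx0"                 # WAN
int_if = "vmx1"                 # LAN, 192.168.1.1/24 on the firewall
public_net = "38.94.61.0/24"    # the routed /24 from the thread
private_net = "192.168.1.0/24"  # same prefix length, so it maps host-for-host

set skip on lo0

# binat is bidirectional: 38.94.61.N <-> 192.168.1.N, .1 to .1, .2 to .2, ...
# Both networks must have the same mask or pf rejects the rule.
binat on $ext_if from $private_net to any -> $public_net

# pf translates inbound packets *before* filtering, so inbound rules are
# written against the private address, not the public one.
block in log all
# only the ports each host actually serves; assumed example: a web host on .2
pass in on $ext_if proto tcp from any to 192.168.1.2 port { 80, 443 }
# internal hosts may initiate outbound; replies come back on the same state
pass in on $int_if from $private_net to any
pass out all
```

Because filtering happens after translation, a rule written for 38.94.61.2 on the WAN would never match; this is the usual surprise when moving from routed public space to 1:1 NAT.
-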
@unsichtbarre So the /24 is the LAN subnet? The WAN would be one IP in the /29 and the LAN IP 38.94.61.1/24 or whatever IP you want. Your ISP routes the /24 subnet to your WAN IP, and pfSense will route that to the LAN network. Similar to NAT but without the actual translation. We have this setup in our data center (though with two routers in an HA setup).
If you add a permit all rule from any to LAN then that would effectively disable the firewall and allow all inbound traffic from the Internet. You could also just allow/disallow traffic as desired. (you wrote "WAN>LAN" but that's not necessary as the only thing besides pfSense in the WAN /29 network is the WAN gateway, unless you want that IP to have access to your LAN)
There should be a default allow LAN to any rule.
-
@steveits Great, thanks! Could I just disable firewall in advanced settings?
-
@unsichtbarre Sure, I suppose. That's a separate question from how to set up the interfaces/routing, but if you don't want a firewall, go ahead.
-
@steveits thanks, it's not so much that I don't want to firewall, but I would like to create a reliable front end for my /24 with pfSense, and then do stateful packet inspection downstream with other firewalls including pfSense.
-
For whatever it's worth, just saw this in another thread
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
-
@unsichtbarre said in pfSense as front end for /24:
Could I just disable firewall in advanced settings?
You could - but now you just exposed the pfSense web GUI, SSH etc. to whatever can talk to any IP on the box. Disabling the firewall might be an option for some internal use of pfSense as just a router, but not something I would suggest when it's routing public IP space.
As mentioned in another thread - just use any any if you want to just route. There is no advantage to disabling the firewall aspects unless it's performance related - and if your box can not route your traffic at speed with the firewall enabled then it's undersized anyway.
Then you can at least filter who can talk to the pfSense GUI, etc.
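As an added example (not from the thread, and not pfSense's own generated ruleset), this is the routed setup steveits describes (one /29 address on WAN, 38.94.61.1/24 on LAN, no translation) combined with the point made in this post: "any any" for the routed /24, but with the firewall's own addresses still protected so the GUI and SSH are not reachable from the whole Internet. Interface names and the management hosts (203.0.113.5 is from a documentation range) are assumptions.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Assumed interface names; WAN holds one address from the ISP's /29,
# LAN holds 38.94.61.1/24. The /24 is routed straight through, no NAT.
ext_if = "vmx0"
int_if = "vmx1"
public_net = "38.94.61.0/24"
mgmt = "{ 38.94.61.10, 203.0.113.5 }"   # assumed admin hosts

set skip on lo0

block in log all

# 1. Protect the firewall itself *before* the "any any" rules below.
#    `self` expands to every address configured on the box, WAN and LAN alike,
#    so this also covers 38.94.61.1 even though it sits inside the routed /24.
pass in quick proto icmp from any to self icmp-type echoreq   # ping for troubleshooting
pass in quick from $mgmt to self                              # GUI, SSH, anything the box listens on
block in quick log from any to self                           # everyone else gets nothing from pfSense itself

# 2. Route the /24 with no filtering ("any any"). Stateful inspection
#    is left to the downstream firewalls in front of each host or segment.
pass in quick on $ext_if from any to $public_net
pass in quick on $int_if from $public_net to any
pass out quick all
```

Rule order matters: the `to self` block is evaluated before the pass-everything rules, which is the whole difference between this and disabling the firewall. If pfSense also serves DNS or NTP to the LAN hosts, add those ports to the `to self` pass rules rather than loosening the block. In the pfSense GUI the same thing is expressed as WAN and LAN rules whose destination is "This Firewall (self)", placed above the any/any rules.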