PFSense Behind BW320 with Static IPs
-
I currently want to set up a PFSense Server (running on a R250) behind my BW320 for a homelab.
My IP block looks like
SUBNET MASK: 255.255.255.248
NETWORK BASE ADDRESS: ###.###.###.168
ROUTER: ###.###.###.174
BROADCAST: ###.###.###.175
USABLE RANGE: ###.###.###.169 -> ###.###.###.173
My network map looks like the following (With the desired IPs).
BW320 ➝ PFSense Server
➝ Brocade ICX 6450-48p (###.###.###.169) ➝ Wireless APs + Devices
➝ Web Server (###.###.###.170)
➝ Camera Server (###.###.###.171)
I have two options I understand
- Set BW320 into cascade mode -> and allow pfsense to dish out public IPs
- Set BW320 into *** Mode and connect the 3 devices I want static IPs directly to the BW320. (IP Passthrough)?
I would like to use my PFSense server to handout the public IPs, but am struggling how to set this up.
I am currently trying to cascade my PFsense into the BW320. (option 2)
Below are my cascade settings into PFSense
PFSense is set at 192.168.1.69
I was going to attach screenshots of PFsense, but I know it's not even remotely close to set up. I think I need to add a gateway? then do some NAT Rules to assign the public IPs?
Am I using DHCP as a WAN? or a Static IPv4?
Thanks, any help or direction is welcome.
-
@pkeogan You're aware that pfSense is a firewall and not a server, right?
-
@nollipfsense ???
I have PFSense running on a Dell Poweredge R250 (referred to in the first sentence in my original post), which the product itself is defined as a server. Hence, I referred to the server that is hosting pfsense as a pfsense server, which is bleed over from my own network map.
To answer your question, I am aware that PFSense is an application that can run on server equipment? yes, I am aware of that?
-
If in the cascaded router mode the public subnet is routed to pfSense, which the screenshot seems to imply, then you can just use it directly on a pfSense interface.
You don't need to add a gateway in pfSense. The interface IP will be the gateway for other devices in the subnet. Commonly that would be the first usable IP in the subnet but it doesn't have to be and you're using that for your switch already.
See: https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
Steve
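A sanity check for the routed-subnet layout described in the reply above, as an added example that is not part of the original post. The block 203.0.113.168/29 is a constructed documentation-range stand-in for the masked addresses, `plan_routed_subnet` is a hypothetical helper, and putting the pfSense interface on .173 is an assumption (the thread only says it need not be the first usable IP).

```python
import ipaddress

def plan_routed_subnet(base, mask, isp_router, pfsense_if, hosts):
    """Validate an address plan for a public subnet routed to pfSense.

    pfsense_if is the address on the pfSense internal interface; every
    device in `hosts` (name -> address) uses it as its default gateway.
    """
    # strict parsing raises ValueError if `base` is not the network address
    net = ipaddress.ip_network(f"{base}/{mask}")
    reserved = {
        net.network_address: "network base",
        net.broadcast_address: "broadcast",
        ipaddress.ip_address(isp_router): "ISP router",
    }
    used = {}
    for name, addr in [("pfSense interface", pfsense_if), *hosts.items()]:
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{name}: {ip} is outside {net}")
        if ip in reserved:
            raise ValueError(f"{name}: {ip} is the {reserved[ip]} address")
        if ip in used:
            raise ValueError(f"{name}: {ip} already assigned to {used[ip]}")
        used[ip] = name
    free = [str(h) for h in net.hosts() if h not in used and h not in reserved]
    return {
        "network": str(net),
        "gateway_for_hosts": str(ipaddress.ip_address(pfsense_if)),
        "assigned": {name: str(ip) for ip, name in used.items()},
        "free": free,
    }

# Constructed sample mirroring the layout in the original post.
SAMPLE_HOSTS = {
    "Brocade ICX 6450-48p": "203.0.113.169",
    "Web Server": "203.0.113.170",
    "Camera Server": "203.0.113.171",
}

def sample_plan(pfsense_if="203.0.113.173"):
    return plan_routed_subnet("203.0.113.168", "255.255.255.248",
                              "203.0.113.174", pfsense_if, SAMPLE_HOSTS)

if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key}: {value}")
```

With the switch already on the first usable address, the check rejects a plan that also puts the pfSense interface there, and it shows one address left unassigned in the /29.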
-
@pkeogan Is this an AT&T router? It looks like it, at least.
AT&T has an IP Passthrough mode where you can set the AT&T router to pass through to yours. I don't have AT&T anymore but IIRC it is by MAC address. It's set on the firewall tab, see:
https://forums.att.com/conversations/att-internet-equipment/bridgemode-vs-ip-passthrough-setup-information/5defbfffbad5f2f606ad5ed2
When I did it, it was via DHCP from AT&T. In that setup there's no need to mess with subnets or DHCP on the AT&T router. pfSense will just get a public IP via DHCP.
If you have multiple static IPs then I haven't done that myself, but in general one can add IP aliases to pfSense: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html
-
@pkeogan Cool, no problem; it wasn't clear as most folks would say they had pfSense running on R250 server.
-
@steveits said in PFSense Behind BW320 with Static IPs:
pfSense will just get a public IP via DHCP.
The interesting thing there is that's not what you want for a routed public subnet. If pfSense gets an IP from it on its WAN you have to use port forwards etc. You can't then use directly on an internal interface. The 'cascaded router' option might be better in this case. I've never seen that term before though so hard to say exactly what it does!
Steve
-
@stephenw10 Yeah thanks for clarifying that, not enough sleep, or coffee yet. I'm so used to doing it via the forwarding or 1:1 NAT.
@pkeogan Why do the devices need public IPs? If handling it via pfSense port forwards then you can control access via firewall rules and/or NAT source.
-
@steveits said in PFSense Behind BW320 with Static IPs:
Why do the devices need public IPs?
That's exactly why I asked whether he was aware that pfSense is a firewall and not a server.
-
Thank you for the direction. The lack of documentation from AT&T on what "cascade router" is lacking to say the least. I will run through the link you sent and see if I can get it set up.
-
@steveits My planned use for the public IPs are as follows:
- Any home network devices
- Camera Server
- Linux Web Server for Development
- Windows Web Server for Development
Prior to obtaining a block of static IPs, I used IP Passthrough on my BW320 (from AT&T) and set the device to the Linux Web Server for Development. Firewall was handled on the Linux Web Server, which only allowed access from a single IP (VPN). The server is accessed by a small team of devs, who have access to this VPN.
Maybe my above goals are not ideal, but it was just a starting point as I learn more about networking, as my primary skills are software development with light networking experience.
-
@pkeogan said in PFSense Behind BW320 with Static IPs:
I would like to use my PFSense server to handout the public IPs,
@pkeogan May I suggest that you take a look at the HaProxy package...