Suggestions for my configuration
-
Hello, I'm new here so please excuse me if I ask something stupid :)
I have a new broadband connection with a /28 [13 usable static IPs]. What I'd like to do is use a single pfSense box with three interfaces: WAN, Public DMZ LAN, Private LAN. The private LAN would just use the typical 10.0.0.x space. The public DMZ LAN would have my public services (mainly web & email), and I'd prefer if the servers in this group were each directly assigned public IP addresses. I'd like to be able to transparently firewall these IPs as well. The private LAN interface would take one of the IPs & just do typical dynamic NAT'ing on it for the private network clients.
Nothing major, pretty basic configuration. However, I'm a pfSense newbie (just use it currently to dynamically NAT my home network). One person has told me that I can't do transparent firewall/bridging & NAT'ing on the same pfSense box. Another person has told me it's possible, & mentioned something about using an optional interface or something. If it's not possible, I don't necessarily mind combining all of the boxes onto a single switch & just setting up a 1:1 static NAT for my public facing servers (while the rest use the dynamic NAT).
I'd like to know if this is possible so that I don't waste my time later trying to set it up (only to have to tear it back down & redo the topology). Thanks in advance for any suggestions/input! :)
-
You'll need three interfaces: WAN, LAN and OPT1.
Set up WAN with one of the addresses of that /28 address block and LAN with the address of your choice.
Set up the OPT1 interface so that it's bridged with WAN (Interfaces -> OPT1, "bridge with" option) and turn on the filtering bridge in the advanced options. That way you can use public addresses on the machines on the OPT1 net and you can control access to them by firewall rules. Note that the machines on the OPT1 net bridged to WAN should use the gateway address of that /28 address block as their default gateway. Also you cannot use pfSense as a DHCP server on the interface bridged to WAN.
Hope this helps.
-
Hey man, thanks for the reply! :) What you said makes sense, however I've decided to just keep everything on my private LAN & go with the 1:1 NAT option. This will make management easier for me & it'll eliminate the need for a couple of boxes on the network.
I guess my only question now is how I would go about setting up one of the static IPs for use in Dynamic NAT for client machines on the network, while using the rest of the static IPs for 1:1 NAT.
-
Nothing special is needed for that kind of setup: you use one of the public IP addresses for the WAN interface, and that address will be the address everything coming from LAN is NATed to by default. For the other addresses you set up 1:1 NAT with a virtual IP.
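As an added example (not code from this thread or from pfSense itself), the following Python script lays out a /28 the way the last reply describes and prints the pf-style rules that correspond to it: one `nat` rule that masquerades the LAN behind the WAN address and one `binat` rule per 1:1 mapping. It refuses to hand out the WAN address, the upstream gateway or an address outside the block as a virtual IP, which is the misconfiguration most worth catching. Addresses below are constructed documentation values, and `wan`/`10.0.0.0/24` are assumed names.

```python
import ipaddress

# Constructed example values: a documentation-range /28 standing in for the
# real block, the ISP's gateway inside it, and the private LAN behind pfSense.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/28")
UPSTREAM_GW = ipaddress.ip_address("203.0.113.1")   # ISP router, not ours
LAN_NET = ipaddress.ip_network("10.0.0.0/24")

def plan_addresses(block, gateway):
    """Return (wan_ip, [addresses free for 1:1 NAT]).

    The first usable host after the ISP gateway becomes the pfSense WAN
    address; every other usable host may become a virtual IP for 1:1 NAT.
    Network and broadcast addresses are never handed out.
    """
    if gateway not in block:
        raise ValueError("upstream gateway must sit inside the public block")
    usable = [h for h in block.hosts() if h != gateway]
    return usable[0], usable[1:]

def build_rules(wan_ip, spare, one_to_one, lan_net=LAN_NET, wan_if="wan"):
    """Emit pf-style rules mirroring the setup from the thread.

    LAN clients are NATed to the WAN address by default; each LAN server in
    `one_to_one` (private -> public) gets a dedicated public IP via binat.
    A mapping whose public side is not a free address in the block (e.g. the
    WAN address or the gateway) or whose private side is off the LAN is
    rejected, so a typo cannot hijack the firewall's own address.
    """
    rules = [f"nat on {wan_if} from {lan_net} to any -> {wan_ip}"]
    used = set()
    for private, public in one_to_one.items():
        private = ipaddress.ip_address(private)
        public = ipaddress.ip_address(public)
        if public not in spare or public in used:
            raise ValueError(f"{public} is not a free public address")
        if private not in lan_net:
            raise ValueError(f"{private} is not on the LAN")
        used.add(public)
        rules.append(f"binat on {wan_if} from {private} to any -> {public}")
    return rules

if __name__ == "__main__":
    wan, spare = plan_addresses(PUBLIC_BLOCK, UPSTREAM_GW)
    print("\n".join(build_rules(wan, spare,
          {"10.0.0.10": "203.0.113.3", "10.0.0.11": "203.0.113.4"})))
```

The script produces 13 usable addresses for a /28 minus the gateway, matching the count in the original question, with 12 left for 1:1 NAT after the WAN address is taken.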