How to set up pfSense like this (routing question)
-
I currently have a Windows Server 2003 box running ISA 2005, but would like to migrate over to pfSense for a bunch of reasons. The most pressing one is that apparently ISA and VoIP aren't great mates, so my phone is rubbish.
Anyway, my setup is this:
- My external IP is xxx.89.80.82
- I have a second subnet - xxx.89.81.104/28 - this acts as my DMZ and is externally accessible on allowed ports (80, 22, etc).
- An internal range of 192.168.12.0/24, NATed as per normal.
The DMZ is routed through the above external IP. All I've done with ISA is click the "route" button and it just works. I've had a quick look at pfSense but can't see a button as simple as that! So what should I do to get this routing?
I'd also like a second internal network (say, 192.168.11.0/24) solely for my VoIP phone - I figure there's no disadvantage in doing this, but it could possibly improve call quality if there's high network traffic. I'm not particularly set on this though, so it's not a deal breaker - I just need that subnet routed so it's accessible from the Internet and LAN.
-
Your DMZ systems should set the pfSense DMZ IP address as the default gateway. (If these systems get an IP address through DHCP you can usually configure DHCP to set this up automatically through DHCP.)
You should also create a pfSense firewall rule to allow access to the internet from DMZ. (The default will block this.)
-
I'm not sure if that's correct - that would be if I wanted to NAT. I want to route - the handful of IPs on the xxx.89.81.104/28 subnet should be directly accessible from the Internet, and vice versa. They currently route through the ISA box, and am hoping pfSense can do the same.
-
I believe you can set the DMZ interface address to xxx.89.81.105 (you sure it's a /28? A /28 does not match a range starting with .104, but a /29 starting with .104 is fine) and use the rest of the usable addresses for hosts on the DMZ net. Be sure you turn off outbound NAT for the DMZ (Firewall->Nat->outbound) and turn on advanced outbound NAT, leaving the autogenerated rule for LAN in place so traffic originating from LAN gets NATed. You'll also need to add firewall rules on the DMZ interface to allow outbound traffic from the DMZ.
(All this assuming the xx.89.81.149/28 (29?) is directly routed to the WAN address of the router, otherwise it makes no sense).
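A small sanity check for the layout described in this answer, as an added example that is not from the thread or from pfSense itself: it confirms the public block sits on a valid prefix boundary (the /28 vs /29 point above), picks the first usable address for the pfSense DMZ interface, lists the remaining host addresses, checks the WAN address and the private LAN/VoIP networks do not overlap the routed block, and records which networks keep outbound NAT. The 198.51.100.x addresses are constructed stand-ins for the thread's xxx.89.* values.

```python
import ipaddress


def aligned_prefix(block):
    """Smallest prefix length (largest block) at which `block` starts on a
    valid boundary. '.104/28' is impossible (104 is not a multiple of 16),
    so this returns '.104/29' (104 is a multiple of 8)."""
    addr, plen = block.split("/")
    for p in range(int(plen), 33):
        try:
            return ipaddress.ip_network(f"{addr}/{p}", strict=True)
        except ValueError:
            continue  # host bits set at this length; try a longer prefix


def plan_routed_dmz(wan_ip, dmz_block, nat_subnets):
    """Sanity-check the routed (un-NATed) DMZ layout from the thread.

    wan_ip      pfSense WAN address that the ISP routes dmz_block to
    dmz_block   public block passed through unchanged, e.g. 'x.x.x.104/29'
    nat_subnets private networks that keep automatic outbound NAT (LAN, VoIP)
    Raises ValueError for a block on a bad boundary or for overlapping nets.
    """
    wan = ipaddress.ip_address(wan_ip)
    try:
        dmz = ipaddress.ip_network(dmz_block, strict=True)
    except ValueError:
        raise ValueError(f"{dmz_block} is not on a prefix boundary; "
                         f"nearest valid block is {aligned_prefix(dmz_block)}")
    if wan in dmz:
        raise ValueError("WAN address must not sit inside the routed block")
    nats = [ipaddress.ip_network(n, strict=True) for n in nat_subnets]
    for net in nats:
        if net.overlaps(dmz):
            raise ValueError(f"{net} overlaps the DMZ block {dmz}")
    hosts = list(dmz.hosts())
    # First usable address goes on the pfSense DMZ interface; DMZ hosts use
    # it as their default gateway (the .105 in the answer above).
    gateway = hosts[0]
    return {
        "dmz_interface": str(gateway),
        "dmz_hosts": [str(h) for h in hosts[1:]],
        "dmz_default_gateway": str(gateway),
        # Outbound NAT policy: routed block passes unchanged, RFC1918 nets NAT.
        "outbound_nat": {str(dmz): "off (routed)",
                         **{str(n): "on (automatic rule)" for n in nats}},
    }


if __name__ == "__main__":
    # Constructed sample values standing in for the thread's xxx.89.* addresses
    print(plan_routed_dmz("198.51.100.82", "198.51.100.104/29",
                          ["192.168.12.0/24", "192.168.11.0/24"]))
```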
-
Sounds like that's what I want kpa - you're probably right about it being a /29 too, was just before hometime yesterday so I did it quickly instead of checking it out properly!
Will give it a shot later on when I have a minute spare.