Routing / firewalling two class c's
-
Tried searching but not even sure what to search on…
In previous setups I've had a small subnet, like a /30, that is assigned to the outside interface. Traffic for that and any other networks are sent on that port. I can then setup OPT interfaces with those subnets and everything works great. In this case I only have two class c's. Here's how they are setup:
network 1:
5.5.5.0/24
gateway 5.5.5.1network 2:
5.5.6.0/24
gateway 5.5.6.1Both come in on a single cable but have dual gateways like that. Meaning I could plug that into a hub, connect servers to it, give it the .1 gateway and it will work. Obviously I don't want to put everything on the internet without a firewall. I want the NAT'd external ip to 5.5.5.2 and all other ips have to go through pfsense. I can have them dump the dual network like this and instead have them route traffic from both subnets to 5.5.5.0/24 (and then I'm assuming pfsense will advertise that it handles the whole 5.5.6.0/24 network so the gateway will know where to route it, unfortunately never learned about BGP routing and such). Here's the ideal setup:
outside - directly connected to cable going to isp's switch
ip: 5.5.5.2/24
gw: 5.5.5.1opt1 - connects to our "external" switch
ip: 5.5.5.3/24
gw: blank (so it should forward to 5.5.5.1 above)opt2 - connects to our "external switch
ip: 5.5.6.2/24
gw: blank (so that also forwards to 5.5.5.1)inside has inside settings
i'd then have the ISP forward both subnets to 5.5.5.0/24 network. Both outside and opt1 having the same subnet mask seems like it would clash. Or would pfsense know if it sees something like 5.5.5.10 coming in on outside and it knows that server exists on opt1 to accept the traffic and pass it along?
-
Anyone have advice yet? Here's the current setup:
WAN:
5.5.5.2/24
gw: 5.5.5.1OPT1:
bridge with WANOPT2:
5.5.6.2/24
gw: 5.5.5.1Other ip's in 5.5.5.0/24 network don't work reliably. If I restart the firewall I can ping 5.5.5.2. As soon as I restart the server it breaks again although I don't see any traffic being blocked on firewall. Which leads me to believe something gets messed up in the firewall's routing tables or something and it gets reset when I restart the firewall. the 5.5.6.0/24 network works fine.
It has to be a common configuration where you have a large block of IPs and you want the first ip to be the firewall and the rest to be filtered through the firewall. The only sollution I can think of now is to have ISP give me another /30 ip so I have a different external ip from the two class c's but there has to be a way to get it to work.