Netgate Discussion Forum

2x Routing on 1 pfSense?

General pfSense Questions
10 Posts 5 Posters 2.6k Views

filnko, last edited Oct 1, 2011, 9:09 PM

Hey there!

We are currently using a setup with Vyatta and IPCop and are evaluating switching to pfSense.

A short summary:
16 public IPs
Our IP in the provider subnet: 213...9/24
Our own subnet: 212...16/28
Our private network: 10...1/24

Vyatta currently routes between the provider subnet and our /28 subnet.
IPCop then routes between the /28 subnet and our private /24.

Is it possible to use one pfSense instead of these two appliances?
Which embedded or Atom hardware would you recommend for a 100/10 connection and a bit of VPN?

(I am already using some pfSense firewalls and am really happy with them)

Thanks in advance, Christoph

marcelloc, last edited Oct 1, 2011, 9:35 PM

If these IPs are static, it's possible.

100 Mbit needs a gigabit interface card.

I suggest a quad core CPU with 4 GB RAM and the x64 version.

It's not the minimum setup, just one that I use on a 100 Mbit link.

Elite Training (Treinamentos de Elite): http://sys-squad.com

Help a community developer! ;D

filnko, last edited Oct 2, 2011, 1:29 PM

Thanks for your answer!
Yes, all IPs are static (only pfSense as DHCP server on the private subnet).

Do you know how to configure this setup?
I have no clue where I can do this…

hec, last edited Oct 2, 2011, 2:56 PM

The question is what you want to do with your /28 network.
I use pfSense with two /29 and one /28 public networks and four /24 internal networks.
Do you have all public subnets on one interface?
I do 1:1 NAT with all public IPs. This works great and I only need to manage the pfSense and not a firewall on every host.
You need to create the 1:1 NAT rules and insert the IPs in the aliases. The last thing you have to do is create the firewall rules.
That's it.

filnko, last edited Oct 2, 2011, 7:20 PM

I think there is a misunderstanding.
The networks are one after the other.

Attached there is a network diagram showing the situation (sorry for my bad Visio skills).
We want to replace Vyatta and IPCop with a single pfSense.

[Attachment: ppoe_pfsense.jpg (network diagram)]

dhatz, last edited Oct 2, 2011, 7:52 PM

Based on your diagram, pfSense can most probably do what you need. You'll need to learn about using VIPs.

(Note: since you mention "a bit of VPN" but don't give any details, make sure you check the wiki to understand the current limitations of pfSense, such as the inability to NAT before IPsec and the lack of a PPTP proxy.)

filnko, last edited Oct 2, 2011, 8:29 PM

We are already using VIPs, so that shouldn't be a big problem.
I know how to configure pfSense as a replacement for the second router (IPCop), but where do I configure the first router when running everything on the same system?
As there is no NAT, only routing, there is no reason why VPN wouldn't work (we are using PPTP and L2TP).

marcelloc, last edited Oct 2, 2011, 9:07 PM

Configure WAN for the provider's /24, OPT1 for your /28 IPs and LAN for your internal network.

You may need to disable the bogon networks option on all interfaces to use this setup.

filnko, Nov 10, 2011, 3:58 PM (last edited Nov 10, 2011, 4:20 PM)

Ok, thanks for your answers.
Now that I know what I have to take care of, I read the appropriate chapter in the book (page 118 should be what we want).

We are now also evaluating the use of CARP.
When using CARP, is there any possibility to only have one address in the provider's /24 network?
Sadly it's not possible to get two extra addresses in this range.

podilarius, last edited Nov 11, 2011, 12:32 AM

As far as I know you must have 3: one for each physical NIC and one for the cluster that is "shared".

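A small address-planning helper for the layout discussed in this thread (the provider /24 on WAN, the routed public /28 on OPT1 with no NAT, the RFC 1918 /24 on LAN, 1:1 NAT pairs from public addresses to internal hosts as hec describes, and the "one per node plus one shared" address requirement for CARP that podilarius mentions). This is an added example, not code from the thread or from pfSense. The thread's real addresses are redacted, so it uses RFC 5737 documentation ranges as constructed stand-ins; the interface names, the function names, and the choice to reserve the first usable public address for the firewall's own OPT1 address are assumptions.

```python
import ipaddress

# Constructed sample addressing (RFC 5737 documentation ranges); the thread's
# real addresses are redacted, so these are stand-ins, not the poster's values.
PROVIDER_SUBNET = "198.51.100.0/24"   # WAN: the provider's transit /24
PUBLIC_SUBNET = "203.0.113.16/28"     # OPT1: the routed public /28
PRIVATE_SUBNET = "10.0.1.0/24"        # LAN: the internal RFC 1918 /24

# RFC 1918 ranges, checked explicitly rather than via is_private (which would
# also flag the documentation ranges used above as private).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True when the whole network lies inside an RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def plan_interfaces(wan_cidr, opt1_cidr, lan_cidr):
    """Map the three subnets onto interfaces (hypothetical helper).

    The routed public /28 needs no NAT: hosts keep their public addresses and
    only firewall rules apply. The RFC 1918 LAN needs NAT (outbound or 1:1).
    Overlapping networks are rejected up front, since the whole design relies
    on the three being distinct and routed one behind the other.
    """
    nets = [("WAN", ipaddress.ip_network(wan_cidr, strict=True)),
            ("OPT1", ipaddress.ip_network(opt1_cidr, strict=True)),
            ("LAN", ipaddress.ip_network(lan_cidr, strict=True))]
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{name_a} {a} overlaps {name_b} {b}")
    return [{"interface": name,
             "network": str(net),
             "needs_nat": is_rfc1918(net),
             "usable_hosts": net.num_addresses - 2}
            for name, net in nets]


def one_to_one_mappings(public_cidr, private_hosts, reserve_first=True):
    """Plan 1:1 NAT pairs: one spare public address per internal host.

    The first usable public address is reserved for the firewall's own
    interface address (assumption); the rest are handed out in order.
    """
    public = list(ipaddress.ip_network(public_cidr).hosts())
    if reserve_first:
        public = public[1:]
    if len(private_hosts) > len(public):
        raise ValueError("more internal hosts than spare public addresses")
    return [(str(pub), str(ipaddress.ip_address(priv)))
            for pub, priv in zip(public, private_hosts)]


def carp_addresses_needed(cluster_nodes=2):
    """CARP on a subnet needs one address per node plus one shared VIP."""
    return cluster_nodes + 1


def carp_feasible(cidr, available_addresses, cluster_nodes=2):
    """Can a CARP cluster run on this subnet with the addresses we hold?"""
    net = ipaddress.ip_network(cidr)
    needed = carp_addresses_needed(cluster_nodes)
    return available_addresses >= needed and net.num_addresses - 2 >= needed


if __name__ == "__main__":
    for entry in plan_interfaces(PROVIDER_SUBNET, PUBLIC_SUBNET, PRIVATE_SUBNET):
        print(entry)
    print(one_to_one_mappings(PUBLIC_SUBNET, ["10.0.1.10", "10.0.1.11"]))
    # With a single address in the provider /24, CARP there is not possible;
    # the /28 has room for the two node addresses plus the shared VIP.
    print(carp_feasible(PROVIDER_SUBNET, available_addresses=1))
    print(carp_feasible(PUBLIC_SUBNET, available_addresses=3))
```

Running the script prints the three interface entries (only LAN has `needs_nat` set), two 1:1 pairs starting at the second usable public address, and `False` then `True` for the two CARP checks, which matches the constraint raised at the end of the thread: a single address in the provider range is not enough for a CARP pair on that side.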
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.