Netgate Discussion Forum
DMZ/Public IP with NAT behind pfSense

8 Posts 2 Posters 1.7k Views
gsx00

I have a single WAN connection with an IP block assigned to me. This is for a multi-tenant office building with shared internet that I am managing.

Previously, I have set up LAN NAT where one WAN IP is used for general internet access, and 1:1 NATs to local addresses with PARP VIPs for users who need a dedicated public IP. I am also using pfSense for bandwidth limiting.

One of our users is requesting to use a public WAN IP directly on his host, rather than a local IP that is 1:1 NATed to a WAN IP. (They are actually requesting a subnet block of IPs, if that makes a difference.)

Is this possible to set up while keeping the other NATs in place?

The normal way I can think of to do this would be to connect that host directly to the ISP with a switch, as in a standard DMZ setup, but then it would no longer be behind pfSense and I would have no control over the bandwidth usage.

    ISP
      /     \
    pfSense    Public IP Host
      |
    NAT

The other way I can think of is to set up two pfSense boxes: a top-level one acting as a transparent firewall/bridge that only handles traffic shaping and limiting, and a second one below it for NAT purposes. I'd prefer to use a single pfSense host, as I don't have any extra hardware on hand.

    ISP
      |
    pfSense (Traffic Shaper)
      |         \
    pfSense    Public IP Host
      |
    NAT

I've tried searching for a solution, but I'm not quite sure where to look, so I haven't been very successful.

Any advice would be greatly appreciated!

Derelict LAYER 8 Netgate

What size netblock are you dealing with and what size netblock are they requesting?

Is the netblock routed to your interface address or is it your WAN subnet?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

gsx00

We have a /26 from the ISP (WAN subnet), and they need 5 IPs. I was going to give them a /29 if a subnet was required, or if not, then just assign them 5 addresses out of the /26 if they could be routed directly.

The LAN interface is currently NATed to private addresses 10.32.xx.xx.

Derelict LAYER 8 Netgate

Is your WAN interface assigned an IP out of the /26, or is it something else (like a /30) with the /26 routed to it?

Do you have a group of 8 contiguous unassigned addresses in the /26 that start on a /29 subnet boundary that could be assigned to another interface?

gsx00

My WAN IP is one of the /26 addresses.

I do have 8 contiguous addresses available, but no more Ethernet interfaces available. I could add that without much trouble.

Derelict LAYER 8 Netgate

Yeah, except it's kind of hard to break up the /26 if it's the netmask of your WAN.

If you were to create another network (VLAN or a new interface) and bridge it with WAN, you might be able to set up shaping and limiters on the bridge member.

Not sure. Never done it.

If they were to assign you a /30 and route the /26 to you, you could just make a "LAN" interface with pass-any firewall rules and no NAT, give it a /29, and say "here you go."

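Derelict's two questions above (is there a run of eight free addresses starting on a /29 boundary, and does that /29 still fall inside the WAN netmask) can be answered mechanically with Python's standard ipaddress module. This is an added example, not code from the thread; the /26 and the in-use addresses are constructed sample values in the documentation range, not the poster's real block.

```python
import ipaddress
from typing import Iterable, List


def free_aligned_blocks(wan_subnet: str, in_use: Iterable[str],
                        new_prefix: int = 29) -> List[ipaddress.IPv4Network]:
    """Return every /new_prefix block inside wan_subnet that contains no in-use address.

    subnets() enumerates aligned blocks, so each candidate starts on a /29
    boundary by construction. The WAN network and broadcast addresses are
    treated as in use: a block containing either cannot be handed out whole.
    """
    net = ipaddress.ip_network(wan_subnet, strict=True)
    used = {ipaddress.ip_address(a) for a in in_use}
    used.update({net.network_address, net.broadcast_address})
    return [block for block in net.subnets(new_prefix=new_prefix)
            if not any(addr in block for addr in used)]


def inside_wan_netmask(wan_subnet: str, block: str) -> bool:
    """True when the block lies within the WAN subnet itself.

    That is Derelict's "hard to break up" case: pfSense already treats those
    addresses as directly attached on WAN, so the block cannot simply be
    routed to a separate interface; only a routed /26 (WAN on a /30) avoids it.
    """
    return ipaddress.ip_network(block).subnet_of(ipaddress.ip_network(wan_subnet))


# Constructed sample data: ISP gateway (.1), pfSense WAN address (.2) and a
# few 1:1 NAT VIPs already handed to other tenants.
WAN = "203.0.113.0/26"
IN_USE = ["203.0.113.1", "203.0.113.2", "203.0.113.10",
          "203.0.113.20", "203.0.113.33", "203.0.113.40"]

if __name__ == "__main__":
    for blk in free_aligned_blocks(WAN, IN_USE):
        hosts = list(blk.hosts())
        print(f"free /29: {blk}  usable {hosts[0]}-{hosts[-1]}  "
              f"inside WAN netmask: {inside_wan_netmask(WAN, str(blk))}")
```

With the sample data the /29s at .24 and .48 are free, and both report as inside the WAN netmask, which is exactly why the thread ends up at bridging rather than routing.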
gsx00

I will try bridging a local interface to the WAN interface, assign them the WAN IP addresses, and see what options I have from there.

Thanks for your time!

Derelict LAYER 8 Netgate

Just know that if they mess up their addressing, they can hose you.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.