Netgate Discussion Forum
    Cisco Ip route & public IPs on LAN

    Routing and Multi WAN

    Amora

      I've been googling for some time now and the hits I keep getting are for traditional NAT with multiple VIPs doing 1:1 NAT to private IPs.

      My scenario is a bit different here.

      Background:
      We take a single public /30, and route another set of public IPs to it, and set those public IPs on the LAN side. We utilize CentOS iptables to handle filtering and routing.

      Because the lower-level staff incessantly have trouble with the command-line arguments in Linux, we were looking into solutions that have a web GUI interface... hence why I'm here.

      In any case, as said before, we take a public /30 block, then route another set of public IPs to it. The /30 is assigned to the WAN IP of the firewall and the second set of IPs is placed on the LAN. So visually it looks like this:

      ISP --> 209.2.2.1 (Cisco gateway) --> 209.2.2.2/30 (firewall WAN) --> 209.2.10.1/28 (LAN gateway)
                                                                                |-- 209.2.10.2/28 (LAN)
                                                                                |-- 209.2.10.3/28 (LAN)

      Any traffic destined for the 209.2.10.x/28 IP space is routed to the WAN interface of the firewall at 209.2.2.x/30; from there, the firewall filters that traffic, then directly forwards it to the LAN side where servers are configured with the 209.2.10.x IP space. One of the LAN interfaces on the firewall is configured as the gateway for the routed subnet (209.2.10.x/28).

      Does this setup sound familiar to anyone? And can someone point me to documentation for this configuration in pfSense? There is no NAT in this scenario; it's straight packet forwarding. This way, the servers behind the firewall can be configured with public IP space and still gain the benefits of having a firewall protecting them... and it eliminates the use of NAT.

      For CentOS the setup is easy:

      • assign the firewall a single public IP
      • route a second, larger set of public IPs to the firewall's IP
      • set CentOS up for packet forwarding
      • assign one of the second set of public IPs as the LAN gateway
      • attach a layer 2 switch to that LAN gateway interface
      • configure servers with the second public IP set and make them use the LAN gateway.
      ptt
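      The CentOS procedure above, written out as a script. This is an added example, not the poster's configuration or anything from pfSense: interface names (eth0 WAN, eth1 LAN), the two published services (443 on 209.2.10.2, 25 on 209.2.10.3) and the use of the conntrack and limit matches are assumptions. The addresses follow the diagram in the post. The point it makes that the bullet list does not: with a routed public subnet all filtering happens in the FORWARD chain, the nat table must stay empty, and because the LAN addresses are globally routable you need explicit anti-spoofing rules (a WAN packet must never claim a 209.2.10.0/28 source), which the usual MASQUERADE setup hides. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Routed public /28 behind a Linux firewall with NO NAT (added example).
# Assumed topology, following the post's addresses:
#   WAN eth0  209.2.2.2/30   (ISP / Cisco gateway 209.2.2.1)
#   LAN eth1  209.2.10.1/28  (servers 209.2.10.2-209.2.10.14 use it as gateway)
# Interface names and the two published services are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (run as root).
set -eu

WAN_IF=${WAN_IF:-eth0};  WAN_IP=209.2.2.2/30;  WAN_GW=209.2.2.1
LAN_IF=${LAN_IF:-eth1};  LAN_IP=209.2.10.1/28; LAN_NET=209.2.10.0/28
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Addressing and forwarding: the firewall is just a router between two
# public networks, so nothing rewrites source or destination addresses.
configure_addresses() {
    run ip addr add "$WAN_IP" dev "$WAN_IF"
    run ip addr add "$LAN_IP" dev "$LAN_IF"
    run ip route add default via "$WAN_GW" dev "$WAN_IF"
    run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering: drop packets whose source address would
    # not be routed back out the interface they arrived on.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Routed traffic never touches INPUT/OUTPUT; the policy lives in FORWARD.
configure_filter() {
    # No NAT at all: make sure no leftover MASQUERADE/DNAT rule survives.
    run iptables -t nat -F
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    # Stateful: replies and related traffic in either direction.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Anti-spoofing: Internet-side packets must not claim a LAN source,
    # and LAN-side packets must carry a LAN source.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    # Outbound from the servers: allow everything (tighten per policy).
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Inbound: only the services actually published, per server (assumed).
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d 209.2.10.2 -p tcp --dport 443 -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d 209.2.10.3 -p tcp --dport 25 -j ACCEPT
    # Everything else aimed at the /28 is logged (rate-limited) and then hits the DROP policy.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" -m limit --limit 10/min -j LOG --log-prefix "FWD-DROP "
}

main() {
    configure_addresses
    configure_filter
}

main
```

      Servers on the LAN keep their public addresses and point their default route at 209.2.10.1; the upstream Cisco's static route for 209.2.10.0/28 via 209.2.2.2 is what delivers the traffic to the firewall in the first place. On pfSense the same idea is the "disable NAT" configuration ptt links below: outbound NAT off, and the equivalent of the FORWARD rules written as WAN and LAN interface rules.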

        Start here  ;)

        https://doc.pfsense.org/index.php/Main_Page

        https://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F#Disable_NAT

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.