Netgate Discussion Forum

    PfSense in front of two VLANs, one public, one private

    mmccurdy

      (I'm posting this in the "NAT" forum, though I'm not entirely sure that's appropriate…  absolutely no offense taken if mods want to move this)

      We have a cabinet in a datacenter where we have a /27 IP allocation and several boxes that need to be accessible via their currently-assigned public IP. We also have a handful of boxes that do not necessarily need public IPs. For various reasons I'm trying to move everything behind our newly-installed pfSense box.

      So far, I've successfully set up a VLAN that I'm happy with for the private IPs, with access to each other, the internet, etc.

      However, I'm struggling with providing "pass-through" (plus pfSense firewall filtering goodness) access to the block of public machines.  I've tried various combinations of IP aliases, 1:1 NAT mapping, etc. but I could never get to the point where I could access the internet (or even ping the gateway) from a machine with a statically-assigned public IP behind the pfSense box.

      There's an awful lot of apparently old/outdated info out there from my various forum/Google searches... Can someone let me know what my approach should be here?

      I'm looking for the "right" solution, so if that means picking up another box or sprouting another physical interface, please do let me know that as well!

      Thanks in advance!

      Derelict (Netgate)

        Can the datacenter provider assign a /30 for your WAN interface and route the /27 to it?  That'd be a lot cleaner.

        Otherwise: from the pfSense book (I hope it's okay to cut and paste small excerpts):

        Single IP subnet
        With a single public IP subnet, one of the public IPs will be on the upstream router, commonly belonging to your ISP, with one of the IPs assigned as the WAN IP on pfSense. The remaining IPs can be used with either NAT, bridging or a combination of the two. To use them with NAT, add Proxy ARP, IP alias or CARP Virtual IPs. To assign public IPs directly to hosts behind your firewall, you will need a dedicated interface for those hosts that is bridged to WAN. When used with bridging, the hosts with the public IPs directly assigned must use the same default gateway as the WAN of the firewall, the upstream ISP router. This will create difficulties if the hosts with public IPs need to initiate connections to hosts behind other interfaces of your firewall, since the ISP gateway will not route traffic for your internal subnets back to your firewall.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

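The book excerpt's caveat (bridged public hosts must use the ISP router as gateway, which has no route back to the private VLAN) and the routed /30 + /27 alternative can be checked with a small forwarding simulation. This is an added example, not code from the thread, the pfSense book or Netgate; all addresses are constructed RFC 5737 / RFC 1918 stand-ins for the poster's real blocks, and the route tables are simplified models of each design.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins (RFC 5737 / RFC 1918), not the poster's real addresses.
PUBLIC_27 = ip_network("203.0.113.0/27")   # the /27 of public hosts
PRIVATE = ip_network("10.10.10.0/24")      # the private VLAN behind pfSense
WAN_30 = ip_network("198.51.100.0/30")     # transfer net for the routed design

# A router is a list of (prefix, next_hop). next_hop is another router name,
# "connected" (destination is on a local interface) or "upstream" (ISP core).
BRIDGED = {  # single subnet: public hosts bridged to WAN, gateway = ISP router
    "isp_router": [(str(PUBLIC_27), "connected"), ("0.0.0.0/0", "upstream")],
    "pfsense": [(str(PUBLIC_27), "connected"), (str(PRIVATE), "connected"),
                ("0.0.0.0/0", "isp_router")],
}
ROUTED = {  # ISP routes the /27 to pfSense's WAN address on the /30
    "isp_router": [(str(WAN_30), "connected"), (str(PUBLIC_27), "pfsense"),
                   ("0.0.0.0/0", "upstream")],
    "pfsense": [(str(WAN_30), "connected"), (str(PUBLIC_27), "connected"),
                (str(PRIVATE), "connected"), ("0.0.0.0/0", "isp_router")],
}

def lookup(routes, dst):
    """Longest-prefix match over one router's table; None if no route."""
    best = None
    for prefix, next_hop in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def outcome(topology, gateway, dst):
    """Follow the hops from a host's default gateway toward 'dst'.

    Returns "connected" (delivered on-site), "upstream" (left the site via
    the ISP core, so a private destination is lost) or "no-route".
    """
    dst = ip_address(dst)
    hop = gateway
    for _ in range(8):  # loop guard for circular tables
        if hop in ("connected", "upstream") or hop is None:
            return hop or "no-route"
        hop = lookup(topology[hop], dst)
    return "no-route"

if __name__ == "__main__":
    # Public host -> private VLAN: the bridged design hands it to the ISP core.
    print(outcome(BRIDGED, "isp_router", "10.10.10.5"))   # upstream
    print(outcome(ROUTED, "pfsense", "10.10.10.5"))       # connected
    # Internet -> public host is delivered in both designs.
    print(outcome(ROUTED, "isp_router", "203.0.113.10"))  # connected
```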
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.