NAT and DMZ with an IP subnet
-
Hi
We are trying to migrate from our Ubuntu-12.04-based firewall/gateway to a pfSense based one. We have basically the setup shown in the attachment.
I anonymised the IP addresses, so only the last digits are correct.
Our ISP has a gateway to the internet, the IP is 1.2.3.62. We can use the IP subnet 1.2.3.0/27 (1.2.3.0-1.2.3.31). These are public IPs.
At the moment we connect to the ISP on the first network interface and don't set an IP on this interface, just the default gateway (1.2.3.62). On the second interface we have a LAN with private IP addresses, so our gateway/router has the IP 192.168.0.1 on this interface and offers IP addresses via DHCP to all connected clients and NATs the connections.
On the third interface the gateway is connected to a DMZ, where about two dozens of servers are connected. They all have public IPs from the 1.2.3.0/27 range. The gateway itself also has three public IPs from this range on this port. It uses proxy-arp.We now want to migrate to pfSense using a similar setup. No 1:1 NAT, because I don't have access to all servers and they are using the public IPs.
I have tried to configure the same, so no IP address on the WAN-interface (just a default gateway) and NATing over one of the three public IP adresses on the DMZ interface. But this seems to be not possible with pfSense/OpenBSD… But I can't set public IP addresses to the WAN interface, because pfSense complains, that this interferes with the Proxy-ARP setting (1.2.3.0/27) for the DMZ interface. I also can't split the network into two /28 networks.
Do you have an idea how to get this setup running?
-
The proper way to do it is to get your ISP to give you a /30 for your WAN and ROUTE the /27 to your WAN address there. You would then just assign the /27 to an inside interface, put your servers there, and be done.
To do what you want you will need to bridge two interfaces and place your servers on one bridge member and your WAN on another.
https://doc.pfsense.org/index.php/Interface_Bridges
-
Your current set up uses a Linux specific hack that is not supported on FreeBSD and therefor not on pfSense either.