Best practices for /29 subnets?



  • Right now the test Linux LAMP servers I've set up for each of the /29 IPs are working fine.

    But I'd like to put pfSense in front of them. I don't trust those servers' own built-in firewalls; it is like being naked to the internet, so I'd like to use pfSense to manage the traffic and monitor what goes in/out of those machines.

    Therefore I'm trying to find out what is more efficient, or if it's even possible.

    Can I set up one pfSense firewall to manage the traffic for the whole /29 block of IP addresses?
    or
    Does each of the IP addresses need its own pfSense firewall to manage what goes in and out?

    I recall reading people suggest using 1 real IP to 1 virtual IP NAT to get this to work. Is that correct?

    So, I should do something like:

    123.123.123.001 <---> 10.10.10.1 Server 1
    123.123.123.002 <---> 10.10.10.2 Server 2
    123.123.123.003 <---> 10.10.10.3 Server 3
    123.123.123.004 <---> 10.10.10.4 Server 4
    123.123.123.005 <---> 10.10.10.5 Server 5
    123.123.123.006 <---> 192.168.1.1 <--> NAT for LAN / WiFi

    then let pfSense do its thing?

    Will that setup work?


  • LAYER 8 Global Moderator

    Do you have only 1 /29 or multiple /29s?

    Is the /29 routed to you, or do you just have some IPs included in the /29 the ISP gave you?

    If it's just a /29 the ISP gave you and not routed to you, then sure, you can use the IPs on the pfSense WAN and port forward the traffic you want on each of those IPs to a machine behind pfSense.

    Or another option, which I'm not really a fan of, is turning pfSense into just a transparent bridge firewall; then all your devices have their /29 IP on them, but you can still firewall on pfSense.

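The single-firewall, one-public-IP-to-one-private-IP layout sketched in the question, as an added example that is not code from any poster in this thread: it checks the /29 arithmetic (8 addresses, 6 usable, none of them the firewall's own WAN address) and renders the matching pf rules, default-deny on WAN with only the web ports passed. The interface name `em0`, the choice of .6 as the pfSense WAN address and the documentation-style addresses are assumptions.

```python
import ipaddress

# Constructed values (not the thread's real network): the /29 and the
# public -> private mapping the question sketches. Interface name and the
# choice of .6 as the pfSense WAN address are assumptions.
WAN_IF = "em0"
BLOCK = ipaddress.ip_network("123.123.123.0/29")
PFSENSE_WAN = ipaddress.ip_address("123.123.123.6")  # also the LAN's outbound NAT address
MAPPING = {  # one web server per public IP
    "123.123.123.1": "10.10.10.1",
    "123.123.123.2": "10.10.10.2",
    "123.123.123.3": "10.10.10.3",
    "123.123.123.4": "10.10.10.4",
    "123.123.123.5": "10.10.10.5",
}
WEB_PORTS = (80, 443)


def usable_hosts(block):
    """Host addresses of the block: a /29 has 8 addresses, 6 usable."""
    return [str(h) for h in block.hosts()]


def validate_mapping(block, pfsense_wan, mapping):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors = []
    hosts = set(usable_hosts(block))
    seen = set()
    for pub, priv in mapping.items():
        if pub not in hosts:
            errors.append(f"{pub} is network/broadcast or outside {block}")
        if pub == str(pfsense_wan):
            errors.append(f"{pub} is the firewall's own WAN address")
        if priv in seen:
            errors.append(f"{priv} is mapped to more than one public IP")
        seen.add(priv)
    return errors


def render_pf_rules(wan_if, mapping, ports):
    """pf.conf lines: default deny on WAN, 1:1 binat, then pass only web ports.
    pf translates before filtering, so the pass rules name the private IPs."""
    rules = [f"block in log on {wan_if} all"]
    for pub, priv in mapping.items():
        rules.append(f"binat on {wan_if} from {priv} to any -> {pub}")
    port_list = ", ".join(str(p) for p in ports)
    for priv in mapping.values():
        rules.append(f"pass in on {wan_if} proto tcp from any to {priv} "
                     f"port {{ {port_list} }} keep state")
    return rules


if __name__ == "__main__":
    problems = validate_mapping(BLOCK, PFSENSE_WAN, MAPPING)
    print("\n".join(problems or render_pf_rules(WAN_IF, MAPPING, WEB_PORTS)))
```

Because pf applies translation before filtering, the pass rules are written against the 10.10.10.x addresses; a rule naming the public address would never match.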


  • @johnpoz:

    Do you have only 1 /29 or multiple /29s?

    Only one block of /29.
    I use it for a testing and learning home lab.

    @johnpoz:

    Is the /29 routed to you, or do you just have some IPs included in the /29 the ISP gave you?

    I believe it's routed to me, as the static IP of the modem is very different from the /29 subnet IPs that are accessible directly from the internet.

    @johnpoz:

    If it's just a /29 the ISP gave you and not routed to you, then sure, you can use the IPs on the pfSense WAN and port forward the traffic you want on each of those IPs to a machine behind pfSense.

    Sounds like you are suggesting using pfSense for PPPoE?

    @johnpoz:

    Or another option, which I'm not really a fan of, is turning pfSense into just a transparent bridge firewall; then all your devices have their /29 IP on them, but you can still firewall on pfSense.

    This sounds too messy; part of the reason why I want to use pfSense is for a clear-cut firewall, to quickly find and troubleshoot connection or rule issues.


  • LAYER 8 Global Moderator

    You believe it's routed? If it was routed to you, you would have a transit network that you use to get to it.

    If it's routed to you, then just put your /29 on an interface of pfSense and connect that to your network, where pfSense would have 1 of the IPs in the /29 and your machines on that network would have the others.



  • @johnpoz:

    You believe it's routed? If it was routed to you, you would have a transit network that you use to get to it.

    If it's routed to you, then just put your /29 on an interface of pfSense and connect that to your network, where pfSense would have 1 of the IPs in the /29 and your machines on that network would have the others.

    That is already done at the modem level.

    The modem connects to the ISP with PPPoE and gets an address of 70.111.111.111 (something like that).
    If I leave it as NAT, I see that address when I do an external IP check,

    but if I disable NAT and manually set my block of /29, then the modem also becomes a gateway when I change the configuration to use 196.111.111.41/29 (255.255.255.248), and DHCP will automatically assign the remaining IPs from .42 to .46 to the test machines I've set up;
    on each machine, if I do an external IP check, it will return the proper address from the /29, and not the modem's IP.

    This is why I was a bit troubled trying to figure out where pfSense can fit in, to have each of the IPs behind pfSense.

    Originally I had pfSense set up as the gateway, sort of what you described, with pfSense doing the PPPoE and the modem in bridge mode, but that's not quite what I was trying to accomplish.

    That's why I reverted it to have the modem doing the gateway task, and have pfSense as a straight firewall layer.

    So, I guess for this to work the way I'm trying to get it to work, I'll probably have to end up setting up a pfSense server for each of the IPs .42 to .46 and then have the web servers behind each of the pfSense machines, something like:

    internet <---> modem 70.111.111.111 PPPoE / gateway 196.111.111.41 <---> DHCP <--->
        pfSense 196.111.111.42 <---> Web Server
        pfSense 196.111.111.43 <---> Web Server
        pfSense 196.111.111.44 <---> Web Server
        pfSense 196.111.111.45 <---> Web Server
        pfSense 196.111.111.46 <---> LAN



  • I know this other method should probably work as well:

    internet <---> modem (bridged) <---> pfSense 70.111.111.111 PPPoE / gateway 196.111.111.41 <---> DHCP <--->
        196.111.111.42 <---> Server
        196.111.111.43 <---> Server
        196.111.111.44 <---> Server
        196.111.111.45 <---> Server
        196.111.111.46 <---> LAN

    but when trying to manage the rules, the table becomes quite messy, especially when you start to add forwarding and load balancing rules, and the rules for the LAN traffic, etc.

    That is pretty much why I decided to revert back to a more simplistic 1:1 setup, to make redirection rules easier to manage and to have everything in plain sight, not having to worry about accidentally messing up the rules for the other machine, or mixing up the forwarding rules for the LAN, or scrolling through pages and pages of similar rules which are required for load balancing (2 WAN); multiply that by 6 or more IPs and it becomes like a book of rules to manage :P

