PfSense as a firewall with routables IP behind it

  • I was wondering if it was possible to use pfSense as a gateway firewall having behind it routable IP, let's say for example a whole routable C class and if there was anything special to do to obtain this result ? If it is possible, would I be able to monitor the in/out traffic for each IP, to be abke to see how much instant, daily and m onthly bandwidth each IP uses ?

    It would be great to use pfSense as a gateway in a datacenter for example ;)

    [GW IP]–-[pfSense]–---[Routable IP 1]
                                    |–-[Routable IP 2]

  • Bridging would work for this.  pfSense supports this now.

  • Thanks.
    I could not find specific documentation about bridging with pfSense, could you tell me if there is somewhere please ?

    Hopefully I could analize bandwidth and close/open ports on the network wih pfSense.

    I would use a Pentium 4 @ 2GHz with 1GB RAM for that purpose, with a 100Mbits internet connection and 2 entire C classes routables IPs behind pfSense.

    I'd like to set it up with software RAID 1, but I absoutely don't know how to do that with FreeBSD, but I guess it can be done during the installation, as for Debian systems which I know better (pfSense would replace a Debian gateway with home-built web firewalling configuration + MRTG.

    Do you think it would well fullfill that purpose ? I used to thnik about using IPcop for that but it really isn't fit for something like that.

    Edit : Ok found that to work on :

  • There have been some discussions about setting up software RAID under pfSense.  Software RAID isn't officially supported on pfSense, although if you're willing to do a little work, it works fine.  Check out the mailing list for a discussion of how to get software RAID working on pfSense.

  • Ok sounds good.

    I wonder if I could setup pfSense with 2*100Mbps lines meaning double WAN, with routables IP using either one or the other transparently, making theme able of a traffic of 200Mbps.

  • The bridge supports spanning tree protocol so it most likely will disable one of the links. Maybe pfSense 1.1 will support adapterteaming but that's pure speculation atm and the loadbalancer only works when routing/natting and it would only work for connections that are opened from behind your pfSense. You can't influence incoming connections at your wans with that.

  • Ok, thanks.

    I'll try a temporary configuration with an unused routable C class to test all this before using it for real. Maybe when I'll be ready for that, the 1.0 final will be out  ;D

Log in to reply