pfSense as router for public subnet



  • We want to replace our main firewall/router with a pfSense box.

    Our current firewall/router is set up with a WAN IP from the ISP, for example 213.167.104.47.
    The LAN is our public subnet, for example 213.167.186.1; behind the router we can use 213.167.186.1 to 213.167.186.254.

    In the router we have rules in the "Pass through" section, for example:

    Incoming: accept any to 213.167.186.50 with service 80,443 : traffic shaping 20 Mbit
    Outgoing: accept 213.167.186.50 to any with service any : traffic shaping 20 Mbit

    What is the best way to be able to do this with a pfSense box?


  • LAYER 8 Global Moderator

    So you have a routed network, i.e. your 213.167.104.47 is your transit network.  Just create your new segment behind it using 213.167.186.0/24 and firewall away.  This segment would not be NATed.  On your WAN you would just create rules that allow traffic to this segment or to the hosts in this segment that you want to allow, etc.

    And sure, you could traffic-shape that traffic if you wanted to.



  • Thank you, then I was headed in the correct direction.
    If I am right, I do not have to use LAN rules, and outbound NAT can be disabled?


  • LAYER 8 Global Moderator

    Well, you would have to use "LAN" rules on that interface for traffic you want machines on this segment to create.  If there are no rules on the interface this segment is connected to, then they would not even be able to query pfSense for DNS, etc., and would not be able to create any outbound connections; they would only be allowed to answer stuff that was allowed in to them.

    No, you would not want/need outbound NAT, since their IPs are public and this public segment is routed to your WAN pfSense IP via the transit network.
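
    The two replies above describe four things: pass rules on the WAN for the services the public hosts serve, pass rules on the public segment's own interface for what those hosts may originate, no outbound NAT for that segment, and an optional shaper queue. The following pf.conf fragment is an added example (not from the thread, and not what pfSense itself writes to /tmp/rules.debug) showing those four pieces together, using the addresses from the question. The interface names em0/em1, the 100 Mbit link speed and the choice of HFSC queues are assumptions; on pfSense you would enter the equivalent in the GUI (Firewall > Rules on WAN and on the OPT interface, Firewall > NAT > Outbound set to hybrid or manual, Firewall > Traffic Shaper).

```pf
# Added example, not the thread's own configuration.
# Macros: interface names and link speed are assumptions, addresses are from the thread.
ext_if  = "em0"               # WAN, 213.167.104.47 assigned by the ISP (transit network)
pub_if  = "em1"               # routed public segment, pfSense holds 213.167.186.1/24 here
pub_net = "213.167.186.0/24"
web_srv = "213.167.186.50"

# Options
set skip on lo0

# Queueing: a 20 Mbit HFSC queue on each interface so the web host is capped in
# both directions. FreeBSD pf lets a queue be bound to an interface with "on".
altq on $ext_if hfsc bandwidth 100Mb queue { qDefault, qWeb }
queue qDefault on $ext_if bandwidth 80Mb hfsc(default)
queue qWeb     on $ext_if bandwidth 20Mb hfsc(upperlimit 20Mb)
altq on $pub_if hfsc bandwidth 100Mb queue { qDefault, qWeb }
queue qDefault on $pub_if bandwidth 80Mb hfsc(default)
queue qWeb     on $pub_if bandwidth 20Mb hfsc(upperlimit 20Mb)

# Translation: none for the public segment. Its addresses are routable and the
# ISP sends 213.167.186.0/24 to the WAN address, so the hosts leave with their
# own source IPs. The exemption only matters if other (private) segments on the
# same box still get "nat on $ext_if" rules.
no nat on $ext_if from $pub_net to any

# Filtering: default deny, logged. Because nothing is NATed, this block rule and
# the explicit pass rules below are the only thing standing in front of the hosts.
block log all

# WAN side: only the services the public host is meant to serve, shaped.
pass in quick on $ext_if proto tcp from any to $web_srv port { 80 443 } \
    keep state queue qWeb

# Public segment side (the "LAN" rules from the reply above): without these the
# hosts can answer allowed connections but cannot originate anything, not even
# DNS to pfSense itself.
pass in quick on $pub_if proto { tcp udp } from $pub_net to ($pub_if) port 53 keep state
pass in quick on $pub_if from $web_srv to any keep state queue qWeb
```

    Two checks before relying on this: first, the ISP must actually route 213.167.186.0/24 to 213.167.104.47 (a traceroute from outside to 213.167.186.50 should show the WAN address as the last hop before the server); second, after switching outbound NAT away from automatic mode, confirm with a packet capture on the WAN that packets from .186.50 leave with their own source address and not 213.167.104.47. The shaper here uses an ALTQ upper limit; pfSense also offers dummynet limiters for per-host caps, which some people find simpler for the "20 Mbit each way" case in the question.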



  • @marcvb:

    … i do not have to use lan rules ...

    As johnpoz already mentioned: it depends on what the hosts on your public subnet are supposed to do.
    A mail server surely would need outgoing rules if you want to send mail, some Windows servers would like to contact update servers quite frequently, …



  • @jahonix:

    @marcvb:

    … i do not have to use lan rules ...

    As johnpoz already mentioned: it depends on what the hosts on your public subnet are supposed to do.
    A mail server surely would need outgoing rules if you want to send mail, some Windows servers would like to contact update servers quite frequently, …

    Thank you both, I understand it now.
    My virtual demo servers and pfSense are working; I installed a Speedtest Mini within IIS, and traffic shaping is also working.

    This is much better than our GTA firewall (www.gta.com).

