Inbound policy routing



  • Hi all,

    I've been using pfsense for a couple of years now and I'm in the process of converting the second-last firewall to pfsense. And finally I've come to a grinding halt and I'm not sure how to fix the issue I'm facing right now. For the sake of privacy I've changed the IP addresses below.

    A client of mine is currently using an aging zywall 1050 and it's a no-brainer this appliance should be replaced, so I offered pfsense. This client has a strange network. On the outside there are 2 IP ranges, a /32 and a totally different /29. The /29 is being broadcast to the /32. So in numbers it's something like: 10.0.0.1-10.0.0.8 are being broadcast to 192.168.0.1. On the inside there are a couple of vlans.

    Now in the zywall there is some policy based routing going on, like 10.0.0.1:x being routed to 172.16.1.1 and 10.0.0.2:12 being routed to 172.16.2.1, while 10.0.0.2:34 is being routed to 172.16.2.2.
    To make matters worse there is also some nat going on. Luckily this is only on the 192.168.0.1 IP.

    I've been looking around in pfsense and nowhere can I find a clue how to set this up to perform a quick replacement without messing up the entire network. This customer has around 50 servers and over 1000 workstations. Internet traffic is quite low, but IP ranges are flying all over the place in different subnets and different vlans.

    In the example above 172.16.1.1 will be in vlan 1, 172.16.2.1 in vlan 2 and guess where 172.16.37.1 will be??

    Main question here is:
    How do I perform inbound policy routing without performing any form of nat for the 10.0.0.1/29 range and at the same time perform nat on the 192.168.0.1/32 IP?

    Oh yeah… before I forget, there's even a public IP on a vlan interface behind a natted interface in the zywall... (10.0.0.7 alias on vlan 26 with IP 172.16.26.7)

    Any help in the proper direction will be highly appreciated. Currently installed version: 2.3.3-RELEASE.


  • Rebel Alliance Global Moderator

    "a /32 and a totally different /29. The /29 is being broadcast to the /32. "

    Huh..  So you're saying this /29 is routed via a transit that is using a /32 address?  Are those public IPs that you changed to be rfc1918 to hide?

    A /29 only gives you 6 IPs to work with.. So not sure how you come up with 10.0.0.1-8 - that is more than a /29 right there..



    I changed the IPs on purpose. I know the /29 gives 6 to work with, the .1 being the network and .8 being the broadcast, 6 left for performing duty.

    The /32 is 80.100.x.96
    The /29 is 80.127.x.96

    So when my client were to host a website on 80.127.x.97, then traffic will be routed through 80.100.x.96.

    Problem here is that the client currently is performing nat on the /32 and performing routing on the /29. And not just standard routing, but depending on the port number it can route to different servers.


  • Rebel Alliance Global Moderator

    " but depending on the port number it can route to different servers."

    That sounds like simple port forwarding to me, with your /29 just being vips on the wan.

    No, .1 would not be the network; in your example .0 is the network and .7 would be broadcast..

    In your case with .96/29 that would be the wire or network .97 would be the first host address and .103 would be the broadcast leaving you .97 to .102 to use as host address.  Then sure something going to .97:xyz could be forwarded to 192.168.0.10 or anything behind the router.  While .97:abc could go to 192.168.1.100 on a completely different network behind the router.



    Uhm, but forwarding comes at the bonus of NAT, right? And that's something we don't want to have here. The target IPs can be load balancers. And there is also a sip pbx involved that doesn't like nat.

    So are you sure that the port forward under the menu Firewall > NAT is not going to mess up anything?

    We've tried to rebuild the current setup in a small way and found that nat will surely kill the pbx. Well… not kill the pbx, but voip traffic comes to a grinding halt in like 1 second.

    So for the /29 range there can be no NAT at all.


  • Rebel Alliance Global Moderator

    How are you not doing nat.. When you say you have
    "This customer has around 50 servers and over 1000 workstations."

    And only a /29 to work with???

    edit:  You can have public IPs behind that are also routed - do you have more than this /29 to work with that is public?  If so then it would just be firewall rules to allow port xyz into the box behind the firewall.

    edit:  So for example see attached.

    You have this 80.x.x.x public network as vips on your wan.  From those you nat and do port forwarding..  If you have another public segment that is routed to you, then you can just put that behind pfsense and then just firewall what you want to allow into that network on whatever ports to whatever IPs in this public segment, the 24.13.0/28 in my example drawing.

    You could then port forward IPs out of the 80 that is sitting on your wan interface to different devices and networks behind pfsense, i.e. the 192.168.0 and .1 networks in my example.




  • Hi, I've studied your stencil but I don't think it's anything close to what I need.

    Did you notice the 80.100.x.96 and 80.127.x.96? The network with 127 is the /29 and is being broadcast to the 100.

    On some public IPs there is inbound policy routing, on other public IPs there is nat, and on yet other public IPs there's both nat and policy routing.

    I've created a visio stencil but I'm unable to attach it to this post, so let me try to write it out.

    The firewall has a prio 1 rule that states to forward all packets to host 10.1.10.60 on vlan 10 when the original destination port is 5060 or between 10001 and 20000. Host 10.1.10.60 is a loadbalancer that allows packets destined for other IPs to come in. This loadbalancer forwards the packets to either 10.1.10.51 or 10.1.10.52. At this point we've reached either one of the pbx's and still no nat has been applied. Both the pbx's only accept packets destined for 80.127.x.98. When either one of the pbx's sends data back to the original sender, it sends a packet with the source IP 80.127.x.98 directly back to the firewall and not through the loadbalancer. Now the firewall sees a source IP 80.127.x.98 coming from vlan 10 instead of from the wan and now it routes the packet to the outside world. The magic of the internet will take care of the rest.

    Now there is a computer, sip phone or whatever connected to vlan 10. An example device has IP 10.1.10.101 and tries to talk to the outside world. The firewall sees a source IP 10.1.10.101 coming in from the vlan and performs outbound nat, so the source IP will become 80.127.x.98. When some device somewhere around the globe replies to this packet, it is going to send data back to 80.127.x.98; the firewall sees the packet is not destined for 5060 or between the range 10001 and 20000, so it performs nat and sends the packet to 10.1.10.101.

    So 80.127.x.98 needs to forward packets on one occasion and needs to nat packets on the other occasion.

    This vlan 10 story is one of the easiest. On vlan 18 there is a lot more crazy stuff going on and I've created a visio stencil for this. But I just don't get how to upload an image here so I can show it.

    The zyxel device this client currently has can do this without any problem. I've got to admit I think it's a really strange setup, but that's an entirely different story. Point being, it's working right now and the client is willing to switch to pfsense since it saves a lot of money over a new zyxel device.
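
    As an added illustration of the vlan 10 split described in the post above (this is not the original poster's configuration and not a ruleset generated by the pfSense GUI), the following hand-written pf.conf fragment shows how pf expresses port-based policy routing with no address rewrite next to outbound NAT on the same public address. Interface names, the "X" placeholder octet, and the assumption that 80.127.X.98 is a routed address not assigned to any pfSense interface (only the /32 lives on WAN) are assumptions, not facts from the thread.

    ```pf
    # Added example, not the original poster's configuration. Interface names are
    # assumed; "X" in the public addresses is a placeholder for the hidden octet.
    ext_if    = "em0"              # WAN, carries the /32 (80.100.X.96)
    vlan10    = "em1.10"           # VLAN 10, 10.1.10.0/24
    sip_pub   = "80.127.X.98"      # address from the routed /29, not a local VIP
    lb        = "10.1.10.60"       # load balancer in front of the two PBXs
    sip_ports = "{ 5060, 10001:20000 }"

    # --- Translation (pf evaluates these before the filter rules) ---
    # Outbound NAT for ordinary vlan 10 hosts, e.g. 10.1.10.101 -> 80.127.X.98.
    # Replies to those sessions match the NAT state and are translated back to
    # the private host; no inbound rule has to name 10.1.10.101 at all.
    nat on $ext_if from 10.1.10.0/24 to any -> $sip_pub

    # --- Filter rules ---
    block log all

    # Policy routing, not port forwarding: the destination stays 80.127.X.98 and
    # the packet is handed to the load balancer as next hop on VLAN 10. pf only
    # applies route-to to packets travelling in the rule's direction; the replies
    # are routed normally, so nothing is sent back into the load balancer.
    pass in quick on $ext_if route-to ($vlan10 $lb) proto { tcp, udp } \
        from any to $sip_pub port $sip_ports keep state

    # The PBXs answer with source 80.127.X.98 straight to the firewall, bypassing
    # the load balancer (asymmetric path). With floating states this usually
    # matches the state created above; this explicit rule covers the case where
    # it does not. It is deliberately narrow: only that one public source, only
    # SIP/RTP protocols, so it does not become a general spoofing allowance.
    pass in quick on $vlan10 proto { tcp, udp } from $sip_pub to any keep state

    # Ordinary vlan 10 clients out to the internet (rewritten by the nat rule).
    pass in quick on $vlan10 from 10.1.10.0/24 to any keep state

    # Outbound on every interface, including the VLAN 10 leg taken by route-to.
    pass out quick keep state
    ```

    Inbound packets to 80.127.X.98 on any other port are only accepted when they match an existing NAT state, which is exactly the "forward on one occasion, nat on the other" behaviour the post asks for.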


  • Rebel Alliance Global Moderator

    Dude, 80.100 is not a network, it's a /32 or a host address..  As you stated.  It could be used as a transit - or sure you could nat to it..  WTF is broadcasted - that term does not apply to routing or natting..

    What networks do you have to work with other than that /29.. If all you have is 6 public IP addresses then you have to be natting!!!  if you have 50 some servers and 1000 workstations.

    All your other addresses you mention are rfc1918 - ie they don't work on the internet.  To talk on the internet it has to be natted to a public IP.. like your 80.100..  10.x.x.x, 192.168, 172.16-31 are rfc1918 and do not work on the internet.

    As to not being able to attach a visio - prob not, take a screenshot of your drawing like I did.  What I was attempting to show is you can have natted networks along with public networks behind pfsense.  Where the public is not natted to anything..  If you want help - post up your config from the router you're trying to change to pfsense.  There is clearly a disconnect here on what is going on.



    Problem here is that I do not just need public IPs behind the firewall.

    For IP 1.2.3.4 there needs to be forwarding based on port 1, but there needs to be natting based on port 2.

    So just forwarding all packets destined for IP 1.2.3.4 is not going to work, because I'm missing out on nat then for this very same IP.

    PS: Tried to take a screenshot, but even this cannot be pasted into a reply.