Public IP's behind pfSense

  • Hi,

    I'm thinking about using pfSense for my firewall.

    I have 2 public subnets routed through a /30 subnet like this:

    • ISP subnet:
    • WAN#1 subnet:
    • WAN#3 subnet:

    3com 4500 Switch
          Servers (with ip addresses in the WAN#1 and WAN#2 subnets)

    The link between pfSense and the switch (LAN interface of pfSense) is a trunk of vlan 1,100,200.

    Interfaces of pfSense:

    WAN -
    LAN -
    VLAN100 on LAN -
    VLAN200 on LAN -

    My guess is, that with outbound NAT disabled, I should have no problems with this setup?

    Is this the "correct" way of setting up a pfSense without the use of NAT?



  • The only thing I see is that you shouldn't mix tagged and untagged VLAN traffic on the same interface.
    You could add another physical interface or move the LAN to a VLAN.

    kind of
    LAN:   VLAN90 - private subnet
    OPT1: VLAN100 - public subnet #1
    OPT2: VLAN200 - public subnet #2

    But other than that: yes it looks valid.
    You might want to leave a single rule under advanced outbound NAT that NATs the LAN subnet to the WAN IP.
    Or if you don't need it, just leave the LAN out and have it like this:

    LAN:   VLAN100 - public subnet #1
    OPT1: VLAN200 - public subnet #2
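
    The following is an added example, not code from the thread, that checks an addressing plan against the two points made in the reply above: tagged and untagged traffic should not share one parent NIC, and with routed public subnets the only outbound NAT needed is one rule hiding the private LAN behind the WAP IP. The NIC names em0/em1, the VLAN 90 tag for the private LAN and the RFC 5737 documentation addresses are constructed stand-ins for the poster's real subnets, and the `nat on ...` line is plain pf.conf syntax for what the single advanced outbound NAT rule does, not the exact text pfSense writes.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple

# RFC 1918 space is the only thing that has to hide behind the WAN address.
# (Do not use ipaddress's is_private here: it also flags the RFC 5737
# documentation ranges used below as stand-ins for public space.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Iface:
    name: str              # pfSense interface label (WAN, LAN, OPT1, ...)
    parent: str            # physical NIC; em0/em1 are assumed names
    vlan: Optional[int]    # 802.1Q tag, None means untagged
    cidr: str              # pfSense's own address on that subnet

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network

    @property
    def address(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def needs_nat(self) -> bool:
        return any(self.network.subnet_of(r) for r in RFC1918)


# Constructed addresses: RFC 5737 ranges stand in for the real public subnets.
ISP_GATEWAY = "203.0.113.1"

# The poster's layout: untagged LAN plus tagged VLAN100/200 on the same NIC.
ORIGINAL_PLAN = [
    Iface("WAN", "em0", None, "203.0.113.2/30"),
    Iface("LAN", "em1", None, "10.0.90.1/24"),
    Iface("VLAN100", "em1", 100, "198.51.100.1/24"),
    Iface("VLAN200", "em1", 200, "192.0.2.1/24"),
]

# The reply's layout: every inside subnet on its own tagged VLAN.
SUGGESTED_PLAN = [
    Iface("WAN", "em0", None, "203.0.113.2/30"),
    Iface("LAN", "em1", 90, "10.0.90.1/24"),
    Iface("OPT1", "em1", 100, "198.51.100.1/24"),
    Iface("OPT2", "em1", 200, "192.0.2.1/24"),
]


def check_plan(plan: List[Iface], isp_gateway: str) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    findings = []
    gw = ipaddress.ip_address(isp_gateway)
    wan = next(i for i in plan if i.name == "WAN")

    # The transit link is a /30: the ISP gateway must be its other usable host.
    if wan.network.prefixlen != 30 or gw not in set(wan.network.hosts()) - {wan.address}:
        findings.append(f"WAN {wan.cidr}: {gw} is not the other host of the /30")

    # The ISP routes the public subnets to the WAN address, so none may overlap.
    for a, b in combinations(plan, 2):
        if a.network.overlaps(b.network):
            findings.append(f"{a.name} {a.network} overlaps {b.name} {b.network}")

    # Tagged and untagged traffic should not share one parent NIC.
    by_parent = {}
    for i in plan:
        by_parent.setdefault(i.parent, []).append(i)
    for parent, members in by_parent.items():
        untagged = [i.name for i in members if i.vlan is None]
        tagged = sorted(i.vlan for i in members if i.vlan is not None)
        if untagged and tagged:
            findings.append(f"{parent}: untagged {untagged} mixed with tagged VLANs {tagged}; "
                            "move the untagged subnet to its own VLAN or NIC")
    return findings


def outbound_nat_rules(plan: List[Iface]) -> List[str]:
    """The only outbound NAT needed: RFC 1918 subnets hidden behind the WAN IP.
    Routed public subnets get no rule at all; pf simply forwards them."""
    wan = next(i for i in plan if i.name == "WAN")
    return [f"nat on {wan.parent} from {i.network} to any -> {wan.address}"
            for i in plan if i.name != "WAN" and i.needs_nat]


def isp_routes(plan: List[Iface]) -> List[Tuple[str, str]]:
    """Static routes the ISP must carry: each public subnet via the WAN address."""
    wan = next(i for i in plan if i.name == "WAN")
    return [(str(i.network), str(wan.address))
            for i in plan if i.name != "WAN" and not i.needs_nat]


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("suggested", SUGGESTED_PLAN)):
        print(f"== {label} plan ==")
        for f in check_plan(plan, ISP_GATEWAY) or ["ok"]:
            print("  ", f)
        for r in outbound_nat_rules(plan):
            print("   NAT:", r)
        for net, via in isp_routes(plan):
            print(f"   ISP route: {net} via {via}")
```

    Run as-is it flags the original plan only for the mixed tagged/untagged em1, passes the suggested plan, and prints a single NAT rule for the 10.0.90.0/24 LAN; the two public subnets appear only as routes the ISP must point at the WAN address. Drop the LAN entry entirely and the NAT list is empty, which is the second layout in the reply.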

  • Thank you very much for the reply.

    The trunk between the pfSense box and the switch will tag frames on VLAN 100 and VLAN 200. VLAN 1 remains untagged and I don't plan on using the LAN interface on the internet. Maybe I'll set up a VPN so I can manage the pfSense box from anywhere. PPTP seems to be the solution if I just want my Mac to connect to it?



  • Well, "LAN" is just a name for an interface.
    Just assign one of the VLANs to LAN and the other VLAN to OPT1.
    Like this you don't have a private subnet at all, since you don't need it.

    Yes for managing it a VPN solution would be good.
    However, I'd rather go with OpenVPN than with PPTP.
    (I'm just a fan of OpenVPN ;) )

