Public IP's behind pfSense



  • Hi,

    I'm thinking about using pfSense for my firewall.

    I have 2 public subnets routed through a /30 subnet like this:

    • ISP subnet: 1.1.1.204/30
    • WAN#1 subnet: 2.2.2.48/28
    • WAN#3 subnet: 3.3.3.0/27

    ISP
              |
          pfSense
              |
    3com 4500 Switch
              |
          Servers (with ip addresses in the WAN#1 and WAN#2 subnets)

    The link between pfSense and the switch (LAN interface of pfSense) is a trunk of vlan 1,100,200.

    Interfaces of pfSense:

    WAN - 1.1.1.206/30
    LAN - 192.168.1.1/24
    VLAN100 on LAN - 2.2.2.49/28
    VLAN200 on LAN - 3.3.3.1/27

    My guess is that with outbound NAT disabled I should have no problems with this setup?

    Is this the "correct" way of setting up a pfSense without the use of NAT?

    TIA

    /Jacob



  • The only thing I see is you shouldn't mix tagged and untagged VLAN traffic on the same interface.
    You could add another physical interface or move the LAN to a VLAN.

    kind of
    LAN:   VLAN90 - private subnet
    OPT1: VLAN100 - public subnet #1
    OPT2: VLAN200 - public subnet #2

    But other than that: yes it looks valid.
    You might want to leave under advanced outbound NAT a single rule to NAT the LAN subnet to the WAN IP.
    Or if you don't need it just leave the LAN away and have it like this:

    LAN:   VLAN100 - public subnet #1
    OPT1: VLAN200 - public subnet #2



  • Thank you very much for the reply.

    The trunk between the pfSense box and the switch will tag frames on VLAN 100 and VLAN 200. VLAN 1 remains untagged and I don't plan on using the LAN interface on the internet. Maybe I'll set up a VPN so I can manage the pfSense box from anywhere. PPTP seems to be the solution if I just want my Mac to connect to it?

    TIA

    /Jacob



  • Well "LAN" is just a name for an interface.
    Just assign the LAN one of the VLANs and the other VLAN to the OPT1.
    Like this you don't have a private subnet at all since you don't need it.

    Yes for managing it a VPN solution would be good.
    However I'd rather go with OpenVPN than with PPTP.
    (I'm just a fan of OpenVPN ;) )
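An added sanity check for the addressing plan discussed in this thread (my own example, not code from the thread or from pfSense): it confirms that every interface address is a usable host in its subnet, that no two interfaces own overlapping subnets, and which subnets would still need an outbound NAT rule to the WAN address once automatic outbound NAT is disabled. The addresses are the ones posted above; the interface names in the second plan follow the last reply.

```python
import ipaddress

# Constructed plans (interface name -> address with prefix), using the addresses from the thread.
ORIGINAL_PLAN = {
    "WAN": "1.1.1.206/30",      # ISP /30
    "LAN": "192.168.1.1/24",    # private, untagged
    "VLAN100": "2.2.2.49/28",   # public subnet #1
    "VLAN200": "3.3.3.1/27",    # public subnet #2
}
# The layout suggested in the last reply: no private LAN at all.
FINAL_PLAN = {
    "WAN": "1.1.1.206/30",
    "LAN": "2.2.2.49/28",       # VLAN 100
    "OPT1": "3.3.3.1/27",       # VLAN 200
}


def check_plan(plan):
    """Return the problems found in an addressing plan; an empty list means it is consistent."""
    problems = []
    seen = {}
    for name, addr in plan.items():
        iface = ipaddress.ip_interface(addr)
        net = iface.network
        # The interface IP must be a usable host address (hosts() excludes network and broadcast).
        if iface.ip not in list(net.hosts()):
            problems.append(f"{name}: {iface.ip} is not a usable host address in {net}")
        # Two interfaces must not own overlapping subnets, or pfSense cannot route between them.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        seen[name] = net
    return problems


def needs_outbound_nat(plan):
    """Return the non-WAN interfaces whose subnets are private (RFC 1918 etc.), i.e. the only
    ones that still need a manual outbound NAT rule to the WAN IP with automatic NAT disabled."""
    return [name for name, addr in plan.items()
            if name != "WAN" and ipaddress.ip_interface(addr).network.is_private]


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("final", FINAL_PLAN)):
        print(label, "problems:", check_plan(plan) or "none")
        print(label, "interfaces needing outbound NAT:", needs_outbound_nat(plan) or "none")
```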

