Public IPs behind pfSense
-
Hi,
I'm thinking about using pfSense for my firewall.
I have 2 public subnets routed through a /30 subnet like this:
- ISP subnet: 1.1.1.204/30
- WAN#1 subnet: 2.2.2.48/28
- WAN#2 subnet: 3.3.3.0/27
ISP
|
pfSense
|
3com 4500 Switch
|
Servers (with IP addresses in the WAN#1 and WAN#2 subnets)
The link between pfSense and the switch (LAN interface of pfSense) is a trunk of VLAN 1, 100, 200.
Interfaces of pfSense:
WAN - 1.1.1.206/30
LAN - 192.168.1.1/24
VLAN100 on LAN - 2.2.2.49/28
VLAN200 on LAN - 3.3.3.1/27
My guess is that with outbound NAT disabled, I should have no problems with this setup?
Is this the "correct" way of setting up a pfSense without the use of NAT?
TIA
/Jacob
-
The only thing I see is you shouldn't mix tagged and untagged VLAN traffic on the same interface.
You could add another physical interface or move the LAN to a VLAN. Kind of like this:
LAN: VLAN90 - private subnet
OPT1: VLAN100 - public subnet #1
OPT2: VLAN200 - public subnet #2
But other than that: yes, it looks valid.
You might want to leave under advanced outbound NAT a single rule to NAT the LAN subnet to the WAN IP.
Or if you don't need it, just leave the LAN away and have it like this:
LAN: VLAN100 - public subnet #1
OPT1: VLAN200 - public subnet #2
-
Thank you very much for the reply.
The trunk between the pfSense box and the switch will tag frames on VLAN 100 and VLAN 200. VLAN 1 remains untagged and I don't plan on using the LAN interface on the internet. Maybe I'll set up a VPN so I can manage the pfSense box from anywhere. PPTP seems to be the solution if I just want my Mac to connect to it?
TIA
/Jacob
-
Well, "LAN" is just a name for an interface.
Just assign the LAN one of the VLANs and the other VLAN to the OPT1.
Like this you don't have a private subnet at all, since you don't need it.
Yes, for managing it a VPN solution would be good.
However, I'd rather go with OpenVPN than with PPTP.
(I'm just a fan of OpenVPN ;) )
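The two replies above boil down to a small addressing plan: pfSense's WAN address in the ISP /30, each routed public subnet on its own tagged VLAN, an optional private VLAN that is the only segment needing an outbound NAT rule, and nothing untagged sharing the trunk NIC. The script below is an added example, not code from the thread or from pfSense; it checks such a plan with Python's `ipaddress` module and derives what the ISP must route and what the single NAT rule would cover. The NIC names `em0`/`em1`, the ISP gateway `1.1.1.205` and the VLAN 90 private segment are assumptions taken from the replies, not facts stated by the original poster.

```python
"""Sanity-check a routed (no-NAT) pfSense addressing plan.

Constructed example: the subnets mirror the thread's placeholder addresses.
pfSense's own generated ruleset is not reproduced here; this only checks the plan.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Iface:
    name: str             # pfSense interface name (WAN, LAN, OPT1, ...)
    parent: str           # physical NIC the interface rides on (em0/em1 are assumed names)
    vlan: Optional[int]   # 802.1Q tag, or None for untagged
    addr: str             # pfSense's own address on that segment, in CIDR form


# Layout from the reply: private LAN and both public subnets all tagged on the
# trunk NIC (em1), WAN untagged on its own NIC (em0).
PLAN = [
    Iface("WAN",  "em0", None, "1.1.1.206/30"),
    Iface("LAN",  "em1", 90,   "192.168.1.1/24"),
    Iface("OPT1", "em1", 100,  "2.2.2.49/28"),
    Iface("OPT2", "em1", 200,  "3.3.3.1/27"),
]
ISP_GATEWAY = "1.1.1.205"   # assumed: the ISP side of the /30


def _ifaces(plan):
    return {i.name: ipaddress.ip_interface(i.addr) for i in plan}


def check_plan(plan, isp_gateway, wan_name="WAN"):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ifs = _ifaces(plan)

    # The ISP gateway must sit inside the WAN /30, otherwise the default route is unreachable.
    if ipaddress.ip_address(isp_gateway) not in ifs[wan_name].network:
        problems.append(f"ISP gateway {isp_gateway} is not inside {ifs[wan_name].network}")

    # Interface addresses must be host addresses, not the network or broadcast address.
    for name, i in ifs.items():
        if i.ip in (i.network.network_address, i.network.broadcast_address):
            problems.append(f"{name}: {i.ip} is the network or broadcast address of {i.network}")

    # Subnets attached to different interfaces must not overlap.
    for a, b in itertools.combinations(ifs, 2):
        if ifs[a].network.overlaps(ifs[b].network):
            problems.append(f"{a} ({ifs[a].network}) overlaps {b} ({ifs[b].network})")

    # The reply's warning: do not mix tagged and untagged interfaces on one NIC.
    by_parent = {}
    for i in plan:
        by_parent.setdefault(i.parent, set()).add(i.vlan is None)
    for parent, flags in by_parent.items():
        if flags == {True, False}:
            problems.append(f"{parent}: mixes untagged and tagged interfaces")

    return problems


def isp_routes(plan, wan_name="WAN"):
    """Static routes the ISP must carry for a no-NAT design: every public
    subnet behind pfSense is reached via pfSense's WAN address."""
    ifs = _ifaces(plan)
    next_hop = str(ifs[wan_name].ip)
    return {str(i.network): next_hop
            for name, i in ifs.items()
            if name != wan_name and not i.network.is_private}


def outbound_nat_rules(plan, wan_name="WAN"):
    """The single outbound NAT rule the reply suggests keeping: private
    segments translated to the WAN address. Routed public subnets get none."""
    ifs = _ifaces(plan)
    wan_ip = str(ifs[wan_name].ip)
    return [(str(i.network), wan_ip)
            for name, i in ifs.items()
            if name != wan_name and i.network.is_private]


if __name__ == "__main__":
    print("problems:", check_plan(PLAN, ISP_GATEWAY))
    print("ISP must route:", isp_routes(PLAN))
    print("outbound NAT:", outbound_nat_rules(PLAN))
```

Feeding the original poster's layout (untagged LAN plus VLAN 100 and 200 on the same NIC) into `check_plan` reproduces the reply's objection as a single reported problem; the corrected layout above reports none, and `isp_routes` makes explicit that the design only works if the ISP points both public subnets at 1.1.1.206.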