Unique Situation
-
Thank you all for your time, I have a bit of a challenge and I thought I would reach out to the community for some suggestions. I will include a map of my situation, but here it goes.
My ISP provides me with 2 IP blocks for sake of security are:
Block 1 – 208.138.170.208/29
Block 2 -- 208.198.243.0/24The current hardware configuration is as follows:
ISP -> Cisco Catalyst 3550 Switch (Block 1) <- rip -> newly placed pfSense Firewall (Block 2)
Detail about this setup:
-
Cisco Catalyst 3550 Switch with Block 1 addresses
-
IP Routing Enabled and Forwarding IP is set to 208.138.170.209
-
-
RIP enabled and to 208.198.243.0
-
RIP incoming: both versions
-
RIP outgoing: RIP v1
-
-
208.198.243.0 is routed to pfSense
-
NAT for 208.198.243.0 to DMZ and DMZ2
-
-
a description of the pfSense hardware would be useful as would an idea of how the 3550 is configured. (Your image, btw, is HUGE, I can't view much more than a few characters of it at a time)
I think you should be able to replace the switch with the pfSense box and get rid of the internal RIP (is that from your ISP?).
-
Your image, btw, is HUGE
No Lie! :o
 -
you probably have a static wan address that has 2 blocks routed to it ?
why have 2 routers at all?you could just add both the /29 & the /24 on the same device ….. why add the complexity of forwarding one block to a secondary router ?
-
@chpalmer, thank you for resizing that for me, I did not realize the image was that large!
@heper, from what my ISP told me, they provide access through the /29 and sold us a /24 block, all traffic goes through /29 and the Cisco switch that my predecessor put in was to forward all traffic from the /29 to the /24. So my true gateway would be 208.138.170.209, and the /24 has all my web and email services on that network.
@spoggle the pfsense hardware is the equivalent to Netgate's XG-1541 1U with an additional 4 port gig nic. 1 nic is WAN for /24 network, and the other nics are subnetted for the various networks I have. DMZ & DMZ2 have a 1:1 NAT to the /24 addresses.
-
So your /24 is routed through the 29.. To which IP in the 29 or you have to provide routing protocol to them to tell them what IP to hit in the /29 to get to the /24?
-
@johnpoz with the current setup that was put in place,
My Cisco Switch has IP routing turned on and 208.138.170.209 (/29) is the default route forwarding IP and its destination is the /24 through RIP
-
so basically you could just setup pfsense with wan 208.138.170.209 (/29) & just put the /24 as VIPs (with NAT) or use the /24 on 1 or more interfaces (without NAT)
-
Yeah really not seeing the point of the 2 routers here.
-
I would like to thank you all for your advice and it was great advice.
I was able to achieve my goal and remove the Cisco switch. @heper's suggestion, I put the /29 network as the WAN address and since I already had the /24 as VIPs, everything worked like a charm. Thank you for guiding me! Tomorrow morning, I am heading to my satellite office and putting in another pfsense box with a ipsec site to site vpn. I can now have uniformity between my 2 offices (already got that working in my test lab! :) ).
Thank you all for your help!
