Unique Situation

esi.curban

Thank you all for your time, I have a bit of a challenge and I thought I would reach out to the community for some suggestions.  I will include a map of my situation, but here it goes.

My ISP provides me with 2 IP blocks for sake of security are:

Block 1 – 208.138.170.208/29
Block 2 -- 208.198.243.0/24

The current hardware configuration is as follows:

ISP -> Cisco Catalyst 3550 Switch (Block 1) <- rip -> newly placed pfSense Firewall (Block 2)

Detail about this setup:

• Cisco Catalyst 3550 Switch with Block 1 addresses

• IP Routing Enabled and Forwarding IP is set to 208.138.170.209

• • RIP enabled and to 208.198.243.0

  • RIP incoming: both versions

  • RIP outgoing: RIP v1

• 208.198.243.0 is routed to pfSense

• NAT for 208.198.243.0 to DMZ and DMZ2



spoggle

a description of the pfSense hardware would be useful as would an idea of how the 3550 is configured. (Your image, btw, is HUGE, I can't view much more than a few characters of it at a time)

I think you should be able to replace the switch with the pfSense box and get rid of the internal RIP (is that from your ISP?).

chpalmer

Your image, btw, is HUGE

No Lie!  :o


heper

you probably have a static wan  address that has 2 blocks routed to it ?
why have 2 routers at all?

you could just add both the /29 & the /24 on the same device ….. why add the complexity of forwarding one block to a secondary router ?

esi.curban

@chpalmer, thank you for resizing that for me, I did not realize the image was that large!

@heper, from what my ISP told me, they provide access through the /29 and sold us a /24 block, all traffic goes through /29 and the Cisco switch that my predecessor put in was to forward all traffic from the /29 to the /24.  So my true gateway would be 208.138.170.209, and the /24 has all my web and email services on that network.

@spoggle the pfsense hardware is the equivalent to Netgate's XG-1541 1U with an additional 4 port gig nic. 1 nic is WAN for /24 network, and the other nics are subnetted for the various networks I have.  DMZ & DMZ2 have a 1:1 NAT to the /24 addresses.

johnpoz

So your /24 is routed through the 29.. To which IP in the 29 or you have to provide routing protocol to them to tell them what IP to hit in the /29 to get to the /24?

esi.curban

@johnpoz with the current setup that was put in place,

My Cisco Switch has IP routing turned on and 208.138.170.209 (/29) is the default route forwarding IP and its destination is the /24 through RIP

heper

so basically you could just setup pfsense with wan 208.138.170.209 (/29) & just put the /24 as VIPs  (with NAT) or use the /24 on 1 or more interfaces (without NAT)

johnpoz

Yeah really not seeing the point of the 2 routers here.

esi.curban

@everyone

I would like to thank you all for your advice and it was great advice.

I was able to achieve my goal and remove the Cisco switch. @heper's suggestion, I put the /29 network as the WAN address and since I already had the /24 as VIPs, everything worked like a charm.  Thank you for guiding me!  Tomorrow morning, I am heading to my satellite office and putting in another pfsense box with a ipsec site to site vpn. I can now have uniformity between my 2 offices (already got that working in my test lab!  :) ).

Thank you all for your help!