Routed Public IP Block



  • Hi All,

    I can see from a bit of research that a lot of people deal with public IP blocks using either bridged mode, virtual IPs, or NAT.

    I'm looking at virtualising a Cisco ASA where we're running in a routed mode. My upstream provides me with a /29 from their own allocation, and then routes my /24 of PI to that. On my ASA I have a WAN interface with the IP from the /29, and then a LAN interface with the /24 on it. Firewall rules then control what goes from where to where. The default route on the ASA is back out to the /29 gateway.

    Within my virtualised setup I then intend to map the WAN network interface through into the pfSense and the DMZ back out into a vSwitch. I'll have a separate LAN for local traffic between machines.

    So how do I go about setting this up? I've used bridge mode in the past with ADSL providers where they presented a public IP from the block on the modem/router's ethernet ports, and I've then bridged that through to the DMZ on the pfSense. Would I just configure things in a similar way here: /29 IP on the WAN and /24 IP on the DMZ?

    Thanks in advance!


  • Netgate

    On my ASA I have a WAN interface with the ip from the /29, and then a LAN interface with the /24 on it. Firewall rules then control what goes from where to where.

    Do exactly the same thing. On the ASA you would simply not enable NAT. On pfSense you would want to disable NAT for that network by going into Firewall > NAT, Outbound, enabling Hybrid mode, and creating a NO NAT rule using your routed /24 as the source network.

    Then you just pass the desired traffic on WAN to the inside /24 addresses.

    The people doing bridging, etc., are generally people trying to get interface addresses (like those in your /29) onto hosts "behind" pfSense. All unnecessary with a properly routed subnet.
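    The behaviour described in this answer, modelled as an added example (not pfSense code or anything from the thread): hybrid outbound NAT with a No NAT rule for the routed /24 ahead of the automatic LAN rule, first-match like pf, plus a WAN pass rule and a check for a No NAT rule shadowed by an earlier translating rule. Addresses are constructed RFC 5737 / RFC 1918 samples.

```python
import ipaddress

# Constructed sample addressing (documentation ranges, not the poster's real blocks):
# provider /29 on WAN, PI /24 routed to the WAN address, private LAN that must still be NATed.
WAN_ADDR = ipaddress.ip_address("198.51.100.2")        # pfSense WAN address from the provider /29
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # routed /24 on the DMZ interface
LAN_BLOCK = ipaddress.ip_network("10.0.0.0/24")        # local LAN behind a third interface

# Hybrid outbound NAT: manual rules (the No NAT rule) are evaluated before the automatic rules.
# Each rule is (source network, translate_to); translate_to=None means "No NAT".
OUTBOUND_NAT_RULES = [
    (ROUTED_BLOCK, None),       # manual No NAT rule for the routed /24
    (LAN_BLOCK, WAN_ADDR),      # automatic rule: LAN sources leave with the WAN address
]

# WAN pass rules as (destination network, protocol, port); everything else is dropped.
WAN_PASS_RULES = [
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),
]


def outbound_source(src: str) -> str:
    """Source address seen upstream for a host sending out via WAN; first matching rule wins."""
    s = ipaddress.ip_address(src)
    for net, translate_to in OUTBOUND_NAT_RULES:
        if s in net:
            return src if translate_to is None else str(translate_to)
    return src  # no rule matched: the packet leaves untranslated


def wan_allows(dst: str, proto: str, port: int) -> bool:
    """True if an inbound WAN packet to an address in the routed /24 is passed by the WAN rules."""
    d = ipaddress.ip_address(dst)
    return any(d in net and proto == p and port == prt for net, p, prt in WAN_PASS_RULES)


def shadowed_no_nat(rules):
    """Return the networks of No NAT rules that an earlier translating rule would match first.

    A shadowed No NAT rule means the routed /24 still gets translated to the WAN address,
    so replies come back to the /29 instead of the /24 host: the rule order matters."""
    shadowed = []
    for i, (net, translate_to) in enumerate(rules):
        if translate_to is None:
            for earlier_net, earlier_translate in rules[:i]:
                if earlier_translate is not None and net.subnet_of(earlier_net):
                    shadowed.append(net)
                    break
    return shadowed
```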



  • Fantastic, thanks!