Leased Line - Wires Only - Routing



  • Hi All :)

    I have a site where they have ordered a "Wires Only" leased line, meaning the ISP does not supply a managed router.

    I am thinking of using a pfSense Router as the router.

    They have advised the following:

    WAN Connection Details
    WAN IP Address : 85.x.x.209
    Gateway : 85.x.x.208
    VLAN 4094

    LAN IP Details
    Network Address : 106.x.x.16
    Broadcast Address : 106.x.x.31
    Subnet Mask : 255.255.255.240
    Router IP Address (Default Gateway) : 106.x.x.17
    Available IP Range : 106.x.x.18 to 106.x.x.30

    How would I configure this on a dedicated pfSense Box, so I could then connect the devices to the LAN of the pfSense, programmed with Static IPs within the "Available IP Range" with no Firewall rules.

    Sure this is simple, can anyone point me in the right direction here ?

    Thanks ☺


  • Rebel Alliance Moderator

    so I could then connect the devices to the LAN of the pfSense, programmed with Static IPs within the "Available IP Range" with no Firewall rules.

    So just to check: you want to plug the LAN port into a switch, connect other HW boxes to it with e.g. 106.x.x.23 configured and it should just work? Without any firewalling, just simple pass through of all packages from WAN<->LAN?



  • @JeGr Yes - exactly this :)


  • Rebel Alliance Moderator

    Easy.

    • Set up VLAN 4094 on the interface you'll plug WAN into.
    • Switch/configure WAN to <physical interface>:4094
    • configure static IP as per your connection details
    • set up LAN as per your LAN details with pfSense getting .17
    • enter NAT settings, go to Tab outbound
    • switch to manual mode
    • remove all NAT entries besides the 127.0.0.x ones so you have NO NAT rules besides the localhost ones.
    • enter Firewall rules
    • create a WAN rule "block from any to firewall address port any" rule so no access to your firewall from the outside internet is possible
    • create a WAN "pass any to LAN net" rule to allow anything else
    • check LAN that "pass any to any" (default) is still there.
    • if you want to manage pfSense via a special third interface you should use that as "lan" and setup the third interface as "DMZ" or "SRV" and create a block firewall address and pass anything else rule there.

    -> Now you have no NATting from LAN to WAN and pass traffic from WAN->LAN and LAN->WAN without blocking anything. So you're routing only. I'd advise to go the extra mile and add a third interface and use a dedicated interface to manage your pfSense so as not to allow traffic to the webUI from WAN or your "server network".
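    The rule ordering in the steps above is what keeps pfSense itself unreachable while every public LAN host stays reachable, and it is easy to get the two WAN rules the wrong way round. The following is an added example, not code from the thread or from pfSense: a small first-match model of the WAN/LAN policy (pfSense evaluates rules per interface tab, first match wins, with an implicit deny at the end) plus a check of the usable host range. The addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the ISP's 85.x.x.x / 106.x.x.x values, and "This Firewall" is modelled as the set of both pfSense interface addresses.

```python
"""First-match model of the routing-only pfSense policy from the thread.

Added example; the addresses are constructed placeholders (RFC 5737
documentation ranges), not the ISP-supplied 85.x.x.x / 106.x.x.x values.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the values in the first post.
WAN_ADDR = ipaddress.ip_address("203.0.113.209")      # pfSense WAN address (.209)
WAN_GW = ipaddress.ip_address("203.0.113.208")        # ISP gateway (.208)
LAN_NET = ipaddress.ip_network("198.51.100.16/28")    # mask 255.255.255.240
LAN_ADDR = ipaddress.ip_address("198.51.100.17")      # pfSense LAN address (.17)

# "This Firewall": every address pfSense itself answers on.
FIREWALL_ADDRS = {WAN_ADDR, LAN_ADDR}


@dataclass
class Rule:
    iface: str      # interface tab the rule lives on: "WAN" or "LAN"
    action: str     # "block" or "pass"
    dst: object     # ipaddress network, the string "self", or "any"

    def matches(self, iface, dst_ip):
        if iface != self.iface:
            return False
        if self.dst == "any":
            return True
        if self.dst == "self":
            return dst_ip in FIREWALL_ADDRS
        return dst_ip in self.dst


# Rules in the order the moderator lists them.
RULESET = [
    Rule("WAN", "block", "self"),   # no access to the firewall from the internet
    Rule("WAN", "pass", LAN_NET),   # anything else destined for the LAN net
    Rule("LAN", "pass", "any"),     # stock "Default allow LAN to any"
]


def evaluate(iface, dst, rules=RULESET):
    """Return the action pfSense would take for a packet arriving on `iface`
    with destination `dst`: first matching rule wins, otherwise implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(iface, dst_ip):
            return rule.action
    return "block"


def available_hosts(net=LAN_NET, gateway=LAN_ADDR):
    """Usable addresses for LAN devices: all hosts in the /28 minus the
    address pfSense takes as default gateway (.18 to .30, thirteen in total)."""
    return [str(host) for host in net.hosts() if host != gateway]


def swapped_ruleset():
    """The same WAN rules with the block and pass entries reversed, to show
    why the block-to-firewall rule has to come first."""
    return [RULESET[1], RULESET[0], RULESET[2]]


if __name__ == "__main__":
    for iface, dst in [("WAN", "198.51.100.23"), ("WAN", "198.51.100.17"),
                       ("WAN", "203.0.113.209"), ("LAN", "192.0.2.10")]:
        print(f"{iface:>3} -> {dst:<16} {evaluate(iface, dst)}")
    print("usable LAN hosts:", available_hosts())
    print("with rules swapped, WAN -> .17:", evaluate("WAN", "198.51.100.17", swapped_ruleset()))
```

With the rules in the listed order a packet from the internet to a LAN host (.23) passes, a packet to either pfSense address (.17 or .209) is blocked, and a packet to an address outside the /28 falls through to the implicit deny; with the two WAN rules swapped, the "pass any to LAN net" entry matches .17 first and exposes the firewall's LAN address, which is the mistake the ordering in the steps above avoids.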

