Class C network must be tunneled to the gateway, best solution?



  • I have two LANs locally: a private one, and a guest LAN.
    My ISP provides me with a single, DHCP based IP address that keeps changing.
    All traffic to and from the guest LAN is supposed to use NAT and go directly to the internet over the ISP's net.

    All machines on the private LAN however have publicly routed IP addresses out of a directly assigned class C network (24 bit netmask).
    The gateway to that network, because the ISP refuses to do the routing, is at a colocation service, and currently all traffic from the private LAN is encapsulated into a VPN and goes to the colocation service, where it's unpacked and put on the public internet.

    This all works, albeit not as fast and not as reliable as I'd like, and of course the ZyWalls used for the purpose have certain limitations, hence I look at pfSense.

    Besides certain modules like FreeSwitch, the main thing I'm trying to get out of migrating (hopefully soon) to pfSense is more reliability and more speed, particularly for things like downloads.

    For that I'd like to do two things:
    a) consider GRE instead of a VPN to link my private LAN with the gateway at the colocation service, but I wonder if that's possible, because of course the GRE link, from the POV of the private LAN, should become the default route, but it's not clear how to set this up, given that it says the GRE routing entry must be more specific than the gateway route it uses. The other thing I wonder is if regular ISPs likely will let GRE pass, or if that's something that's commonly filtered out.
    b) preferably, I'd like to have certain types of outgoing traffic use NAT and go directly to the ISP. There is e.g. no need to browse random web sites with our class-C IP addresses and do the detour to the colocation service, something that's mostly relevant for incoming traffic and services, such as http, smtp, imap, pop, dns, etc., not for end user web access and downloads.

    Is what I imagine here a realistically achievable goal using pfSense?  Comments, feedback welcome!

