Single IP WAN with 2 public IP subnets
I'm just looking for some advice. We are replacing an old SonicWALL 2040 with the latest pfSense and trying to determine the best route to go with the interfaces and firewall setup. There are 4 interfaces in the server: em0, em1, em2, and em3. Oddly enough em2 and em3 are the integrated dual NICs while em0 and em1 are the PCI-e dual nic expansion card.
In the current SonicWALL setup, we have an assigned /29 for the router itself, let's call it 22.214.171.124/29 with two other subnets on LAN ports of 126.96.36.199/26 and 188.8.131.52/27. We set up the SonicWALL many moons ago and with the help of SonicWALL support. It uses NAT with two custom NAT policies for each of the latter two subnets and WAN->LAN rules setup for allowing traffic to all the hosts. All hosts on the two LAN interfaces use static IP address that are translated as themselves outgoing.
Reading the pfSense docs and given our ISP setup, I plan to follow the "Small WAN IP Subnet with Larger LAN IP Subnet" section with "Routing Public IP Addresses" under mostly WAN rules to allow traffice to the many static IP addresses on the two LAN subnets assinged to OPT1 and OPT2 interfaces. We do not use any DHCP. Does this sound like the correct set up to follow for our situation?
This post is deleted!
The subnets you have given there are all public. I assume those are examples only but are they actually public subnets?
You are following the guide for routing public IPs which implies they are public but youj also mention the Sonicwall is NATing to/from those subnets which implies they are private.
I think we need more details of how you access the internal hosts, by public IP directly or via port forwards?
Yes, they are all public and yes, that was the difficult thing about the SonicWALL. When I set that up many years ago, it required their support because of the special NATting needed for my two public subnets. I had to use their wizard when setting up any new host access. We are a hosting provider with all the subnets provided by the data center.
I have to say, what a breeze and pleasure it was to replace that SonicWALL with pfSense, should have done long ago. I put in place this past weekend and with a few minor tweaks, worked great. I just simply had to set no NAT for Outbound and make my few rules. Now I can granularly control the subnets with ease, set up IDS, more, more....thanks!
Ah, glad to hear it.