How to use a second external ip block



  • We previously had a /28 network that we filled up kinda quick.  Got a second /24 network and I'm trying to get it to work through the firewall.

    For demonstration, the two networks are 1.1.1.0/28 and 2.2.2.0/24.

    Here is our current setup. Two T1's are multiplexed into a Cisco 26xx (exact number is not important).  The Cisco has IPs 1.1.1.1 and 2.2.2.1 (first usable IP in each block).  A crossover cable goes from the Cisco straight into the first port on the firewall (bge0 - WAN).  It's assigned a static IP 1.1.1.2/28.  The LAN (fxp0) interface has a static IP 10.0.0.1/24. A third interface (OPT1 - fxp1) is set up to bridge WAN. It is plugged into a switch.  I then plug DMZ'd servers into that switch, give them external IPs in the 1.1.1.0/28 block with the gateway set to 1.1.1.2 (the IP of the firewall).  This allows me to still filter traffic going to the servers and has worked well.

    First thing I tried was creating a fourth interface and giving it a static IP of 2.2.2.2.  I tried both without a gateway (the "proper" way) and with a gateway of either 2.2.2.1 or 1.1.1.1 or even 1.1.1.2.  None seemed to work, assuming because it was trying to contact the gateway on that fourth interface when the gateway is actually on the first interface.  During this setup a machine plugged into the switch this fourth interface was on couldn't ping anything, not even 2.2.2.2.

    Second thing I tried was the walkthrough at http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf, but I think that's meant for LAN, so even though I adjusted things to point to the WAN interface it still didn't work.

    We still have a Cisco PIX at a remote location with 5 completely different subnets and it works just fine.  I studied that config to see if I could translate that to pfSense and didn't have any luck.



  • This would be easier if you just used the IPs from the second block as Virtual IPs. Is there a compelling reason you need public IPs on the DMZ machines?



  • @dotdash:

    This would be easier if you just used the IPs from the second block as Virtual IPs. Is there a compelling reason you need public IPs on the DMZ machines?

    (apologies on late reply)

    Some of the servers get confused with virtual IPs.  TrixBox (Asterisk PBX software) can have problems because of how SIP works.  Also, mainly to make things "simpler": I ssh to the same IP that's the public IP and it works without having to remember two IPs or set up custom DNS aliases and stuff. I was able to just create a second DMZ interface and got it to work that way.
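    The two outcomes described in this thread (the unbridged fourth interface failing, the second bridged DMZ interface working) come down to whether the interface that the route to 2.2.2.1 points out of sits in the same broadcast domain as the Cisco. The following added example is not from the thread or from pfSense; it is a small model of the connected-route lookup plus the ARP reachability condition, using the thread's addresses. The interface name fxp2 for the extra port, and putting 2.2.2.2/24 on that port, are assumptions.

```python
import ipaddress

# Constructed from the thread: the Cisco holds 1.1.1.1 and 2.2.2.1 on the
# wire that lands on bge0 (WAN). The name fxp2 for the fourth / second DMZ
# port is an assumption; the thread does not name that interface.
ROUTER_WIRE = {"bge0": {"1.1.1.1", "2.2.2.1"}}

def egress_interface(interfaces, dest):
    """Longest-prefix match over directly connected subnets, as the
    firewall's routing table does. Returns the interface name or None."""
    dest = ipaddress.ip_address(dest)
    best = None
    for name, cidr in interfaces.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if dest in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else None

def gateway_reachable(interfaces, bridges, gateway, wire=ROUTER_WIRE):
    """A next hop is usable only if the egress interface shares a broadcast
    domain with the router, i.e. an ARP request for the gateway can be
    answered. Members of one bridge count as a single domain."""
    egress = egress_interface(interfaces, gateway)
    if egress is None:
        return False
    domain = {egress}
    for members in bridges.values():
        if egress in members:
            domain |= set(members)
    return any(gateway in wire.get(ifc, set()) for ifc in domain)

def first_attempt():
    """2.2.2.2/24 on an unbridged fourth interface: the route points out
    fxp2, but the Cisco is on the bge0 wire, so 2.2.2.1 never answers."""
    ifs = {"bge0": "1.1.1.2/28", "fxp0": "10.0.0.1/24", "fxp2": "2.2.2.2/24"}
    bridges = {"bridge0": ["bge0", "fxp1"]}
    return gateway_reachable(ifs, bridges, "2.2.2.1")  # False

def second_dmz_bridged():
    """Second DMZ interface bridged to WAN (assumed layout): fxp2 now shares
    the broadcast domain with bge0, so the route out fxp2 reaches the Cisco."""
    ifs = {"bge0": "1.1.1.2/28", "fxp0": "10.0.0.1/24", "fxp2": "2.2.2.2/24"}
    bridges = {"bridge0": ["bge0", "fxp1", "fxp2"]}
    return gateway_reachable(ifs, bridges, "2.2.2.1")  # True
```

    The same check explains why adding a gateway of 1.1.1.1 or 1.1.1.2 to the fourth interface does not help: the route to a 2.2.2.0/24 host still selects fxp2, and the reply path from the Cisco still ARPs for 2.2.2.2 only on the WAN wire.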

