Netgate Discussion Forum
    Tunneled public IP space on pfsense -- I *think* this is the right idea?

    General pfSense Questions
    public ip tunnels
    jantypas:

      But then again, I think a lot of things -- and others think I need medication....

      I have an OLD Internic assigned public IP block. For our purposes, assume it's 191.192.193.0/24. I finally found an ISP willing to route it through a GRE or GIF tunnel to my pfsense box. I will also route a new V6 block through a similar tunnel.

      Does this seem right? It's been so long since I had public space, I don't remember the details...

      • We will assume the ISP has a public V4 address of 11.12.13.1 and my local ISP has a V4 assigned to me of 12.13.14.1.

      • Obviously, I can set up a GRE tunnel between us 11.12.13.1 <-> 12.13.14.1 IPV4

      • The gateway from the point of view of pfSense is 11.12.13.1, over which I send packets in the 191.192.193.0/24 routed space.

      • On the pfSense box, my LAN segment can now be assigned addresses out of 191.192.193.0/24

      • I have a firewall rule that says "If the source is 192.193.194.0/24, route out the tunnel to 11.12.13.1; otherwise fall through and use the default route."

      • Inbound it's no big deal because things "fall out of the tunnel" and standard routing sends them to the LAN.

      • And of course, I have to write firewall rules that filter traffic between the tunnel and the LAN since the WAN interface rules won't help here.

      • For V6, the rules are similar save for the fact that I have a V6 tunnel endpoint and, there's no need for source routing rules since V6 and V4 have different routing tables.

      Is this right? Or is it time for the meds again?

      jimp (Rebel Alliance Developer, Netgate):

        That's right, though you do have to watch that the rules on your tunnel interface have reply-to in the ruleset. For GIF/GRE, they should have it by default, but double check that to be certain. You need that because otherwise the reply packets would take your default route outbound no matter what you have set on the rules.

        Also make sure you don't have any outbound NAT active on the tunnel interface.

        One last note, I strongly suggest you put devices using those public addresses on their own segment like a DMZ interface. It's a bad practice to mix public and private subnet traffic on an interface for a variety of reasons. So unless LAN is dedicated to using only the public addresses, you should make another interface.
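The two checks jimp recommends (every inbound rule on the tunnel interface carries reply-to, and no outbound NAT rule is bound to the tunnel) can be verified from the loaded ruleset rather than by eyeballing the GUI. The script below is an added example written for this thread; it is not code from the thread or from pfSense. It reads text in the style of `pfctl -sr` (filter rules) and `pfctl -sn` (NAT rules); the sample output embedded here is constructed, uses the thread's placeholder addresses, and the interface name gre0 is an assumption. On a real box you would pipe the live pfctl output into the same functions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: audit pf ruleset
# text for the two tunnel-interface problems raised in the reply above.
# The samples are constructed in pfctl's output style; "gre0" is an assumption.

# Constructed `pfctl -sr`-style output: the second gre0 rule has no reply-to.
SAMPLE_RULES='pass in quick on gre0 reply-to (gre0 11.12.13.1) inet proto tcp from any to 191.192.193.0/24 port = 443 flags S/SA keep state
pass in quick on gre0 inet from any to 191.192.193.0/24 flags S/SA keep state
pass out quick on em0 inet from 192.168.1.0/24 to any flags S/SA keep state'

# Constructed `pfctl -sn`-style output: outbound NAT wrongly applied on gre0.
SAMPLE_NAT='nat on em0 inet from 192.168.1.0/24 to any -> 12.13.14.1 port 1024:65535
nat on gre0 inet from 191.192.193.0/24 to any -> 12.13.14.1 port 1024:65535'

# Print the number of "pass in" rules on interface $1 (read from stdin) that
# carry no reply-to, i.e. rules whose reply packets would leave via the
# default route instead of going back down the tunnel.
count_missing_reply_to() {
    awk -v iface="$1" '
        $1 == "pass" && $2 == "in" && index($0, "on " iface " ") && $0 !~ /reply-to/ { n++ }
        END { print n + 0 }'
}

# Print the number of nat rules (read from stdin) bound to interface $1.
count_nat_on() {
    awk -v iface="$1" '
        $1 == "nat" && $2 == "on" && $3 == iface { n++ }
        END { print n + 0 }'
}

# audit_tunnel IFACE RULES NAT: print both findings; exit status 0 only when
# every inbound rule on IFACE has reply-to and no NAT rule targets IFACE.
audit_tunnel() {
    iface=$1
    missing=$(printf '%s\n' "$2" | count_missing_reply_to "$iface")
    natted=$(printf '%s\n' "$3" | count_nat_on "$iface")
    echo "$iface: $missing inbound rule(s) without reply-to, $natted NAT rule(s) on interface"
    [ "$missing" -eq 0 ] && [ "$natted" -eq 0 ]
}

# Run against the constructed samples; on a live box use:
#   audit_tunnel gre0 "$(pfctl -sr)" "$(pfctl -sn)"
audit_tunnel gre0 "$SAMPLE_RULES" "$SAMPLE_NAT" || echo "tunnel ruleset needs attention"
```

Run with `sh audit.sh`; against the constructed samples it reports one inbound gre0 rule without reply-to and one NAT rule on gre0, which are exactly the two conditions that would send replies out the wrong path or rewrite the public source addresses.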
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.