Tunneled public IP space on pfsense -- I *think* this is the right idea?



  • But then again, I think a lot of things -- and others think I need medication....

    I have an OLD Internic assigned public IP block. For our purposes, assume it's 191.192.193.0/24. I finally found an ISP willing to route it through a GRE or GIF tunnel to my pfsense box. I will also route a new V6 block through a similar tunnel.

    Does this seem right? It's been so long since I had public space, I don't remember the details...

    • We will assume the ISP has a public V4 address of 11.12.13.1 and my local ISP has a V4 assigned to me of 12.13.14.1.

    • Obviously, I can set up a GRE tunnel between us 11.12.13.1 <-> 12.13.14.1 IPV4

    • The gateway from the point of view of pfSense is 11.12.13.1, over which I send packets in the 191.192.193.0/24 routed space.

    • On the pfSense box, my LAN segment can now be assigned addresses out of 191.192.193.0/24

    • I have a firewall rule that says "If the source is 192.193.194.0/24, route out the tunnel to 11.12.13.1, otherwise fall through and use the default route."

    • Inbound it's no big deal because things "fall out of the tunnel" and standard routing sends them to the LAN.

    • And of course, I have to write firewall rules that filter traffic between the tunnel and the LAN since the WAN interface rules won't help here.

    • For V6, the rules are similar save for the fact that I have a V6 tunnel endpoint and there's no need for source routing rules, since V6 and V4 have different routing tables.

    Is this right? Or is time for the meds again?


  • Rebel Alliance Developer Netgate

    That's right, though you do have to watch that the rules on your tunnel interface have reply-to in the ruleset. For GIF/GRE, they should have it by default, but double check that to be certain. You need that because otherwise the reply packets would take your default route outbound no matter what you have set on the rules.

    Also make sure you don't have any outbound NAT active on the tunnel interface.

    One last note, I strongly suggest you put devices using those public addresses on their own segment like a DMZ interface. It's a bad practice to mix public and private subnet traffic on an interface for a variety of reasons. So unless LAN is dedicated to using only the public addresses, you should make another interface.
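    The three points in this reply (reply-to on the tunnel rules, no outbound NAT on the tunnel, public hosts on their own segment) expressed as a raw pf ruleset fragment. This is an added example, not configuration from the thread or from Netgate; pfSense generates its rules from the GUI, and this is the equivalent pf syntax. Assumed: gif0 is the tunnel interface, em2 is a dedicated DMZ interface, and the V6 prefix and gateway are placeholders.

```pf
# Added example (not from the thread or from Netgate). Interface names and
# the V6 values are assumptions; V4 values are the constructed ones from the post.
tun     = "gif0"                 # GIF/GRE tunnel to the ISP (assumed name)
dmz     = "em2"                  # dedicated segment for the public block (assumed name)
pub4    = "191.192.193.0/24"
tun_gw4 = "11.12.13.1"           # tunnel gateway as named in the post; use the
                                 # ISP's tunnel-side address if they give you one
pub6    = "2001:db8:1234::/48"   # placeholder V6 block (documentation prefix)
tun_gw6 = "2001:db8:ffff::1"     # placeholder V6 tunnel gateway

# 1. No outbound NAT on the tunnel: the public block must leave untranslated.
no nat on $tun inet from $pub4 to any

# 2. Policy-route only traffic sourced from the public block out the tunnel;
#    everything else on the box still follows the default route.
pass in quick on $dmz inet from $pub4 to any route-to ($tun $tun_gw4) keep state

# 3. Inbound on the tunnel: default deny, then allow what is published.
#    reply-to pins the return traffic to gif0 instead of the default WAN gateway.
block in on $tun inet from any to $pub4
pass in quick on $tun reply-to ($tun $tun_gw4) inet proto tcp \
    from any to $pub4 port { 80 443 } keep state
pass in quick on $tun reply-to ($tun $tun_gw4) inet proto icmp \
    from any to $pub4 keep state

# V6: no route-to is needed when the tunnel carries the V6 default route,
# but reply-to still matters if the box has any other V6 path.
block in on $tun inet6 from any to $pub6
pass in quick on $tun reply-to ($tun $tun_gw6) inet6 proto tcp \
    from any to $pub6 port { 80 443 } keep state
```

The DMZ-to-LAN direction still needs its own rules on $dmz; the fragment above only covers the tunnel side.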

