Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    New pfSense Installation Questions

    Installation and Upgrades
    1
    1
    2754
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bairdmj last edited by

      I am in the process of planning a new firewall infastructure using pfSense (we are currently use an AirLok appliance) and have a few questions regarding my setup.  Attached is an image of the proposed network diagram.  I am currently running RC2 on both pfSense boxes.

      • Dumb Switch 1 - will be feeding the WAN connections of the master and slave pfsense servers.
        For my DMZ, I will be using a VLAN off of the this switch.  The servers within my "DMZ" will have fully routable external IPS provided by the 2800.

      • The pfSense boxes have 3 interfaces - 1 WAN (12.169.255.x/24), 1 LAN (172.20.1.1/8), 1 OPT (SYNC/172.20.2.1/24).

      • The pfSense LAN interfaces are connected to the 2nd dumb switch.  From here, our backhauls will be connected to this switch (we are a WISP).  Each backhaul contains up to 100 clients.

      • The pfSense boxes will be handing out internal IPS (DHCPD on the LAN interface) currently in the range of 172.20.15.2 to 172.20.16.200.

      • In my advanced outbound routing, I have broken the 172.20.15.2 and 16.2 subnets down into /26's so every 61 addresses will be NAT'd behind a separate external IP.  This currently works great.  I have also assigned each external IP a virtual IP (CARP) (12.169.255.x/24).  If possible, I would like for each of these /26's not to be able to communicate with each other (for security), which currently is not working.

      • The pfsense boxes will not be doing any traffic shaping.  Traffic shaping will be provided by a NetEq appliance that will sit in between the 2800 and the first switch.

      • Every client on the LAN side must be able to access the Internet via the WAN interface.

      My questions are:

      1.  Is my basic network setup correct?  Am I doing this the most efficient way?
      2.  Is there a better way to setup a DMZ?
      3.  How can I provide my clients (which are connected thru a backhaul to the second switch on the 172.20.15.0/24 subnet) a REAL (not 1:1) public IP provided by the Cisco 2800?  Can I simply route a real IP thru the pfSense cluster?  The 2800 currently routes 12.169.255.0/24. 
      4.  It seems that when I add a static DHCP mapping (to 172.20.14.0/24), the client can not access anything.  Do I need to create a firewall rule/virtual IP for the IP that the client is mapped to?

      I really appreciate any input that you might be able to give.  Thanks!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post

      Products

      • Platform Overview
      • TNSR
      • pfSense
      • Appliances

      Services

      • Training
      • Professional Services

      Support

      • Subscription Plans
      • Contact Support
      • Product Lifecycle
      • Documentation

      News

      • Media Coverage
      • Press
      • Events

      Resources

      • Blog
      • FAQ
      • Find a Partner
      • Resource Library
      • Security Information

      Company

      • About Us
      • Careers
      • Partners
      • Contact Us
      • Legal
      Our Mission

      We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

      Subscribe to our Newsletter

      Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

      © 2021 Rubicon Communications, LLC | Privacy Policy