New pfSense Installation Questions

  • I am in the process of planning a new firewall infrastructure using pfSense (we currently use an AirLok appliance) and have a few questions regarding my setup.  Attached is an image of the proposed network diagram.  I am currently running RC2 on both pfSense boxes.

    • Dumb Switch 1 - will be feeding the WAN connections of the master and slave pfSense servers.
      For my DMZ, I will be using a VLAN off of this switch.  The servers within my "DMZ" will have fully routable external IPs provided by the 2800.

    • The pfSense boxes have 3 interfaces - 1 WAN (12.169.255.x/24), 1 LAN (172.20.1.1/8), 1 OPT (SYNC/172.20.2.1/24).

    • The pfSense LAN interfaces are connected to the 2nd dumb switch.  From here, our backhauls will be connected to this switch (we are a WISP).  Each backhaul contains up to 100 clients.

    • The pfSense boxes will be handing out internal IPs (DHCPD on the LAN interface) currently in the range of 172.20.15.2 to 172.20.16.200.

    • In my advanced outbound routing, I have broken the 172.20.15.2 and 16.2 subnets down into /26's so every 61 addresses will be NAT'd behind a separate external IP.  This currently works great.  I have also assigned each external IP a virtual IP (CARP) (12.169.255.x/24).  If possible, I would like for each of these /26's not to be able to communicate with each other (for security), which currently is not working.

    • The pfSense boxes will not be doing any traffic shaping.  Traffic shaping will be provided by a NetEq appliance that will sit in between the 2800 and the first switch.

    • Every client on the LAN side must be able to access the Internet via the WAN interface.

    My questions are:

    1.  Is my basic network setup correct?  Am I doing this the most efficient way?
    2.  Is there a better way to setup a DMZ?
    3.  How can I provide my clients (which are connected through a backhaul to the second switch on the 172.20.15.0/24 subnet) a REAL (not 1:1) public IP provided by the Cisco 2800?  Can I simply route a real IP through the pfSense cluster?  The 2800 currently routes 12.169.255.0/24.
    4.  It seems that when I add a static DHCP mapping (to 172.20.14.0/24), the client cannot access anything.  Do I need to create a firewall rule/virtual IP for the IP that the client is mapped to?

    I really appreciate any input that you might be able to give.  Thanks!
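The per-/26 outbound NAT scheme and the "keep the /26s apart" goal in the post are easy to reason about with a small model. The script below is an added example, not code from the post or from the pfSense project: it carves the stated DHCP pool (172.20.15.2 to 172.20.16.200) into /26 networks, maps each one to its own external address, checks which external address a given LAN host would be translated to, and builds a first-match rule list (block each /26 toward the rest of the LAN, pass everything else) in the order pfSense evaluates LAN rules. The external VIP list and the 172.20.0.0/16 LAN aggregate are assumptions; the LAN gateway 172.20.1.1 comes from the post. The lookup for 172.20.14.5 returns no NAT entry, which is the first thing to check for question 4: a static mapping outside the ranges covered by the outbound NAT rules has no translation unless a catch-all rule exists.

```python
import ipaddress

# Constructed inputs (assumptions, not from the post, except the pool bounds
# and the LAN gateway): a hypothetical list of external CARP VIPs and the
# LAN-side aggregate that the isolation block rules should cover.
DHCP_START = ipaddress.IPv4Address("172.20.15.2")
DHCP_END = ipaddress.IPv4Address("172.20.16.200")
LAN_IP = ipaddress.IPv4Address("172.20.1.1")
EXTERNAL_VIPS = [f"12.169.255.{n}" for n in range(10, 20)]   # hypothetical
LAN_AGGREGATE = ipaddress.ip_network("172.20.0.0/16")          # assumed
ANY = ipaddress.ip_network("0.0.0.0/0")


def covering_subnets(start, end, prefix=26):
    """Enumerate the /prefix networks that cover [start, end] inclusive."""
    nets = []
    net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
    while net.network_address <= end:
        nets.append(net)
        net = ipaddress.ip_network(f"{net.broadcast_address + 1}/{prefix}",
                                   strict=False)
    return nets


def build_outbound_nat(subnets, vips):
    """Map each /26 to its own external address; fail loudly if VIPs run out."""
    if len(subnets) > len(vips):
        raise ValueError(f"{len(subnets)} subnets but only {len(vips)} VIPs")
    return {net: ipaddress.IPv4Address(vip) for net, vip in zip(subnets, vips)}


def nat_source_for(addr, nat_table):
    """Return the external address a LAN host is translated to, or None when
    no outbound NAT entry covers it (a host with no entry has no way out)."""
    addr = ipaddress.IPv4Address(addr)
    for net, vip in nat_table.items():
        if addr in net:
            return vip
    return None


def isolation_rules(subnets, lan_aggregate, lan_ip):
    """Rules in pfSense evaluation order (first match wins): let clients reach
    the firewall itself (DNS/DHCP), block each /26 toward the rest of the LAN,
    then the catch-all pass that gives every client Internet access."""
    rules = [("pass", ANY, ipaddress.ip_network(f"{lan_ip}/32"))]
    rules += [("block", net, lan_aggregate) for net in subnets]
    rules.append(("pass", ANY, ANY))
    return rules


def first_match(rules, src, dst):
    """Evaluate a packet against the rule list the way a first-match firewall
    does; returns 'block', 'pass' or 'default-deny'."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, s_net, d_net in rules:
        if src in s_net and dst in d_net:
            return action
    return "default-deny"


if __name__ == "__main__":
    subnets = covering_subnets(DHCP_START, DHCP_END)
    nat = build_outbound_nat(subnets, EXTERNAL_VIPS)
    for net, vip in nat.items():
        print(f"{net}  ->  {vip}")
    print("172.20.15.70 NATs to", nat_source_for("172.20.15.70", nat))
    print("172.20.14.5  NATs to", nat_source_for("172.20.14.5", nat))
    rules = isolation_rules(subnets, LAN_AGGREGATE, LAN_IP)
    print(first_match(rules, "172.20.15.70", "172.20.16.10"))
    print(first_match(rules, "172.20.15.70", "8.8.8.8"))
```

One caveat the model makes visible: firewall rules only apply to traffic that enters the LAN interface. If all clients sit in one broadcast domain behind a dumb switch (which a /8 LAN with per-/26 NAT implies), a host in 172.20.15.64/26 reaches a host in 172.20.15.128/26 directly across the switch and the packet never touches pfSense, so no LAN rule can stop it. Isolating the /26s needs them in separate L2 segments (VLANs on a managed switch, or separate interfaces) with pfSense as the only path between them.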