Netgate Discussion Forum
    New pfSense Installation Questions

    Problems Installing or Upgrading pfSense Software
    1 Posts 1 Posters 3.0k Views
      bairdmj
      last edited by

      I am in the process of planning a new firewall infrastructure using pfSense (we currently use an AirLok appliance) and have a few questions regarding my setup.  Attached is an image of the proposed network diagram.  I am currently running RC2 on both pfSense boxes.

      • Dumb Switch 1 - will be feeding the WAN connections of the master and slave pfSense servers.
        For my DMZ, I will be using a VLAN off of this switch.  The servers within my "DMZ" will have fully routable external IPs provided by the 2800.

      • The pfSense boxes have 3 interfaces - 1 WAN (12.169.255.x/24), 1 LAN (172.20.1.1/8), 1 OPT (SYNC/172.20.2.1/24).

      • The pfSense LAN interfaces are connected to the second dumb switch.  From here, our backhauls will be connected to this switch (we are a WISP).  Each backhaul contains up to 100 clients.

      • The pfSense boxes will be handing out internal IPs (DHCPD on the LAN interface), currently in the range of 172.20.15.2 to 172.20.16.200.

      • In my advanced outbound routing, I have broken the 172.20.15.2 and 16.2 subnets down into /26s so every 61 addresses will be NAT'd behind a separate external IP.  This currently works great.  I have also assigned each external IP a virtual IP (CARP) (12.169.255.x/24).  If possible, I would like for each of these /26s not to be able to communicate with each other (for security), which currently is not working.

      • The pfSense boxes will not be doing any traffic shaping.  Traffic shaping will be provided by a NetEq appliance that will sit in between the 2800 and the first switch.

      • Every client on the LAN side must be able to access the Internet via the WAN interface.

      My questions are:

      1.  Is my basic network setup correct?  Am I doing this the most efficient way?
      2.  Is there a better way to set up a DMZ?
      3.  How can I provide my clients (which are connected through a backhaul to the second switch on the 172.20.15.0/24 subnet) a REAL (not 1:1) public IP provided by the Cisco 2800?  Can I simply route a real IP through the pfSense cluster?  The 2800 currently routes 12.169.255.0/24.
      4.  It seems that when I add a static DHCP mapping (to 172.20.14.0/24), the client cannot access anything.  Do I need to create a firewall rule/virtual IP for the IP that the client is mapped to?

      I really appreciate any input that you might be able to give.  Thanks!

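The /26 split and the inter-subnet isolation described in the post, worked through as an added example (this is not code from the post or from the pfSense project). It splits the two client /24s into /26 blocks, maps each block to its own outbound NAT address, and runs a small first-match rule evaluator of the kind pfSense uses on its LAN interface to show why a lone "LAN net to any" pass rule lets one /26 reach another, and how a LAN-to-LAN block placed above it (with an exception for the firewall's own LAN address so DNS and DHCP keep working) closes that gap. The public addresses are constructed samples inside the 12.169.255.0/24 range the post names, the destination 203.0.113.5 is a documentation address standing in for "the Internet", and the rule evaluator models only traffic that actually transits the firewall: hosts that share one layer-2 segment reach each other through the switch without touching pfSense, so interface rules like these take effect only where the blocks are separated at layer 2 (for example, per-backhaul VLANs).

```python
"""Added example: /26 client blocks, per-block outbound NAT, and a first-match
rule check for isolation between blocks.  Public IPs are constructed samples."""
from ipaddress import ip_address, ip_network

# Client subnets from the post (DHCP range 172.20.15.2 - 172.20.16.200).
CLIENT_NETS = [ip_network("172.20.15.0/24"), ip_network("172.20.16.0/24")]
# "LAN net" as pfSense derives it from the 172.20.1.1/8 interface address.
LAN_NET = ip_network("172.20.1.1/8", strict=False)          # 172.0.0.0/8
FIREWALL_LAN = ip_network("172.20.1.1/32")                  # the gateway itself
# Constructed sample CARP VIPs, one per /26.  Real values come from the ISP.
SAMPLE_VIPS = [ip_address("12.169.255.10") + i for i in range(8)]


def split_into_26s(nets):
    """Return the /26 blocks of each /24, in address order."""
    return [sub for net in nets for sub in net.subnets(new_prefix=26)]


def usable_hosts(net):
    """Addresses in the block minus network and broadcast (62 for a /26)."""
    return net.num_addresses - 2


def outbound_nat_table(blocks, vips):
    """Advanced outbound NAT: each /26 source block leaves via its own VIP."""
    return {str(block): str(vip) for block, vip in zip(blocks, vips)}


def first_match(rules, src, dst):
    """Evaluate (action, src_net, dst_net) rules top-down, first match wins.
    dst_net None means 'any'.  No match falls through to the implicit deny."""
    src, dst = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in rules:
        if src in src_net and (dst_net is None or dst in dst_net):
            return action
    return "block"


def default_rules():
    """The stock LAN rule set: everything from LAN net may go anywhere."""
    return [("pass", LAN_NET, None)]


def isolation_rules():
    """Hardened LAN rule set: clients may reach the firewall's LAN address,
    may not reach any other LAN address, and may reach everything else."""
    return [
        ("pass", LAN_NET, FIREWALL_LAN),   # DNS/DHCP/web GUI on pfSense itself
        ("block", LAN_NET, LAN_NET),       # no client-to-client via the firewall
        ("pass", LAN_NET, None),           # Internet access for every client
    ]


def check():
    """Compare both rule sets for a host in the first /26 of 172.20.15.0/24."""
    blocks = split_into_26s(CLIENT_NETS)
    src = str(blocks[0][5])                # 172.20.15.5
    other_block_host = str(blocks[1][5])   # 172.20.15.69, a different /26
    return {
        "default_cross": first_match(default_rules(), src, other_block_host),
        "hardened_cross": first_match(isolation_rules(), src, other_block_host),
        "hardened_gateway": first_match(isolation_rules(), src, "172.20.1.1"),
        "hardened_internet": first_match(isolation_rules(), src, "203.0.113.5"),
    }


if __name__ == "__main__":
    blocks = split_into_26s(CLIENT_NETS)
    for block, vip in outbound_nat_table(blocks, SAMPLE_VIPS).items():
        print(f"{block:>18} ({usable_hosts(ip_network(block))} hosts) -> {vip}")
    print(check())
```

Running the block prints the eight /26 blocks with their sample VIPs and then the comparison: the default rule set passes traffic between two client blocks, while the hardened set blocks it but still passes traffic to the firewall's LAN address and to an outside destination. On a real deployment the same three rules would be entered on the LAN tab in that order, with "LAN net" and "This Firewall" as the built-in aliases.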
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.