4. New pfSense Installation Questions

New pfSense Installation Questions

  • B

    I am in the process of planning a new firewall infastructure using pfSense (we are currently use an AirLok appliance) and have a few questions regarding my setup.  Attached is an image of the proposed network diagram.  I am currently running RC2 on both pfSense boxes.

    • Dumb Switch 1 - will be feeding the WAN connections of the master and slave pfsense servers.
      For my DMZ, I will be using a VLAN off of the this switch.  The servers within my "DMZ" will have fully routable external IPS provided by the 2800.

    • The pfSense boxes have 3 interfaces - 1 WAN (12.169.255.x/24), 1 LAN (172.20.1.1/8), 1 OPT (SYNC/172.20.2.1/24).

    • The pfSense LAN interfaces are connected to the 2nd dumb switch.  From here, our backhauls will be connected to this switch (we are a WISP).  Each backhaul contains up to 100 clients.

    • The pfSense boxes will be handing out internal IPS (DHCPD on the LAN interface) currently in the range of 172.20.15.2 to 172.20.16.200.

    • In my advanced outbound routing, I have broken the 172.20.15.2 and 16.2 subnets down into /26's so every 61 addresses will be NAT'd behind a separate external IP.  This currently works great.  I have also assigned each external IP a virtual IP (CARP) (12.169.255.x/24).  If possible, I would like for each of these /26's not to be able to communicate with each other (for security), which currently is not working.

    • The pfsense boxes will not be doing any traffic shaping.  Traffic shaping will be provided by a NetEq appliance that will sit in between the 2800 and the first switch.

    • Every client on the LAN side must be able to access the Internet via the WAN interface.

    My questions are:

    1.  Is my basic network setup correct?  Am I doing this the most efficient way?
    2.  Is there a better way to setup a DMZ?
    3.  How can I provide my clients (which are connected thru a backhaul to the second switch on the 172.20.15.0/24 subnet) a REAL (not 1:1) public IP provided by the Cisco 2800?  Can I simply route a real IP thru the pfSense cluster?  The 2800 currently routes 12.169.255.0/24. 
    4.  It seems that when I add a static DHCP mapping (to 172.20.14.0/24), the client can not access anything.  Do I need to create a firewall rule/virtual IP for the IP that the client is mapped to?

    I really appreciate any input that you might be able to give.  Thanks!

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy