PfSense to replace Cisco Router / Firewall

  • I know this has been posted before in the forum, but I couldn't really find any clear answers.  I am looking to replace a Cisco Router / Firewall with one pfSense box.

    Currently, the uplink side of my Cisco router to the ISP is a /30.  One end of the /30 is my router and the other end is my ISP.  My default route is to their /30.

    They have also given me a /29 which is routed to my end of the /30.

    In addition to this, I also need to have an interface providing DHCP'd private IPs to various workstations.  They should be NAT'd through one of my IPs in the public /29.

    I'm confused as to how to configure this in pfSense.  I realize that I will need to use Advanced Outbound NAT to configure the NAT for my LAN clients.  I was thinking something like:

    NIC 1
    VLAN 10 - (uplink from ISP)

    NIC 2
    VLAN 11 - (my public /29 which is routed to
    VLAN 12-

    Would I need to create a bridge between VLAN10 and VLAN11 to make this work?  If so, will I have this issue:

    I would really like to avoid the use of a bridge if possible, but I'm not sure it is.  If I do use a bridge, would the gateway of devices on VLAN 11 be (WAN/VLAN 10 IP)?

    I will have one single switch connected to NIC2 that will be a trunk carrying both VLAN 11 and VLAN 12 which should give the switch access to both the public and the private

    Any input is greatly appreciated.


  • I'm going to make the assumption that the interface type for the /30 WAN subnet is Ethernet, so you probably have some other router/modem/device/CPE that will actually provide the transport for your WAN.  If there is, it is probably working as a bridge on its own if the current Cisco uses an Ethernet WAN interface. You may be better served if you can adjust the modem or existing transport bridge to do the L3 function, terminate the /30 and route to the /29, which will now be the WAN on your firewall.

    You could simply set up your NAT normally you won't need bridging, unless you wanted to use an OPTx interface for a DMZ (just bridge it with WAN).

    If you can't put the /29 on your pfSense WAN interface, you'll put it on your OPTx interface and then create a virtual IP (I haven't tested my setup yet, but the "other" type looked promising), put in one of your IPs from the /29 and then use that in your manual advanced outbound NAT rule.  Apply the rule to your WAN interface, use the LAN /24 as source, and "any" for destination, and you should be off and running.

    "should" be anyway, like I said, my setup hasn't been tested yet, but it is a setup I'm interested in, I'll probably need to use it myself.  Let me know if it works for you.
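The routed-/29 layout described in the post above, written out as a hand-edited pf ruleset so the pieces are visible in one place. This is an added example, not something from the thread and not the rules pfSense itself generates from its GUI; every interface name and address below is an assumed placeholder (RFC 5737 documentation ranges). It corresponds to the GUI steps the post names: the /29 address on an OPT interface, a Virtual IP of type "Other" for the NAT address, and a manual outbound NAT rule on WAN with the LAN /24 as source and "any" as destination.

```pf
# Added example (not from the thread, not pfSense-generated).  Assumed layout:
#   WAN  = em0          203.0.113.1/30  (ISP end 203.0.113.2 is the default gateway,
#                                        set outside pf, e.g. defaultrouter in rc.conf)
#   OPT1 = em1_vlan11   198.51.100.1/29 (the routed block; public hosts live here)
#   LAN  = em1_vlan12   192.168.12.1/24 (DHCP clients that must be NATed)
#   NAT source          198.51.100.2    (a Virtual IP of type "Other": pf need not
#                                        ARP for it, the ISP already routes it here)

wan  = "em0"
opt1 = "em1_vlan11"
lan  = "em1_vlan12"

public_net = "198.51.100.0/29"
lan_net    = "192.168.12.0/24"
nat_ip     = "198.51.100.2"
web_host   = "198.51.100.3"      # hypothetical public server on VLAN 11

set skip on lo0
scrub in all

# No bridge is needed: the /29 is routed, not switched.  Hosts on VLAN 11 use
# 198.51.100.1 (the OPT1 address) as their default gateway; the ISP sends the
# whole /29 to 203.0.113.1, so return traffic arrives on WAN and is simply
# forwarded out OPT1.  Nothing from VLAN 11 is translated.

# Manual ("Advanced") outbound NAT: only the private LAN is translated, and
# only when it leaves via WAN.  It does not matter that 198.51.100.2 is not
# configured on em0 itself; replies to it reach WAN because the ISP routes the
# /29 to us, and the NAT state maps them back to the LAN client.
nat on $wan inet from $lan_net to any -> $nat_ip

# Filter policy: default deny, then explicit passes.
block in log all
antispoof quick for { $opt1 $lan }

# WAN: anything may leave; inbound is limited to the public hosts you choose
# to expose (one HTTPS host as an illustration).  LAN clients are never
# reachable from WAN because nothing passes in to 192.168.12.0/24.
pass out quick on $wan keep state
pass in quick on $wan inet proto tcp from any to $web_host port 443 keep state

# OPT1 (public /29): hosts may initiate anywhere; forwarded inbound traffic
# that passed the WAN rule above still needs a pass out here.
pass in  quick on $opt1 inet from $public_net to any keep state
pass out quick on $opt1 keep state

# LAN (private /24): clients may initiate anywhere; the nat rule on WAN
# rewrites their source to 198.51.100.2 on the way out.
pass in  quick on $lan inet from $lan_net to any keep state
pass out quick on $lan keep state

# DHCP for VLAN 12 is a separate service (dhcpd listening on em1_vlan12);
# it is not expressed in pf.
```

Two checks worth running once this is in place: from a LAN client, confirm an external "what is my IP" style lookup reports 198.51.100.2 rather than the WAN /30 address; and from a VLAN 11 host, confirm its outbound connections keep their own /29 address, which proves the nat rule is scoped to the private /24 and the /29 is being routed, not translated.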


  • Just remove all the access lists from the Cisco, put one of the public LAN-side addresses on the pfSense box and be done with it. If the /30 is a serial connection you don't have a choice. Simple is better.

  • Yup, I had that thought too, Dotdash, but when I attack this similar problem in my setup, I'm going to try my darndest to get rid of any box I can.

    BairdMJ, pick your approach and choose your poison.  Degree of difficulty is up to you.  Me?  The harder stuff always plagues me for a second attempt after I wimp out the first time.

