PfSense for my colo? Please help!



  • Hi guys,

    Right now I am running my colo network (a full /24 assigned from WAN, with static IP route to neighbor router) without any firewall and I am looking into pfsense.

    The idea is to put pfsense on my network, connected directly from the ISP and transparently allow connections (without need to add custom rules for every single application). What is the easiest way to achieve this?

    I have switch-created VLANs assigned to fixed ports and that's how I can control IP resources not being stolen. I don't know if I can run all these VLANs with OSPF… please enlighten me.



  • Search the forum / docs and read about VIPs, Proxy ARP, 1:1 NAT and Aliases.  Between these, you should be all set.  Virtual IPs allow you to run multiple public IPs through one pfSense box via Proxy ARP.  You can set up 1:1 NAT to create direct pass-through of traffic (like your current setup) and if you use Aliases, everything will be easier to administer.  Good luck.



  • @mhab12:

    Search the forum / docs and read about VIPs, Proxy ARP, 1:1 NAT and Aliases.  Between these, you should be all set.  Virtual IPs allow you to run multiple public IPs through one pfSense box via Proxy ARP.  You can set up 1:1 NAT to create direct pass-through of traffic (like your current setup) and if you use Aliases, everything will be easier to administer.  Good luck.

    Thanks… just to clarify VIPs = Virtual IPs?

    Just a few questions:

    On the switch, do I create separate VLANs on each port for each segment of my public addresses (I usually give servers a /29) and then configure a STATIC route on my switch for 0.0.0.0 > 192.168.1.1 (pfSense box)?



  • Yes, VIP = Virtual IP

    You should not need VLANs.

    There are two ways to go about what I think you are trying to do:
    1.  Create a LAN and use VIP/Proxy ARP to assign public IPs to LAN hosts/servers through 1:1 NAT.
    2.  Use a bridged interface (transparent firewall) such as the one explained here in the old M0n0 documentation.
    http://doc.m0n0.ch/handbook/examples-filtered-bridge.html



  • IMO a filtering bridge is the easiest way to put your current colo behind a firewall. There's no need to change anything on the machines that way, and the fallback scenario (in case things don't work out well the first time) is as easy as removing the transparent bridging firewall from the network and plugging your uplink back into the switch. No VLAN setup is required, unless you have multiple uplinks and/or not enough Ethernet ports on your firewall. This is exactly the way I've done it in a similar setup (with VLANs, however). There are a few things worth mentioning though:

    • It may require a bit more CPU power than a traditional firewall

    • It's probably wise to preconfigure the firewall outside the colo network and test it / familiarize yourself with it in an isolated network setup

    Regarding the filter rule setup: the best rule of thumb is to only allow things you really would like to get into / go out from the network. At the very least I would only allow selective ports on the WAN interface and just allow everything out from the LAN interface.

    Good luck.
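    As an added illustration (not from any poster in this thread) of the rule of thumb above, a pf ruleset for a transparent bridge that denies by default, lets everything out from the switch side and opens only selected ports from the uplink side; the interface names, the 203.0.113.0/24 colo block and the 203.0.113.0/29 server block are placeholders.

```pf
# Constructed example: pf ruleset for a filtering (transparent) bridge
# in front of a colo /24. Interface names, the 203.0.113.0/24 block,
# the /29 server block and the port list are placeholders.
#
# Assumes bridge0 has em0 on the uplink side and em1 on the switch side,
# and that FreeBSD filters on the bridge member interfaces:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0

wan_if    = "em0"              # faces the ISP / neighbor router
lan_if    = "em1"              # faces the colo switch
colo_net  = "203.0.113.0/24"   # the full /24 routed to the colo
web_srv   = "203.0.113.0/29"   # one server /29 carved out of it
web_ports = "{ 80, 443 }"

set skip on lo0
set block-policy drop

# Anti-spoofing: packets arriving from the uplink must not claim a
# source inside the colo block that lives behind the bridge.
block drop in quick on $wan_if from $colo_net to any

# Default deny: nothing passes unless a rule below allows it.
block log all

# Rule of thumb from the thread: everything may leave the LAN side ...
pass in quick on $lan_if all keep state

# ... but only selected ports are reachable from the WAN side.
pass in on $wan_if proto tcp from any to $web_srv port $web_ports flags S/SA keep state

# Keep path MTU discovery and basic reachability checks working.
pass in on $wan_if inet proto icmp to $web_srv icmp-type { echoreq, unreach } keep state

# Forwarded packets accepted on ingress may leave on either member
# interface (states are floating, so the egress side matches them).
pass out quick on { $wan_if $lan_if } all keep state
```

    In pfSense the same policy is entered per interface under Firewall > Rules; the pf.conf form above is what the GUI generates underneath.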



  • This is, admittedly, an easier approach but it's not without its downsides.  Bridge filtering isn't supported by CARP, so if you need to do a CARP firewall cluster because you have an HA requirement for your network, then bridging isn't going to work.  It's really about your needs; pick the solution that fits yours best.

