Routing VIPs?

  • I've tried to figure this out in the book, but I'm still not sure, so thought I'd ask here.

    In a colocation environment, I am connected with a single line to my ISP.  That line goes to a switch connected to all my machines.  I've been running individual firewalls on all machines, but want to put everything behind pfSense so that I can have a better handle on security and also implement some QOS.

    I have two different subnets coming in from my ISP.  Right now, each machine is configured on one of the two subnets with the appropriate gateways, etc…  So any traffic from one subnet to the other, I assume, is going out to my ISP's router and then back to me.

    I'm pretty sure with pfSense, I can keep everything "local".  pfSense will have a WAN address on Subnet "A". Do I need to set up static routes inside pfSense that tell it about Subnet "B"?  Or if I simply assign the IP addresses on Subnet "B" as VIPs on the WAN interface, does that take care of it?

    I'm going to talk to my ISP about my changes, but want to make sure I can get pfSense set up right.  I'm open to any and all suggestions.

  • Hi
    Yes, if you add a virtual IP to the WAN IF, it should take care of the routing.
    How do you plan to set up the subnet(s) behind the pfSense? Use private IPs and port forwarding, 1:1 NAT, or bridging?

  • Thanks for the reply!
    I was planning to use 1:1 NAT on some machines and port forwarding on others, with everything located in a private network on the LAN IF.

    I wrote my ISP and got a response yesterday that will probably change things.  They would like to use an intermediary /30 network to send our subnets to us.  I'm going to ask if they'll use a /29 so that we can add a second failover pfSense box after we get everything working right on the first one.

    I'm trying to figure out how to set things up to "receive" the subnets.  For explanation, I'll refer to the /30 or /29 network as subnet A, and our two existing subnets as B and C.  From what I understand, I'll use an IP address from subnet A on my WAN IF.  I still want to have a private network on my LAN, and to use 1:1 NAT or port forwarding from the public IPs of subnets B and C for that.

    I'm trying to figure out how I configure pfSense to use the Public IPs from Subnets B and C.  Is it as simple as creating Proxy ARP VIPs?

    Thanks again for helping me through Routing 101.  :)
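The layout described in the post above, written out as an added example in raw pf.conf syntax (the ruleset pfSense generates from its GUI settings; this is not configuration from the thread or from the pfSense project). It assumes WAN on em0, LAN on em1, RFC 5737 documentation ranges for subnets A, B and C, /24 sizes for B and C, and hypothetical hosts 10.0.0.10 (1:1 NAT) and 10.0.0.20 (port forwards only).

```pf
# Constructed example. Interfaces and all addresses are assumptions.
ext_if = "em0"
int_if = "em1"

# Subnet A: the /30 transit link from the ISP (pfSense WAN address + ISP gateway)
wan_addr = "192.0.2.2"
isp_gw   = "192.0.2.1"

# Subnets B and C: public ranges the ISP routes to wan_addr over the transit link
subnet_b = "198.51.100.0/24"
subnet_c = "203.0.113.0/24"

# Private LAN behind pfSense
lan_net  = "10.0.0.0/24"
db_host  = "10.0.0.10"   # gets a whole public IP from subnet B via 1:1 NAT
web_host = "10.0.0.20"   # gets only 80/443 from a subnet C IP via port forwards

# --- Translation (FreeBSD pf: nat/rdr/binat come before filter rules) ---
# 1:1 NAT: 198.51.100.10 <-> 10.0.0.10, both inbound and outbound
binat on $ext_if from $db_host to any -> 198.51.100.10

# Port forwards: 203.0.113.10:80 and :443 -> 10.0.0.20
rdr on $ext_if proto tcp from any to 203.0.113.10 port { 80, 443 } -> $web_host

# Everything else on the LAN leaves through the WAN address
nat on $ext_if from $lan_net to any -> $wan_addr

# --- Filtering (rules see the already-translated private addresses) ---
set skip on lo0
block in log all                       # default deny inbound on every interface

# Only the services the translation rules expose are allowed in from the WAN;
# the 1:1 host gets nothing beyond the port listed here despite its full public IP
pass in on $ext_if proto tcp from any to $db_host  port 22          flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_host port { 80, 443 } flags S/SA keep state

# LAN hosts may initiate outbound; replies are matched by state
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```

Because the ISP forwards B and C to the WAN address across the transit link, no rule here answers ARP for those public IPs; in the pfSense GUI that corresponds to the "Other" (or IP Alias) virtual IP type, whereas Proxy ARP is the type for addresses that live on the WAN's own broadcast domain.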
