Multiple Public Subnets Routed



  • Hi All,

    I'm trying to figure some things out and the book doesn't spell this one out clear enough for me since I'm new to routing.

    Our colocation ISP currently handles the routing for us and we just have a switch in the cabinet.  We have two separate subnets coming to us down a single CAT5 cable.  We are going to change that and use pfSense in the cabinet.  The ISP says that they will route the subnets to use and will use a /29 network to do that.  That makes sense to me.  I'm just trying to figure out how to set up pfSense in the most efficient way.

    Because of our current setup, each machine has it's own public IP address.  We can change those to a private address on the LAN, but the change over of all our machines would lead to a lot of downtime.  But I don't know if there's an option.  So here are my questions.

    1.  To "receive" the routed subnets, do I use "Other" VIPs on the WAN for every public IP on both subnets?
    2.  Is there a way to set pfSense so that my machines will still be behind the pfSense, allowing firewalling and traffic shaping, and still retain their public IP address?
    3.  Will traffic between subnet A and subnet B be handled within pfSense?  In other words, I don't want that traffic heading to my ISP and back.
    4.  What else am I missing?  :)

    Thanks for any help!


  • Rebel Alliance Developer Netgate

    You can keep it fully routed if you want, just disable NAT. (Firewall > NAT, outbound tab, switch to manual and delete the rules) and assign an IP from your subnet on the LAN with the proper subnet mask. You do not need VIPs if you are routing the IPs, that is only for use with NAT entries (port forwards, 1:1, outbound NAT, etc)

    If you have your two subnets on two different internal networks (LAN, OPT1) the routing will be handled by pfSense and shouldn't leave the router, as long as pfSense has an IP address in both subnets, and is the gateway for machines in those subnets.



  • Thanks for the reply!  That's very helpful.

    Can addresses on the two subnets exist on a single LAN interface?  Most of our machines are virtual I'd like to just connect each host via a single interface.  Also, can I do a mix of routed and NAT?  Or should it be all one or the other?

    To give a full picture, I'd like to have a total of 3 interfaces in a redundant failover install.  On each pfSense, there would be a WAN connected to the ISP, LAN connected to a switch/servers, and OPT1 for pfsync.

    Thanks again!


  • Rebel Alliance Developer Netgate

    They cannot exist on a single LAN interface without some unsupported hacking of the config to setup an IP alias. An IP alias is really not the right way to go about it anyhow, keeping separate subnets in separate interfaces is really the better way to go.



  • Thanks!  That's very helpful.  I think that will push us to using NAT which is what we planned from the beginning.

    So one last question.  To "receive" the routed subnets, I would just use "Other" VIPs from both subnets on the WAN interface, right?

    Thanks again for your help!  I really appreciate it!


  • Rebel Alliance Developer Netgate

    If the additional subnets are routed directly to the WAN IP of your firewall, then yes, 'other' type VIPs should work fine.



  • Thanks!  You have been a great help!


Log in to reply