Routing / firewalling two class C's

  • Tried searching but not even sure what to search on…

    In previous setups I've had a small subnet, like a /30, that is assigned to the outside interface.  Traffic for that and any other networks is sent on that port.  I can then set up OPT interfaces with those subnets and everything works great.  In this case I only have two class C's.  Here's how they are set up:

    network 1:

    network 2:

    Both come in on a single cable but have dual gateways like that.  Meaning I could plug that into a hub, connect servers to it, give it the .1 gateway and it will work.  Obviously I don't want to put everything on the internet without a firewall.  I want the NAT'd external IP to and all other IPs have to go through pfSense.  I can have them dump the dual network like this and instead have them route traffic from both subnets to (and then I'm assuming pfSense will advertise that it handles the whole network so the gateway will know where to route it; unfortunately I never learned about BGP routing and such).  Here's the ideal setup:

    outside - directly connected to cable going to isp's switch

    opt1 - connects to our "external" switch
    gw: blank (so it should forward to above)

    opt2 - connects to our "external" switch
    gw: blank (so that also forwards to )

    inside has inside settings

    I'd then have the ISP forward both subnets to network.  Both outside and opt1 having the same subnet mask seems like it would clash.  Or would pfSense know if it sees something like coming in on outside and it knows that server exists on opt1 to accept the traffic and pass it along?
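    The clash the poster is worried about can be checked mechanically: a host (pfSense included) installs a connected route for every interface subnet, and two interfaces carrying the same prefix give the forwarding table two equal-length matches for every host in that block.  The following is an added example, not part of this thread or of pfSense; the two interface plans and all addresses are constructed from RFC 5737 documentation ranges, since the real addresses are not on the page.  The "bridged" plan puts the first /24 on both WAN and OPT1, as in the poster's proposal; the "routed" plan is the earlier working design (a /30 transit net on WAN, each /24 behind its own OPT interface).

```python
from ipaddress import ip_address, ip_interface
from itertools import combinations

# Constructed interface plans (RFC 5737 documentation ranges), not the
# poster's real addressing.  Each value is the address pfSense would hold
# on that interface, in CIDR form.
BRIDGED_PLAN = {
    "wan":  "198.51.100.1/24",   # first /24 addressed directly on WAN
    "opt1": "198.51.100.2/24",   # the same /24 again on OPT1
    "opt2": "203.0.113.1/24",    # second /24 on OPT2
    "lan":  "192.168.1.1/24",
}

ROUTED_PLAN = {
    "wan":  "192.0.2.2/30",      # small transit /30 from the ISP
    "opt1": "198.51.100.1/24",   # first /24 lives behind OPT1
    "opt2": "203.0.113.1/24",    # second /24 lives behind OPT2
    "lan":  "192.168.1.1/24",
}


def connected_networks(plan):
    """Map interface name -> the connected subnet derived from its address."""
    return {name: ip_interface(cidr).network for name, cidr in plan.items()}


def find_overlaps(plan):
    """Return sorted (ifA, ifB) pairs whose connected subnets overlap.

    Any pair here means the host has two connected routes competing for
    the same destinations, which is the clash the original question asks about.
    """
    nets = connected_networks(plan)
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def candidate_interfaces(plan, dst):
    """Interfaces whose connected route is a longest-prefix match for dst.

    One name: the forwarding decision is unambiguous.  Several names: the
    connected routes collide at the same prefix length and which interface
    wins is implementation-dependent.  Empty list: dst is not on any
    connected subnet and would follow the default route instead.
    """
    dst = ip_address(dst)
    matches = [
        (net.prefixlen, name)
        for name, net in connected_networks(plan).items()
        if dst in net
    ]
    if not matches:
        return []
    best = max(prefixlen for prefixlen, _ in matches)
    return sorted(name for prefixlen, name in matches if prefixlen == best)


if __name__ == "__main__":
    for label, plan in (("bridged", BRIDGED_PLAN), ("routed", ROUTED_PLAN)):
        print(f"{label}: overlaps={find_overlaps(plan)}, "
              f"198.51.100.50 via {candidate_interfaces(plan, '198.51.100.50')}")
```

    Running it shows the bridged plan reporting an overlap between `wan` and `opt1` and two candidate interfaces for a host in the first /24, while the routed plan reports no overlap and a single candidate.  Whether a given pfSense version tolerates the duplicated prefix when the interfaces are bridged is not something this check can tell you; it only shows where the forwarding table is forced to pick between equal routes.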

  • Anyone have advice yet?  Here's the current setup:

    bridge with WAN

    Other IPs in network don't work reliably.  If I restart the firewall I can ping  As soon as I restart the server it breaks again, although I don't see any traffic being blocked on the firewall.  Which leads me to believe something gets messed up in the firewall's routing tables or something and it gets reset when I restart the firewall.  The network works fine.

    It has to be a common configuration where you have a large block of IPs and you want the first IP to be the firewall and the rest to be filtered through the firewall.  The only solution I can think of now is to have the ISP give me another /30 so I have a different external IP from the two class C's, but there has to be a way to get it to work.

