Routed & NAT Subnet on LAN Interface

Routing and Multi WAN

maeltor:

Forgive me if this has already been asked.

My network topology is this:

ATM Cloud & Internet --> 2Wire DSL Modem set in Transparent Bridging --> pfSense Router & Firewall --> Internal Network.

The DSL Modem does transparent bridging and I have a /32 (which is on my ISP's /24) and a routed /29.

I can't figure out how to put both the routed /29 and my internal NAT (for workstations) on the same interface. I technically could put a router in front of the pfSense machine and do my split routing that way, but then I lose the ability to firewall off my public IP space, which is kind of the point of having this firewall.

hoba:

2 options:

1. Add an additional interface to your pfSense with the public subnet and assign public IPs from this subnet to your hosts. In such scenarios the provider usually just routes the traffic for the additional IPs to you. You then only need some firewall rules for the desired allowed traffic.

or

2. Add Virtual IPs of type "other" to your WAN interface and add port forwards and firewall rules for them. If "other" doesn't work, use type "proxyArp", but I guess "other" should work for this.

maeltor:

Thanks for the quick response!

How do I ADD an interface? I can't see it in the GUI; is it done from the console?

Would I have to add a static default route?
Can I plug the optional interface into the same LAN switch I have behind the firewall, and do I have to suppress ARP anywhere?

hoba:

I meant adding a physical NIC and then assigning it at Interfaces > Assign. This is more like having a DMZ attempt.

maeltor:

Ok, so I'm thinking I did this completely wrong somewhere along the line.

I have 3 interfaces; the names are dc0 (LAN), dc1 (OPT1), and dc4 (WAN).

The LAN interface is 10.0.0.0/24. The WAN is 1.1.1.1/32 (actually it's on a /24 bridged DSL). The OPT1 is 2.2.2.2/29 that is routed to 1.1.1.1 (I know this works because it works on just a regular router). WAN is plugged into my DSL Modem; LAN and OPT1 are plugged into a 24 port switch.

Here is my problem currently:
LAN can talk to WAN, and WAN can talk to LAN, but neither can talk to OPT1.
The IP configuration of OPT1 is as follows:

Enabled
Type: Static
Bridged with: NONE
IP Address: 2.2.2.2 /29
Gateway: None (I figured the machine just sets a default 0.0.0.0 0.0.0.0 1.1.1.1 static route, yes?)

My routes look like this:

default 206.207.111.1 UGS dc4
10/24 link#1 UC dc0
127.0.0.1 127.0.0.1 UH lo0
206.207.109.80/29 link#2 UC dc1
206.207.109.82 00:0e:08:aa:9b:c1 UHLW dc1
206.207.111 link#5 UC dc4
206.207.111.1 00:03:32:2e:e4:54 UHLW dc4

My firewall rules:

Proto  Source    Port  Destination  Port  Gateway  Description
*      OPT1 net  *     *            *     *
*      OPT1 net  *     LAN net      *     *        OPT1 --> LAN
*      LAN net   *     OPT1 net     *     *        LAN --> OPT1

What am I missing? The device 206.207.109.82 cannot be reached by the LAN and it can't get out past the router, or vice versa. Anyone know? Do I have to bridge something? I have ARP suppressed since both OPT1 and LAN share the same physical switch.

Help please!
hoba:

@hoba:

    2 options:

    …

    or

    Add Virtual IPs of type "other" to your WAN interface and add port forwards and firewall rules for them. If "other" doesn't work, use type "proxyArp", but I guess "other" should work for this.

If you connect both to the same switch anyway, you probably want to use the second option. However, your current setup should work. What puzzles me a bit is your firewall rule paste. Are these rules all at the same interface tab? If yes, this is wrong. If not, please provide the interfaces the rules belong to.

maeltor:

@hoba:

    If you connect both to the same switch anyway, you probably want to use the second option. However, your current setup should work. What puzzles me a bit is your firewall rule paste. Are these rules all at the same interface tab? If yes, this is wrong. If not, please provide the interfaces the rules belong to.

Hi Hoba,

No, the first 2 are on the OPT1 interface and the last one is on the LAN interface, but that shouldn't matter, because what I'm having problems with is the public IP subnet traffic passing out through the WAN interface. Do I have to add a firewall rule on the WAN interface passing traffic from OPT1 --> *? Wouldn't I do that on the OPT1 interface tab?

This leads me to another question. Once I figure this part out, where DO I add filtering rules for the OPT1 interface: at the WAN or at the OPT1 tab?

hoba:

Traffic is always filtered incoming at an interface, so you got your rules right. Filtering traffic from the OPT1 subnet therefore has to happen on the OPT1 tab. Any chance you are running pfSense 1.0? This version had a bug where sometimes filter rules have not been applied on changes and you had to reboot. Upgrade to 1.0.1 or the latest snapshot ( http://snapshots.pfsense.com/FreeBSD6/RELENG_1/ ) if this is the case.

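As an added illustration of hoba's last point, here is a small Python model (not code from the thread, from pfSense, or from pf) that replays the routing table maeltor pasted and evaluates his three rules the way pf does: only the rules on the tab of the interface a packet *enters* are consulted, first match wins, and a packet that matches nothing is dropped. The interface subnets are taken from the pasted route table, the stock "allow LAN to any" rule is assumed to be present because LAN already reaches WAN, and the sample flows (10.0.0.5, 8.8.8.8) are constructed for the demonstration. It also checks for rules that can never match on the tab they sit on, which is the mistake hoba asked about.

```python
import ipaddress

# Routing table exactly as maeltor pasted it (netstat -rn shorthand).
ROUTE_TABLE_TEXT = """\
default 206.207.111.1 UGS dc4
10/24 link#1 UC dc0
127.0.0.1 127.0.0.1 UH lo0
206.207.109.80/29 link#2 UC dc1
206.207.109.82 00:0e:08:aa:9b:c1 UHLW dc1
206.207.111 link#5 UC dc4
206.207.111.1 00:03:32:2e:e4:54 UHLW dc4
"""

# Interface subnets as they appear in the route paste.
IFACE_NETS = {
    "dc0": ipaddress.ip_network("10.0.0.0/24"),        # LAN
    "dc1": ipaddress.ip_network("206.207.109.80/29"),  # OPT1, the routed /29
    "dc4": ipaddress.ip_network("206.207.111.0/24"),   # WAN, bridged DSL /24
}
TAB_OF = {"dc0": "LAN", "dc1": "OPT1", "dc4": "WAN"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_destination(dest):
    """Expand BSD netstat destination shorthand ("10/24", "206.207.111", "default")."""
    if dest == "default":
        return ANY
    if "/" in dest:
        addr, plen = dest.split("/")
        plen = int(plen)
    else:
        addr = dest
        plen = 8 * len(addr.split("."))  # "206.207.111" -> /24, a full host -> /32
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/%d" % plen, strict=False)


def parse_route_table(text):
    routes = []
    for line in text.splitlines():
        if line.strip():
            dest, gw, flags, iface = line.split()
            routes.append((parse_destination(dest), gw, flags, iface))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface a packet to dst leaves on."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    return best[3] if best else None


def ingress_interface(src):
    """The interface a packet from src enters on; anything not directly attached arrives via WAN."""
    ip = ipaddress.ip_address(src)
    for iface, net in IFACE_NETS.items():
        if ip in net:
            return iface
    return "dc4"


# Pass rules as (tab, source, destination): maeltor's three, plus the stock
# "allow LAN to any" rule assumed to be present because LAN already reaches WAN.
RULES = [
    ("OPT1", IFACE_NETS["dc1"], ANY),                # OPT1 net -> *
    ("OPT1", IFACE_NETS["dc1"], IFACE_NETS["dc0"]),  # OPT1 net -> LAN net
    ("LAN",  IFACE_NETS["dc0"], IFACE_NETS["dc1"]),  # LAN net -> OPT1 net
    ("LAN",  IFACE_NETS["dc0"], ANY),                # default allow LAN to any (assumed)
]


def evaluate(routes, rules, src, dst):
    """pf semantics as hoba describes: only the ingress interface's tab is consulted,
    first match wins, and nothing matching means the packet is dropped."""
    ingress = ingress_interface(src)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "block"
    for tab, src_net, dst_net in rules:
        if tab == TAB_OF[ingress] and s in src_net and d in dst_net:
            verdict = "pass"
            break
    return verdict, ingress, egress_interface(routes, dst)


def misplaced_rules(rules):
    """hoba's sanity check: a rule whose source is another interface's subnet
    sits on a tab where it can never match."""
    tab_net = {TAB_OF[i]: n for i, n in IFACE_NETS.items()}
    return [r for r in rules if r[1] != ANY and not r[1].subnet_of(tab_net[r[0]])]


if __name__ == "__main__":
    routes = parse_route_table(ROUTE_TABLE_TEXT)
    for src, dst in [("206.207.109.82", "8.8.8.8"),   # OPT1 host out to the Internet
                     ("10.0.0.5", "206.207.109.82"),   # LAN host to the OPT1 host
                     ("8.8.8.8", "206.207.109.82")]:   # unsolicited inbound from the Internet
        print(src, "->", dst, evaluate(routes, RULES, src, dst))
    # The same three rules pasted onto one tab, as hoba suspected:
    print("misplaced:", misplaced_rules([("OPT1", s, d) for _, s, d in RULES[:3]]))
```

Run as-is, the OPT1 host reaching the Internet is passed by the OPT1-tab rule and leaves via dc4 without any WAN-tab rule being involved, while an unsolicited connection from the Internet to 206.207.109.82 enters on dc4 and is dropped because the WAN tab has no rule for it; that second case is the one that needs a WAN-tab rule (or, with option 2, a Virtual IP plus port forward). Moving all three rules onto the OPT1 tab flags the "LAN net -> OPT1 net" rule as one that can never match there.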