Multiple public IPs to L2 switch with VLANs

  • Hello,
    I've been using pfSense for my home network for a while, but now I have to set it up to support multiple networks. My ISP has provided me with 5 static IPs with a /29 subnet mask and a gateway as the 6th IP in the same subnet. My environment has a pfSense box (Intel MB, Core i3 G620 2.6GHz w/4GB RAM, 3 NICs: 2 GB, 1 100MB) connected to a Cisco SG200-26 L2 switch and a VMware ESXi 4.1 host with 6 NICs (5, 1 is used for iSCSI).

    I'm not sure of the terms, but conceptually what I'm trying to do is to set up 3 customers (A, B, C) to have OpenVPN remote access to their VMs and also host a mail server (Zimbra) in a DMZ (or an isolated VLAN). Additionally, I'd like to have a site-to-site VPN to each of their offices (1 for each client). Plus I have a few NASes that I'd like to use for storage and backup storage, which I'd like to be accessible from all the different networks/VMs, so I thought I'd create a separate VLAN and enlist it in each of the VLANs so I can NFS mount the shares?

    client A ---> WAN IP 1 ---> [pfSense 2.0] ---> vlan10 ---> 10.0.10.x
    client B ---> WAN IP 2 ---> [pfSense 2.0] ---> vlan20 ---> 10.0.20.x

    Between the VLAN configuration on the Cisco and the multiple-IP setup on the pfSense, I'm thoroughly confused and I would appreciate any advice or guidance in setting this up.

    Thanks in advance!

  • Wow! I'm surprised that no one has had any suggestions.
    Anyway, I managed to set it up by creating a set of VIPs and NAT rules for each subnet. I was also able to set up the VPN to route to one of the internal networks.

    I have, however, noticed a couple of issues with this setup:
    1. I can reach other subnets from one another, even though the switch port only allows tagged frames. So it seems to be pfSense that's allowing traffic from one VLAN into the others. I suppose I could add firewall rules to prevent that, but isn't that the whole point of creating VLANs?

    2. The VPN certs that are generated have the WAN IP address and I don't see how to specify the VIP address for it. So the remote users are coming in on the wrong IP and then routing to the correct internal VLAN.

    So if anyone knows how to remedy the above issues please let me know.


  • Answering only the first: do you have this kind of rule set on your VLANs?
    from vlan-subnet (or any) to any

    If yes, then the problem is your rule sets. You can create an alias called localnetworks and add all local networks to that alias.
    Then add this rule to your VLANs:

    block from vlan subnet (or any) to "localnetworks", and make sure that this rule is above any other rule.
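    To show why the rule order in this reply matters, here is an added example (not from the thread or from pfSense itself) that models how pfSense evaluates a VLAN interface's rule list: top to bottom, first match wins, implicit deny if nothing matches. It uses the vlan10 and vlan20 subnets from the diagram and assumes a vlan30 for client C and a 10.0.100.0/24 storage VLAN for the shared NAS; the "localnetworks" alias holds all of them. It also goes a step beyond the reply by adding a pass rule to the storage VLAN above the block, which is what the original poster would need for the NFS shares to stay reachable.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing: vlan10/vlan20 come from the thread's diagram;
# vlan30 (client C) and the storage VLAN are assumptions for this example.
VLAN10 = ipaddress.ip_network("10.0.10.0/24")
VLAN20 = ipaddress.ip_network("10.0.20.0/24")
VLAN30 = ipaddress.ip_network("10.0.30.0/24")      # assumed: client C
STORAGE = ipaddress.ip_network("10.0.100.0/24")    # assumed: NAS / NFS VLAN

# The "localnetworks" alias from the reply: every internal subnet, storage included.
LOCALNETWORKS = [VLAN10, VLAN20, VLAN30, STORAGE]
ANY = []  # an empty network list stands for "any"


@dataclass
class Rule:
    action: str                                 # "pass" or "block"
    src: list = field(default_factory=list)     # list of ip_network, [] = any
    dst: list = field(default_factory=list)
    note: str = ""

    def matches(self, s, d):
        src_ok = not self.src or any(s in n for n in self.src)
        dst_ok = not self.dst or any(d in n for n in self.dst)
        return src_ok and dst_ok


def evaluate(rules, src, dst):
    """Walk one interface's rule list top to bottom; the first match decides.
    pfSense GUI rules are installed as pf 'quick' rules, so this is the
    behaviour they get. No match falls through to the implicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d):
            return r.action
    return "block"


def vlan_rules(vlan, block_above_pass=True):
    """Rule set for one VLAN interface. The storage pass rule sits above the
    block so the shared NAS stays reachable; with block_above_pass=False the
    catch-all pass is hit before the block, which is the leak the poster saw."""
    to_storage = Rule("pass", [vlan], [STORAGE], "NFS to the shared NAS")
    isolate = Rule("block", [vlan], LOCALNETWORKS, "block to localnetworks alias")
    catch_all = Rule("pass", [vlan], ANY, "everything else: internet, VPN peers")
    if block_above_pass:
        return [to_storage, isolate, catch_all]
    return [to_storage, catch_all, isolate]


def isolation_report(block_above_pass=True):
    """Verdicts for a vlan10 host talking to three constructed destinations."""
    rules = vlan_rules(VLAN10, block_above_pass)
    host = "10.0.10.5"
    return {
        "vlan20": evaluate(rules, host, "10.0.20.7"),        # another client
        "storage": evaluate(rules, host, "10.0.100.10"),     # shared NAS
        "internet": evaluate(rules, host, "203.0.113.10"),   # TEST-NET-3 address
    }


if __name__ == "__main__":
    print("block above pass:", isolation_report(True))
    print("pass above block:", isolation_report(False))
```

    With the block rule above the catch-all pass, vlan10 reaches the storage VLAN and the internet but not vlan20; with the order reversed, the catch-all pass matches first and vlan10 reaches vlan20, which is exactly the cross-VLAN traffic described in the second post. One caveat when using a "localnetworks" alias this way: the pfSense interface address inside each VLAN is part of that VLAN's subnet, so if clients use pfSense for DNS or other services, a pass rule to the firewall's own address must also sit above the block.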
