Setup for three public netblocks, single WAN and two LANs. No NAT at all.

  • Hello,

    I'm evaluating version 2.0.1 of pfSense as a replacement for my edge gateway/firewall, and I have searched the forums/googled for posts that talk about a setup in 2.0.1 that is similar to what I am attempting to do without much luck so far.  I'm in somewhat of a time crunch, so I'm going to ask here.  My apologies if I have missed any posts or docs that would help here.  Here's my setup:

    Currently, I have 3 public netblocks.  A /30 and two /25s. There is no NAT, and there will be no NAT. One of the /30 IPs is on my ISP's side of my circuit, and the other is on my WAN interface.  The two /25 blocks are routed down to my WAN interface.  Currently, I have two ethernet interfaces.  One for the WAN, and the other for the LAN, which has IPs for both public blocks configured, one as an alias (eth0:1).  I have a switch connected to the LAN interface, and it does not support VLANs. I would like to set pfSense up the same way using just two interfaces, however, the new server I'm using has three NICs, so having each /25 on its own interface is certainly an option.

    So my questions are 1. whether or not I can have both /25 netblocks on one LAN interface, and if so, what the correct way to accomplish that would be, and 2. if it's necessary, or even just better, to have each /25 netblock on its own interface, what the correct way would be to accomplish that.

    Any help would be greatly appreciated.
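
    The addressing plan described in this post, as an added example that is not from the thread or from pfSense itself. Constructed RFC 5737 ranges stand in for the real /30 and two /25s; `plan()` derives the LAN address plus IP alias for the second /25 on one interface, and `inbound_allowed()` models the consequence of the no-NAT design: every host in both /25s is Internet-reachable unless the WAN rules deny by default.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation space), standing in for the real blocks.
WAN_LINK = ipaddress.ip_network("203.0.113.0/30")
ISP_ADDR = ipaddress.ip_address("203.0.113.1")   # ISP side of the /30: the default gateway
WAN_ADDR = ipaddress.ip_address("203.0.113.2")   # pfSense side of the /30
LAN_BLOCKS = [ipaddress.ip_network("198.51.100.0/25"),
              ipaddress.ip_network("198.51.100.128/25")]


def plan(wan_link=WAN_LINK, wan_addr=WAN_ADDR, isp_addr=ISP_ADDR, lan_blocks=LAN_BLOCKS):
    """Derive interface addressing for 'both /25s on one LAN interface, no NAT'.

    The firewall takes the first usable address of each routed block: the first
    block becomes the LAN interface address, the rest become IP aliases on the
    same interface (the role eth0:1 plays today).  Raises on an inconsistent
    plan so a typo does not silently black-hole a block.
    """
    if wan_addr not in wan_link or isp_addr not in wan_link or wan_addr == isp_addr:
        raise ValueError("WAN and ISP addresses must be two distinct hosts of the /30")
    blocks = [wan_link, *lan_blocks]
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    fw_addrs = [next(b.hosts()) for b in lan_blocks]
    return {
        "wan": f"{wan_addr}/{wan_link.prefixlen}",
        "default_gateway": str(isp_addr),
        "lan": f"{fw_addrs[0]}/{lan_blocks[0].prefixlen}",
        "lan_aliases": [f"{a}/{b.prefixlen}" for a, b in zip(fw_addrs[1:], lan_blocks[1:])],
        # all but network, broadcast and the firewall's own address are reachable once a WAN rule permits it
        "directly_reachable_hosts": sum(b.num_addresses - 3 for b in lan_blocks),
    }


def inbound_allowed(src, dst, port, allowed, lan_blocks=LAN_BLOCKS):
    """Default-deny model for the WAN interface in a routed, NAT-free design.

    `allowed` maps a public host address (str) to the set of TCP ports it
    exposes; anything not listed is dropped, as is traffic claiming a source
    inside our own blocks (anti-spoof).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(src in b for b in lan_blocks):
        return False                                   # spoofed: our blocks never arrive from the ISP
    if not any(dst in b for b in lan_blocks):
        return False                                   # not one of the routed blocks
    return port in allowed.get(str(dst), set())
```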


  • I'm jealous of your IP ranges. I have a single IP. As you are evaluating pfSense and will want to take advantage of its enhanced security, I would think seriously about redesigning your network.

    Not knowing what you use the internal networks for, or if you deliver any services externally, it's hard to say what you should do.

    NAT offers another layer of security, some flexibility, but a little more complexity, but the benefits outweigh the risk of changing things.

    Your ISP is routing those /25's for you to the /30 IP on your WAN, yes. So..

    I would probably create a /24 NAT (maybe 10.x.x.x) on your LAN using private IP's and a different /24 for your DMZ (172.x.x.x) and/or wireless access on your OPT1 interface.
    Put any services you deliver externally in the DMZ and statically NAT any IP's to one of the public /25 IP's that you have. The other IP's I would probably use for internal user services like VPN, PPTP etc.

    This would give you a great deal of flexibility for growth, and security.