CIDR setup

  • I have never set up a CIDR block before, and have only set up a pfSense once.  No expert here in this.  I have a client that needs a CIDR block to accommodate their, and their tenants', needs.  Line comes in to the modem, then a Netgate appliance running pfSense.  IP structure is as follows:

    Slight changes to avoid tempting the hackers.

    WAN IP
    WAN G/W

    CIDR info

    1st useable
    last useable

    If each one of these IPs will have its own firewall on each of the usable IPs, what is the simplest way to set up this pfSense to let all traffic through?  I need each address to show as itself for the purposes of reverse DNS, and I need to be able to open all ports to each IP so I can set up their own services, RWW, etc.  Please keep it simple for stupid me. I got the WAN part; is it better to do this through the LAN or OPT, and what are the specific settings?


  • is getting routed to or is it a completely separate connection or IP range?

  • The ranges are completely separate; we're routing through.  The WAN number is the IP that shows to the ISP, the CIDR numbers are the local networks.  I need to route through the pfSense so that the IPs in the CIDR show on the internet to match reverse DNS, etc., and I need all ports to each IP since they all have their own firewalls after that.

  • Sounds like you have live internet IPs on the systems behind pfSense. If that is the case, turn off automatic outbound NAT and remove all rules that apply to internet routable networks.

  • OK, do I add the entire .160/28 to the LAN or OPT?  Or do I assign .161 to the LAN and then what?  Once set up, what do I need to do to allow inbound and outbound traffic to the CIDR IPs?  Total newbie to this system.  Thanks!

  • Sorry if I am being vague... You have not provided enough details on what exactly you are trying to accomplish... There are MANY options available. It looks like your ISP is routing to for you to use your pfSense to continue processing. If they are not, then you are going to have to set up differently. You answered that question negatively, but when describing what you want to do... it reads like that is not the case: you have a routed solution going on.
    Can you clarify that any? If you are unsure, please talk to your ISP and they will let you know. It strongly determines how you are going to complete setup.
    Just so that you know, it sounds like you are setting up a DMZ (in OPT1) with live IPs for servers and have a LAN for everything else.

  • Sorry for the confusion.  Yes, they are routing .160/28 to .178, and the pfSense just needs to allow those IPs full access in and out, with no NAT.  There will be nothing on the LAN, just a switch on the OPT and then routers with the static addresses .162-.174.

  • Okay... then set up OPT1 with .161 and then routers with .162 on. Turn off auto NAT and switch to manual. It will auto-create rules for LAN and OPT1. If you switch to manual before you set up OPT1, you will not have to remove any rules. Once you have NAT turned off for the OPT1 subnet, you just have to create rules to allow traffic. You will not have to set up 1:1 or port forwards, just rules. All your devices in OPT1 will use .161 as their default gateway. Don't forget to set an allow-out rule on OPT1. I would set it to allow any protocol on any port to any destination/port (a wide open rule) so that you can properly test before locking it down.
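The end state that reply describes, written out as an added illustration in the shape of a pfSense config.xml export (this is not the thread's own configuration nor an official pfSense sample). 203.0.113.160/28 is a placeholder for the routed block the poster redacted, the OPT1 NIC name em2 is assumed, and the element names follow my own reading of pfSense exports, so compare against a fresh backup from the box before relying on them.

```xml
<!-- Added example, not the thread's own config. 203.0.113.160/28 is a
     placeholder for the routed /28; the NIC name em2 is assumed. -->
<interfaces>
  <opt1>
    <enable></enable>
    <if>em2</if>
    <descr>DMZ</descr>
    <ipaddr>203.0.113.161</ipaddr>  <!-- first usable: default gateway for the routers -->
    <subnet>28</subnet>             <!-- .162-.174 stay free for the tenant routers -->
  </opt1>
</interfaces>

<nat>
  <outbound>
    <!-- Weak setting: <mode>automatic</mode> would masquerade the whole /28
         behind the WAN address, so reverse DNS and inbound reachability break.
         Manual mode with NO rule covering the OPT1 subnet leaves it un-NATed;
         <mode>disabled</mode> is equivalent here since nothing sits on LAN. -->
    <mode>advanced</mode>
    <!-- deliberately no <rule> for 203.0.113.160/28 -->
  </outbound>
</nat>

<filter>
  <!-- Inbound: Internet to the routed block. No 1:1 NAT or port forwards are
       needed because the addresses are globally routed through pfSense. -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <source><any></any></source>
    <destination><network>opt1</network></destination>
    <descr>Allow Internet to routed /28 (tighten per tenant after testing)</descr>
  </rule>
  <!-- Outbound: the wide-open allow-out rule on OPT1 the reply mentions. -->
  <rule>
    <type>pass</type>
    <interface>opt1</interface>
    <ipprotocol>inet</ipprotocol>
    <source><network>opt1</network></source>
    <destination><any></any></destination>
    <descr>Allow OPT1 net to any (wide open for testing)</descr>
  </rule>
</filter>
```

With this in place, each tenant router keeps its public address end to end, and the "lock it down" step the reply defers is simply narrowing the two pass rules to the ports each tenant actually exposes.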

  • Thanks, I'll set up and take it to the location in a few hours for testing.  I'll let you know.
