Need help to configure a routing pfSense Box without NAT



  • Hello People,

    I'm trying to set up a pfSense box to take over firewalling and routing.

    Here is my actual scenario:

    WAN --> MyFirewallBox --> Nortel Layer3 Switch with Routing --> MySubnets.

    All my subnets have real IP addresses; the FirewallBox runs an old Linux with some kind of legacy gated for static leases for the /26 subnets.

    So I have questions and I'm accepting suggestions on how to reimplement this. Here are my considerations:

    1. I don't need NAT. Not at this time, but I would like to use it later. Perhaps I'll need some VLANs?
    2. I don't know how my FirewallBox runs this gated... I can post the configuration here if needed.
    3. Should my pfSense Box do the routing instead of the Nortel?
    4. There's another Layer3 router serving other subnets.
    5. Should I increase the network range to something more aggressive, like /22 or /20?
    6. My public IPs: (sorry for masquerading the initial octets)

        xxx.yyy.36.0 /24
        xxx.yyy.37.0 /24
        xxx.yyy.40.0 /24
        xxx.yyy.136.0 /24
        xxx.yyy.137.0 /24
        xxx.yyy.138.0 /24
        xxx.yyy.139.0 /24
        zzz.www.244.0 /24 (Offline at this moment)
    

    How my infrastructure works: client A has an IP address of xxx.yyy.37.11; the connection goes through this path:

    Client A -----> Nortel Layer 3 (multiple IP addresses) -----> MyFirewall -----> WAN.

    I'm trying to understand everything; I already have this infra ready and I want to understand it better and put better software in place to manage it. So basically I just want some advice on how to configure pfSense to do routing and firewalling without NAT. And in the future, when I need NAT, what are the requirements to do this? Do I need another network interface only for NAT clients? May I set up some VLANs for those?

    Thanks for any help and sorry for English mistakes.


  • Rebel Alliance Global Moderator

    To completely disable NAT to have a routing-only firewall, do the following.

    Go to the Firewall -> NAT page, and click the Outbound tab.
        Select the option "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save.
        Remove all automatically generated NAT rules at the bottom of the screen.
        Apply changes

    To completely disable NAT and all firewall function from all interfaces, do the following. Note that you will skip the previous section ("Disable NAT") when taking this approach.

    Go to the System: Advanced page and click the Firewall / NAT tab.
        Check the box to "Disable Firewall / Disable all packet filtering."
        Save changes.

    http://doc.pfsense.org/index.php/Outbound_NAT



  • @johnpoz:

    To completely disable NAT to have a routing-only firewall, do the following.

    Go to the Firewall -> NAT page, and click the Outbound tab.
        Select the option "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save.
        Remove all automatically generated NAT rules at the bottom of the screen.
        Apply changes

    To completely disable NAT and all firewall function from all interfaces, do the following. Note that you will skip the previous section ("Disable NAT") when taking this approach.

    Go to the System: Advanced page and click the Firewall / NAT tab.
        Check the box to "Disable Firewall / Disable all packet filtering."
        Save changes.

    http://doc.pfsense.org/index.php/Outbound_NAT

    I'm aware of this documentation. But I can't put it to work correctly. As example I can't find the right place to define the static routes.


  • Rebel Alliance Global Moderator

    System -> Routing -> Routes
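    As an added example (not from any poster in this thread), the script below works out which static routes a routing-only pfSense box would need toward the downstream Nortel L3 switch for the prefixes listed in the first post, and checks the first post's question about moving to a /22 or /20. The masked prefixes xxx.yyy and zzz.www are replaced by the constructed stand-ins 10.0 and 10.1, and the Nortel gateway address is hypothetical.

```python
import ipaddress

# Constructed stand-ins for the masked prefixes in the thread:
# xxx.yyy -> 10.0 and zzz.www -> 10.1 (the real ones are public space).
OWNED = [
    "10.0.36.0/24", "10.0.37.0/24", "10.0.40.0/24",
    "10.0.136.0/24", "10.0.137.0/24", "10.0.138.0/24", "10.0.139.0/24",
    "10.1.244.0/24",
]
# Hypothetical address of the Nortel L3 switch on the pfSense-facing link.
NORTEL_GW = "10.0.36.2"


def aggregate(prefixes):
    """Merge adjacent prefixes into the fewest exact supernets.

    collapse_addresses only merges blocks that together form one aligned
    prefix, so the result never claims space outside 'prefixes'.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def static_routes(prefixes, gateway):
    """(destination, gateway) pairs to enter under System -> Routing -> Routes,
    one per aggregated block, all pointing at the downstream L3 switch."""
    return [(dest, gateway) for dest in aggregate(prefixes)]


def foreign_space(candidate, prefixes):
    """Parts of 'candidate' (e.g. a proposed /22 or /20) that are not owned.
    A non-empty result means the larger route would also attract traffic for
    other people's addresses, which ends up blackholed or leaked."""
    remaining = [ipaddress.ip_network(candidate)]
    for p in (ipaddress.ip_network(x) for x in prefixes):
        nxt = []
        for r in remaining:
            if p.subnet_of(r):
                nxt.extend(r.address_exclude(p))  # carve the owned block out
            elif not r.subnet_of(p):
                nxt.append(r)                      # untouched; fully-owned r is dropped
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


if __name__ == "__main__":
    for dest, gw in static_routes(OWNED, NORTEL_GW):
        print(f"route {dest} via {gw}")
    print("not ours inside 10.0.32.0/20:", foreign_space("10.0.32.0/20", OWNED))
```

The four routes it produces are exact, so nothing that is not yours is routed; a single /20 covering 36, 37 and 40 would also swallow twelve /24s you do not own.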


  • Netgate Administrator

    Looking at your diagram it seems more likely that your existing device is configured as transparent firewall.
    Does that seem possible?

    Steve

