Routing Internet IPs to correct NIC

  • My ISP has given me a subnet of 8 routable IP addresses that I will use for some websites I host. I've got a pfSense box set up with 3 NICs and I need a little bit of newb help to get it configured. I've looked at all of the tutorials and either I'm looking in the wrong place or my question isn't covered. So this is what I want to do:

    NIC 1 - connects to my ISP, gets its IP address from their DHCP. This works easy as pie, no help needed.

    NIC 2 - connects to my internal LAN, provides NAT and DHCP. This is working too, no help needed.

    NIC 3 - connects to my web servers' network. It needs 2-way communication with NIC 2, does not need NAT or DHCP, and I need help.

    My ISP has given me the following information:  
       Network IP
       Gateway IP
       Usable IPs -
       Broadcast IP
       Subnet mask /29

    Specifically, what address do I give to NIC 3? Does it get the network, gateway, or a usable IP address? Or is there something else I'm missing?

    (Further clarification: NIC 2, the internal LAN, needs the typical firewalled access to the internet and completely unfettered access to the NIC 3 network. NIC 3 needs to keep the traffic coming from the internet on that network and not allow it access to the internal NIC 2 LAN. Since the web hosts have their own security, anything provided by pfSense is nice but not critical.)

  • Your ISP is giving you a standard setup with a gateway and all. This would be a standard NAT setup. This may not be what you want. You have 3 options. First, you can set up NIC 3 like a DMZ or LAN. Give it a private address and then set up 1:1 NAT and routing between the DMZ and LAN. Or you can set up a routed solution. This is the way I would recommend. Basically you have to get your ISP to route your IP range to your WAN address. Then you only need to assign OPT1 the gateway address they gave you, and each server behind it will use the settings like the ISP gave you. The 3rd way is to bridge WAN and OPT. Then each server will be assigned like the way your ISP sent you. OPT will not have an IP address.

  • OK, that's the ticket. I was close to right, but I was missing the firewall rules. Apparently, by default no rules are created for OPT1. With the help of this post I got talking to the internet. Yeah! But my DMZ could talk to the local LAN, so I added another rule to stop that.

    ID  Proto  Source    Port  Destination  Port  Gateway  Queue  Schedule  Description
        *      OPT1 net  *     LAN net      *     *        none             Block access to the internal LAN
        *      OPT1 net  *     *            *     *        none             Default allow LAN to any rule

    The first rule blocks access to the internal LAN and the second allows access to the outside. I still need to add a rule to allow the WAN to access OPT1. (It's late for me; I'll look for that tomorrow. Firewall rules are new to me.) Am I on the right track with this?

    BTW my ISP is routing to my WAN address so this should be fairly simple to complete.
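Added example, not code from the thread or from pfSense: a small Python model of how pfSense evaluates the two OPT1 rules in the post (rules are checked top to bottom on the interface the traffic enters, the first match wins, and anything no rule passes is dropped), showing why the block rule has to sit above the allow rule. The LAN and OPT1 subnets and the host addresses are constructed for illustration.

```python
import ipaddress

# Constructed subnets standing in for the "LAN net" and "OPT1 net" aliases in the post.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("203.0.113.8/29")   # the routed /29 from the ISP
ANY = "*"                                           # pfSense "any" in the Source/Destination column

def matches(net, addr):
    """True if addr falls in net, or if the rule says '*'."""
    if isinstance(net, str) and net == ANY:
        return True
    return ipaddress.ip_address(addr) in net

def evaluate(rules, src, dst):
    """First-match, top-down evaluation; implicit default deny when nothing matches."""
    for action, src_net, dst_net, desc in rules:
        if matches(src_net, src) and matches(dst_net, dst):
            return action, desc
    return "block", "implicit default deny"

# The two OPT1 rules as posted, in the posted order: block DMZ -> LAN, then allow DMZ -> any.
OPT1_RULES_POSTED = [
    ("block", OPT1_NET, LAN_NET, "Block access to the internal LAN"),
    ("pass",  OPT1_NET, ANY,     "Default allow LAN to any rule"),
]
# The same two rules with the order swapped: the pass-any rule now matches first.
OPT1_RULES_REVERSED = list(reversed(OPT1_RULES_POSTED))

def check_order(rules):
    """Verdicts for a web server on OPT1 reaching a LAN host and an internet host."""
    web = "203.0.113.10"                       # constructed web server on OPT1
    return {
        "dmz_to_lan": evaluate(rules, web, "192.168.1.20")[0],
        "dmz_to_internet": evaluate(rules, web, "198.51.100.5")[0],
    }

if __name__ == "__main__":
    for name, rules in (("posted", OPT1_RULES_POSTED), ("reversed", OPT1_RULES_REVERSED)):
        print(name, check_order(rules))
```

With the posted order the DMZ reaches the internet but not the LAN; with the order reversed the pass rule shadows the block and the DMZ can reach the LAN, which is the leak the second rule was added to close.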

  • Seems like you are on the right track for a routed solution. The WAN rules are where the fun is anyways.

  • Would it not be easiest to just assign 1 IP to the WAN interface and then create Virtual IPs and NAT setups to point to the internal LAN IPs and be done with it?