Routing of the public ip to the switch in pfsense.

MarcioFsantos

Greetings to the board staff, I'm new here and I will ask a help

I am studying the pfsense and liked that solution too, but I have a question:

We assume that the topology is:

Edge Router with CISCO BGP –-> pfSense ---> Layer 3 Switch ---> Web Servers

I want to use pfsense for an edge firewall for certain blocks, bandwidth control and IPS.

The router:
interface GigabitEthernet0 / 1
ip address 10.40.40.1/30

in pfSense
WAN 10.40.40.2/30
LAN 10.50.50.1/30

switch
10.50.50.2/30 in VLAN 1 = default

I remember that on router and switch are published for public ips, my doubt how do the routing of the public ip to the switch in pfsense.

I thank the community!

MarcioFsantos

All web servers are configured with public ips and accessed via the Internet

phil.davis

Firstly, do you really need the Layer3 switch (router) behind pfSense? It would be easier if the LAN with web servers is directly attached to pfSense. (or is it many LANS?)
You will need to add a gateway on pfSense LAN to Layer 3 switch 10.50.50.2, and static route/s telling pfSense what is reachable through 10.50.50.2
Since the whole network behind the Cisco is hidden from public internet view, you will need to put port forwards on the Cisco to forward the public IPs to the appropriate internal web server IPs.
I think you could also disable NAT on pfSense, tell the Cisco about all the networks that are reachable through pfSense WAN, and port forward directly from the Cisco to the Web servers. pfSense WAN would just need firewall rules on WAN to open the things you want to open. pfSense can then control bandwidth… of all the traffic flowing through it. For any outgoing things from the Web servers, if the Cisco knows about those networks then it could do the NAT.

MarcioFsantos

Remember that web servers are configured with public ips.

Are apache, mysql, email, and etc …

In this scenario we have the public ip on the servers so we will not have NAT hiding the internal network.

I am not knowing how to make the setting to receive my switch ips.

eg the topology without pfsense with only the router and switch

within the router I put the following configuration

ip route 10.50.50.2 255.255.255.0 xxx.xxx.xxx.xx

Thus I do make my router to route to switch ips.

MarcioFsantos

For me to route the public ips from the router to the switch by pfsense does use this option?
http://doc.pfsense.org/index.php/Static_Routes

MarcioFsantos

Or I use the option virtual ips?
http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F