Cisco Ip route & public IPs on LAN



  • I've been googling for some time now and the hits I keep getting are for traditional NAT with multiple VIPs doing 1:1 NAT to private IPs.

    My scenario, is a bit different here

    Background:
    We take a single public /30, and route another set of public IPs to it, and set those public IPs on the LAN side. We utilize Centos iptables to handle filtering and routing.

    Because the lower level staff incessantly have trouble with the command line arguments in linux we were looking into solutions that have a web GUI interface…hence why I'm here.

    In anycase, as said before we take a public /30 block, then route another set of public to it. The /30 is assigned to the wan ip of the firewall and the second set of IPs are placed on the LAN. So visually it looks like this:

    ISP-->209.2.2.1(Cisco gateway)-->209.2.2.2/30(firewall wan)--> \ 209.2.10.1/28(LAN gateway)
                                                                                                            |-- \ 209.2.10.2/28(LAN)
                                                                                                            |-- \ 209.2.10.3/28(LAN)

    Any traffic destined for the 209.2.10.x/28 ip space is routed to the wan interface of the firewall at 209.2.2.x/30, from there, the firewall will filter that traffic, then directly forward it to the LAN side where servers are configured with the 209.2.10.x ip space. One of the LAN interfaces on the firewall is configured as a gateway for the ip routed subnet(209.2.10.x/28)

    Does this setup sound familiar to anyone? And can someone point me to documentation for this configuration in pfsense sense? There is not NAT in this scenario it's straight packet forwarding. This way, the servers behind the firewall can be configured with public ip space and still gain benefits of having a firewall protecting them...and eliminates the use of NAT.

    For CentOs the setup is easy

    • assign the firewall a single public ip
    • route a second, larger set of public IPs to the firewalls ip
    • set centos up for packet forwarding
    • assign one of the second set of public IPs as the LAN gateway
    • attached a layer 2 switch to that LAN gateway interface
    • configure servers with the second public ip set and make them use the LAN gateway.

  • Rebel Alliance


Log in to reply