Netgate Discussion Forum

    Firewall and ISP addressing config: is it possible and recommended?

      tbaror

      Hello all,

      I have just moved to a new ISP and need to have a 24-bit address space.
      The ISP proposed that the internal LAN and the external FW leg will be in the same address space, when I used to have a completely different IP for the external FW leg.
      My question: how will pfSense behave in such a config? Will it not have issues imposing ACL rules, and is such a config recommended at all?
      Attached to this mail are before and after diagrams.
      Please advise.

      Thanks

      BEFORE_IP_ISP.png
      new_config_ISP.png

        timthetortoise

        Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router to internet link will have a /30 address, but that all depends on your ISP's modem configuration.

          tbaror

          @timthetortoise:

          Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router to internet link will have a /30 address, but that all depends on your ISP's modem configuration.

          Yes, we are given a full 24-bit network in which all IPs are valid (we need it), but what I am worried about and arguing over is that my ISP is forcing me to have the inside LAN and the external FW leg in the same IP subnet range, as posted in the attached diagram. That is my doubt: how does pfSense enforce such a config, and is it something that is accepted?

          LAN 108.x.x.x/24 > 108.x.x.1 (internal leg) FW pfSense (external leg) 108.x.x.2 > ISP router (not in our building) > Internet

            nothing

            That's a dangerous proxyarp game :)

              timthetortoise

              @tbaror:

              @timthetortoise:

              Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router to internet link will have a /30 address, but that all depends on your ISP's modem configuration.

              Yes, we are given a full 24-bit network in which all IPs are valid (we need it), but what I am worried about and arguing over is that my ISP is forcing me to have the inside LAN and the external FW leg in the same IP subnet range, as posted in the attached diagram. That is my doubt: how does pfSense enforce such a config, and is it something that is accepted?

              LAN 108.x.x.x/24 > 108.x.x.1 (internal leg) FW pfSense (external leg) 108.x.x.2 > ISP router (not in our building) > Internet

              You don't need to have your internal network on the same range. 1:1 NAT will work fine for your scenario, and I would highly recommend not doing what the ISP is recommending (I assume it's only a recommendation, and not a requirement from them). There is no reason to have your internal network on your public address space.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.