Firewall and ISP addressing config: is it possible and recommended?



  • Hello All,

    I have just moved to a new ISP and need to have a 24-bit address space.
    The ISP proposed that the internal LAN and the external FW leg will be in the same address space, whereas I used to have a completely different IP for the external FW leg.
    My question: how will pfSense behave in such a config, will it have issues imposing ACL rules, and is such a config recommended at all?
    Attached to this mail are before and after diagrams.
    Please advise.

    Thanks


  • Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router-to-internet link will have a /30 address, but that all depends on your ISP's modem configuration.



  • @timthetortoise:

    Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router-to-internet link will have a /30 address, but that all depends on your ISP's modem configuration.

    Yes, we were given a full 24-bit network in which all IPs are valid (we need it), but what I am worried about and arguing is that my ISP is forcing me to have the inside LAN and the external FW leg in the same IP subnet range, as posted in the attached diagram. That is my doubt: how does pfSense enforce such a config, and is it something that is accepted?

    LAN 108.X.X.X/24 > 108.x.x.1 (internal leg) FW pfSense (external leg) 108.x.x.2 > ISP router (not in our building) > Internet



  • That's a dangerous proxy ARP game :)



  • @tbaror:

    @timthetortoise:

    Were you given a /24 block from your ISP? If not, your internal network should be in a private address space (192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12). Generally your router-to-internet link will have a /30 address, but that all depends on your ISP's modem configuration.

    Yes, we were given a full 24-bit network in which all IPs are valid (we need it), but what I am worried about and arguing is that my ISP is forcing me to have the inside LAN and the external FW leg in the same IP subnet range, as posted in the attached diagram. That is my doubt: how does pfSense enforce such a config, and is it something that is accepted?

    LAN 108.X.X.X/24 > 108.x.x.1 (internal leg) FW pfSense (external leg) 108.x.x.2 > ISP router (not in our building) > Internet

    You don't need to have your internal network on the same range. 1:1 NAT will work fine for your scenario, and I would highly recommend not doing what the ISP is recommending (I assume it's only a recommendation, and not a requirement from them). There is no reason to have your internal network on your public address space.
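    The two layouts discussed in this thread, as an added example that is not part of any post above: a short Python check that flags the ISP's proposal (both firewall legs in the same /24, which forces proxy ARP instead of routing) and shows the recommended alternative (a /30 WAN link, an RFC 1918 LAN, and a 1:1 mapping of the public /24 onto it). The addresses are constructed: 203.0.113.0/24 stands in for the poster's 108.x.x.x/24, 198.51.100.0/30 is a hypothetical ISP point-to-point link, and the pf `binat` line is illustrative pf.conf syntax, not the rule pfSense itself generates.

    ```python
    from ipaddress import ip_interface, ip_network
    from itertools import combinations

    # Constructed addressing plans (placeholders, not the poster's real addresses).
    ISP_PROPOSAL = {"LAN": "203.0.113.1/24", "WAN": "203.0.113.2/24"}
    RECOMMENDED = {"LAN": "10.0.0.1/24", "WAN": "198.51.100.2/30"}


    def overlapping_legs(plan):
        """Return interface-name pairs whose subnets overlap.

        pfSense routes between its interfaces; two legs in the same subnet
        leave it no distinct next hop per side, so it would have to proxy-ARP
        for every public host (the 'proxy ARP game' mentioned in the thread).
        """
        nets = {name: ip_interface(cidr).network for name, cidr in plan.items()}
        return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


    def one_to_one_map(public_block, private_block):
        """Pair each public host with a private host for 1:1 NAT.

        Both blocks must be the same size so every public address has exactly
        one internal counterpart.
        """
        pub, priv = ip_network(public_block), ip_network(private_block)
        if pub.prefixlen != priv.prefixlen:
            raise ValueError("1:1 NAT needs equally sized public and private blocks")
        return {str(p): str(q) for p, q in zip(pub.hosts(), priv.hosts())}


    def pf_binat_rule(wan_if, public_block, private_block):
        """Render the block mapping as a pf 'binat' rule (illustrative pf.conf syntax)."""
        return f"binat on {wan_if} from {private_block} to any -> {public_block}"


    if __name__ == "__main__":
        print("ISP proposal overlaps:", overlapping_legs(ISP_PROPOSAL))   # [('LAN', 'WAN')]
        print("Recommended overlaps:", overlapping_legs(RECOMMENDED))     # []
        mapping = one_to_one_map("203.0.113.0/24", "10.0.0.0/24")
        print("203.0.113.10 ->", mapping["203.0.113.10"])                 # 10.0.0.10
        print(pf_binat_rule("em0", "203.0.113.0/24", "10.0.0.0/24"))
    ```

    With the recommended plan the ISP routes the whole public /24 to the firewall's /30 address, and the firewall keeps a normal routed topology with the public block mapped 1:1 onto the private LAN.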

