PfSense in front of two VLANs, one public, one private



  • (I'm posting this in the "NAT" forum, though I'm not entirely sure that's appropriate…  absolutely no offense taken if mods want to move this)

    We have a cabinet in a datacenter where we have a /27 IP allocation and several boxes that need to be accessible via their currently-assigned public IP.  We also have a handful of boxes that do not necessarily need public IPs.  For various reasons I'm trying to move everything behind our newly-installed pfSense box.

    So far, I've successfully set up a VLAN that I'm happy with for the private IPs, with access to each other, the internet, etc.

    However, I'm struggling with providing "pass-through" (plus pfSense firewall filtering goodness) access to the block of public machines.  I've tried various combinations of IP aliases, 1:1 NAT mapping, etc. but I could never get to the point where I could access the internet (or even ping the gateway) from a machine with a statically-assigned public IP behind the pfSense box.

    There's an awful lot of apparently old/outdated info out there from my various forum/Google searches...  can someone let me know what my approach should be here?

    I'm looking for the "right" solution, so if that means picking up another box or sprouting another physical interface, please do let me know that as well!

    Thanks in advance!


  • LAYER 8 Netgate

    Can the datacenter provider assign a /30 for your WAN interface and route the /27 to it?  That'd be a lot cleaner.

    Otherwise: from the pfSense book (I hope it's okay to cut and paste small excerpts):

    Single IP subnet
    With a single public IP subnet, one of the public IPs will be on the upstream router, commonly belonging to your ISP, with one of the IPs assigned as the WAN IP on pfSense. The remaining IPs can be used with either NAT, bridging or a combination of the two. To use them with NAT, add Proxy ARP, IP alias or CARP Virtual IPs. To assign public IPs directly to hosts behind your firewall, you will need a dedicated interface for those hosts that is bridged to WAN. When used with bridging, the hosts with the public IPs directly assigned must use the same default gateway as the WAN of the firewall, the upstream ISP router. This will create difficulties if the hosts with public IPs need to initiate connections to hosts behind other interfaces of your firewall, since the ISP gateway will not route traffic for your internal subnets back to your firewall.

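The routing caveat in the book excerpt above, modelled as an added example (not code from the post, pfSense or the pfSense book): a tiny longest-prefix-match forwarding simulation over constructed sample addresses from the 203.0.113.0/24 documentation range, comparing the bridged single-subnet layout with the routed /30 + /27 layout the reply recommends. Node names and the 10.0.20.0/24 private VLAN are assumptions.

```python
import ipaddress

def next_hop(node, dst):
    """Longest-prefix match over the node's off-link routes."""
    best = None
    for prefix, via in node["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None

def trace(topo, start, dst_ip, max_hops=8):
    """Forward a packet hop by hop. A node delivers when dst lies on one of
    its connected prefixes; a missing route or the 'internet' sink drops it.
    Returns the visited nodes followed by 'DELIVERED' or 'DROPPED'."""
    dst, node, path = ipaddress.ip_address(dst_ip), start, []
    while node in topo and len(path) < max_hops:
        path.append(node)
        if any(dst in ipaddress.ip_network(p) for p in topo[node]["connected"]):
            return path + ["DELIVERED"]
        node = next_hop(topo[node], dst)
    return path + ["DROPPED"]

# Constructed sample prefixes: public /27, private VLAN, and the /30 WAN link.
PUBLIC, PRIVATE, LINK = "203.0.113.0/27", "10.0.20.0/24", "203.0.113.252/30"
DEFAULT = "0.0.0.0/0"

# Bridged layout (single subnet): the public host's default gateway is the
# ISP router, which has no route to the private VLAN behind pfSense.
BRIDGED = {
    "pubhost":  {"connected": [PUBLIC], "routes": [(DEFAULT, "isp")]},
    "isp":      {"connected": [PUBLIC], "routes": [(DEFAULT, "internet")]},
    "pfsense":  {"connected": [PUBLIC, PRIVATE], "routes": [(DEFAULT, "isp")]},
    "privhost": {"connected": [PRIVATE], "routes": [(DEFAULT, "pfsense")]},
}

# Routed layout: /30 on WAN, the /27 routed to pfSense, whose inside address
# is the public hosts' gateway, so both directions cross the firewall.
ROUTED = {
    "pubhost":  {"connected": [PUBLIC], "routes": [(DEFAULT, "pfsense")]},
    "isp":      {"connected": [LINK], "routes": [(PUBLIC, "pfsense"), (DEFAULT, "internet")]},
    "pfsense":  {"connected": [LINK, PUBLIC, PRIVATE], "routes": [(DEFAULT, "isp")]},
    "privhost": {"connected": [PRIVATE], "routes": [(DEFAULT, "pfsense")]},
}

def symmetric(topo, a_node, a_ip, b_node, b_ip):
    """True when a->b and b->a both deliver and both pass through pfsense."""
    paths = (trace(topo, a_node, b_ip), trace(topo, b_node, a_ip))
    return all(p[-1] == "DELIVERED" and "pfsense" in p for p in paths)
```

In the bridged layout a private host can reach a public host through pfSense, but the public host's reply leaves via the ISP router and is dropped there, which is the asymmetry the excerpt warns about; in the routed layout both directions traverse the firewall.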
