Routing my own subnet



  • I'm new to this and still tinkering. Is it possible to route my own subnet with pfSense? What I mean is, can pfSense be a router for global IPs? I have a block of IPs that my ISP routes for me. I want to use pfSense as my router and firewall all in one where I can use my global IP range behind the firewall instead of using NAT etc. The idea is that I will have a VM host behind the firewall that will spin up new VMs drawing from a global IP range that will be protected via the firewall. Also, I see that snort is available for this too. I saw on another product where they had a 3rd party module that would adjust the ipfw rules based on the snort logs.

    Any examples of this would be appreciated!!





  • This is great. I'll give it a shot. Is there anything like Guardian for other ipfw that watches the snort logs and adjusts the ipfw rules?



  • Absolutely. Your ISP will issue you two network address blocks: a single IP for your 'wan' and the public block.
    All traffic to the public block is forwarded to the WAN IP. How you deal with it is up to you.

    You can use the entire subnet on an interface such as lan. You can even split it up.
    E.g.
    Your ISP issues you 10.0.0.2/30 for wan (with gateway 10.0.0.1) and a block of addresses: 20.0.1.16 to 20.0.1.31.
    You then assign 10.0.0.2 as static on wan with gateway 10.0.0.1.

    Now, you can assign the entire block to lan, so that lan is 20.0.1.17. Your clients can then use 20.0.1.18 to 20.0.1.30 as valid addresses with gateway as 20.0.1.16.
    Go to outbound NAT, set it to manual and do not NAT anything except the pfSense internal loopback address to the WAN IP. You then add the firewall rules to permit/block traffic as required.

    Alternatively, you can split the block into 2. You can then attach 20.0.1.16 - 20.0.1.23 as virtual IPs to wan. These can be used as NAT addresses for other interfaces.

    Assuming you have a private LAN as 192.168.1.0/24 for internal use.

    You then assign 20.0.1.25 to say, opt1 interface. Your servers attach to Opt1 and can use 10.0.1.26-10.0.1.30.

    In this case, you need to make sure that outbound NAT is set to manual mode.
    You NAT the 192.168.1.0/24 network to 20.0.1.16 (or any of the other virtual IPs you've assigned to WAN).
    Do not NAT 20.0.1.24/29 at all. This will ensure that the 20.0.1.24/29 network (your server network) is routed rather than NAT'ed.
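
The split layout from the answer above, worked through as an added example (not part of the original post and not pfSense code): it derives the two halves of the public block and models which sources a manual outbound NAT plan translates and which it routes. The function names and the `unmatched` label are assumptions made for the illustration.

```python
import ipaddress

# Addresses are the illustrative values used in the answer above.
PUBLIC_BLOCK = ipaddress.ip_network("20.0.1.16/28")   # 20.0.1.16 to 20.0.1.31
PRIVATE_LAN = ipaddress.ip_network("192.168.1.0/24")  # internal, NATed network


def split_block(block):
    """Split the public block in two: WAN virtual IPs and a routed server subnet."""
    vip_half, routed_half = block.subnets(prefixlen_diff=1)
    hosts = list(routed_half.hosts())  # excludes network and broadcast addresses
    return {
        "wan_vips": list(vip_half),    # bound to WAN one address at a time
        "routed_net": routed_half,     # attached to opt1, never NATed
        "opt1_addr": hosts[0],         # firewall's own address on opt1
        "server_addrs": hosts[1:],     # addresses left for servers
    }


def outbound_action(src, plan, nat_addr):
    """Model the manual outbound NAT decision for a packet leaving via WAN."""
    src = ipaddress.ip_address(src)
    nat_addr = ipaddress.ip_address(nat_addr)
    if nat_addr not in plan["wan_vips"]:
        raise ValueError(f"{nat_addr} is not a virtual IP on WAN")
    if src in plan["routed_net"]:
        return ("route", src)          # source address preserved
    if src in PRIVATE_LAN:
        return ("nat", nat_addr)       # translated to the chosen virtual IP
    return ("unmatched", None)         # no rule in this plan covers the source


if __name__ == "__main__":
    plan = split_block(PUBLIC_BLOCK)
    print("WAN virtual IPs:", plan["wan_vips"][0], "-", plan["wan_vips"][-1])
    print("Routed subnet:  ", plan["routed_net"])
    print("opt1 address:   ", plan["opt1_addr"])
    print("Server range:   ", plan["server_addrs"][0], "-", plan["server_addrs"][-1])
    # Constructed sample sources: a server, an internal client, an unplanned host.
    for source in ("20.0.1.26", "192.168.1.50", "172.16.0.5"):
        print(source, "->", outbound_action(source, plan, "20.0.1.16"))
```

A source reported as `unmatched` has no outbound NAT rule in this plan, so it is worth checking that the firewall rules do not let it leave WAN untranslated.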

