Netgate Discussion Forum
    Routing my own subnet

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 3 Posters 999 Views
    SteffanCline

      I'm new to this and still tinkering. Is it possible to route my own subnet with pfSense? What I mean is, can pfSense be a router for global IPs? I have a block of IPs that my ISP routes for me. I want to use pfSense as my router and firewall all in one where I can use my global IP range behind the firewall instead of using NAT etc. The idea is that I will have a VM host behind the firewall that will spin up new VMs drawing from a global IP range that will be protected via the firewall. Also, I see that snort is available for this too. I saw on another product where they had a 3rd party module that would adjust the ipfw rules based on the snort logs.

      Any examples of this would be appreciated!!

      timthetortoise

        This should still be relevant for 2.1.

        Missing disable NAT link.

        SteffanCline

          This is great. I'll give it a shot. Is there anything like Guardian for other ipfw that watches the snort logs and adjusts the ipfw rules?

          dreamslacker

            Absolutely. Your ISP will issue you two network address blocks: a single IP for your WAN and the public block.
            All traffic to the public block is forwarded to the WAN IP. How you deal with it is up to you.

            You can use the entire subnet on an interface such as LAN. You can even split it up.
            E.g.
            Your ISP issues you 10.0.0.2/30 for WAN (with gateway 10.0.0.1) and a block of addresses: 20.0.1.16 to 20.0.1.31.
            You then assign 10.0.0.2 as static on WAN with gateway 10.0.0.1.

            Now, you can assign the entire block to LAN, so that LAN is 20.0.1.17. Your clients can then use 20.0.1.18 to 20.0.1.30 as valid addresses with gateway 20.0.1.16.
            Go to Outbound NAT, set it to manual and do not NAT anything except the pfSense internal loopback address to the WAN IP. You then add the firewall rules to permit/block traffic as required.

            Alternatively, you can split the block into 2. You can then attach 20.0.1.16 - 20.0.1.23 as virtual IPs to WAN. These can be used as NAT addresses for other interfaces.

            Assume you have a private LAN as 192.168.1.0/24 for internal use.

            You then assign 20.0.1.25 to, say, the OPT1 interface. Your servers attach to OPT1 and can use 10.0.1.26-10.0.1.30.

            In this case, you need to make sure that Outbound NAT is set to manual mode.
            You NAT the 192.168.1.0/24 network to 20.0.1.16 (or any of the other virtual IPs you've assigned to WAN).
            Do not NAT 20.0.1.24/29 at all. This will ensure that the 20.0.1.24/29 network (your server network) is routed rather than NAT'ed.

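The following is an added example, written for this page and not taken from the reply above or from pfSense itself. It models in Python (using only the standard `ipaddress` module) the addressing plan and the manual Outbound NAT decision that the split-block layout describes: which sources get translated to a WAN virtual IP and which are routed untouched. The figures are constructed from the post's example; it assumes the server subnet on OPT1 is 20.0.1.24/29 with hosts 20.0.1.26 to 20.0.1.30, and the `OUTBOUND_NAT` table, `outbound_translation` and `check_plan` names are this example's own, not pfSense configuration syntax.

```python
"""Model of the 'routed public block, NAT only the private LAN' layout.

Added example, not from the forum post. Assumed (constructed) plan:
  WAN       10.0.0.2/30, gateway 10.0.0.1
  ISP block 20.0.1.16/28, routed by the ISP to the WAN IP
  split     20.0.1.16/29 -> virtual IPs on WAN (NAT addresses)
            20.0.1.24/29 -> OPT1 server subnet, routed, never NATed
  LAN       192.168.1.0/24 private, NATed to virtual IP 20.0.1.16
"""
import ipaddress

WAN_IP = ipaddress.ip_interface("10.0.0.2/30")
WAN_GW = ipaddress.ip_address("10.0.0.1")
ISP_BLOCK = ipaddress.ip_network("20.0.1.16/28")

# Manual outbound NAT table (constructed): source network -> translation address.
# A value of None means "do not NAT": the source keeps its public address and is
# simply routed, which is what the post asks for on the server subnet.
OUTBOUND_NAT = {
    ipaddress.ip_network("127.0.0.0/8"): WAN_IP.ip,                             # pfSense loopback -> WAN IP
    ipaddress.ip_network("192.168.1.0/24"): ipaddress.ip_address("20.0.1.16"),  # private LAN -> WAN virtual IP
    ipaddress.ip_network("20.0.1.24/29"): None,                                 # server subnet: routed
}


def split_block(block, new_prefix):
    """Sub-blocks the ISP block is split into, e.g. one /28 -> two /29s."""
    return list(block.subnets(new_prefix=new_prefix))


def usable_hosts(subnet):
    """Host addresses in a subnet (network and broadcast excluded)."""
    return list(subnet.hosts())


def outbound_translation(src, nat_table=OUTBOUND_NAT):
    """Source address a packet from `src` carries when it leaves WAN.

    The most specific matching table entry wins. No match, or an entry whose
    translation is None, means the packet is routed with its original source.
    """
    src = ipaddress.ip_address(src)
    best = None
    for net, nat_to in nat_table.items():
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nat_to)
    if best is None or best[1] is None:
        return src
    return best[1]


def check_plan(nat_table=OUTBOUND_NAT):
    """Consistency checks on the layout; returns a list of problems (empty = OK)."""
    problems = []
    vip_half, routed_half = split_block(ISP_BLOCK, 29)
    if WAN_GW not in WAN_IP.network:
        problems.append("WAN gateway is not on the WAN subnet")
    for net, nat_to in nat_table.items():
        # Translation addresses must be the WAN IP or a virtual IP in the VIP
        # half, otherwise return traffic for the ISP-routed block never reaches WAN.
        if nat_to is not None and nat_to != WAN_IP.ip and nat_to not in vip_half:
            problems.append(f"NAT address {nat_to} for {net} is not a WAN virtual IP")
        # The routed half must never be given a translation, or the servers
        # lose their public addresses behind NAT.
        if net.subnet_of(routed_half) and nat_to is not None:
            problems.append(f"routed subnet {net} would be NATed to {nat_to}")
    return problems


if __name__ == "__main__":
    print("split:", split_block(ISP_BLOCK, 29))
    print("server hosts:", [str(h) for h in usable_hosts(ipaddress.ip_network("20.0.1.24/29"))])
    for s in ("192.168.1.50", "20.0.1.27", "127.0.0.1"):
        print(f"{s} leaves WAN as {outbound_translation(s)}")
    print("plan problems:", check_plan())
```

Running it shows the two /29 halves, the six usable server addresses, the private LAN client leaving as 20.0.1.16 while a server keeps 20.0.1.27, and an empty problem list; feeding `check_plan` a table that translates 20.0.1.24/29 reproduces the misconfiguration the post warns about.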
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.