Routing my own subnet

  • I'm new to this and still tinkering. Is it possible to route my own subnet with pfSense? What I mean is, can pfSense be a router for global IPs? I have a block of IPs that my ISP routes for me. I want to use pfSense as my router and firewall all in one where I can use my global IP range behind the firewall instead of using NAT etc. The idea is that I will have a VM host behind the firewall that will spin up new VMs drawing from a global IP range that will be protected via the firewall. Also, I see that snort is available for this too. I saw on another product where they had a 3rd party module that would adjust the ipfw rules based on the snort logs.

    Any examples of this would be appreciated!!

  • This is great. I'll give it a shot. Is there anything like Guardian for other ipfw that watches the snort logs and adjusts the ipfw rules?

  • Absolutely. Your ISP will issue you two network address blocks: a single IP for your WAN and the public block.
    All traffic to the public block is forwarded to the WAN IP. How you deal with it is up to you.

    You can use the entire subnet on an interface such as LAN. You can even split it up.
    Your ISP issues you a /30 for WAN (with gateway and a block of addresses: to
    You then assign as static on WAN with gateway

    Now, you can assign the entire block to LAN. So that LAN is Your clients can then use to as valid addresses with gateway as
    Go to Outbound NAT, set it to manual and do not NAT anything except the pfSense internal loopback address to the WAN IP. You then add the firewall rules to permit/block traffic as required.

    Alternatively, you can split the block into 2. You can then attach - as virtual IPs to WAN. These can be used as NAT addresses for other interfaces.

    Assuming you have a private LAN as a /24 for internal use.

    You then assign to, say, the OPT1 interface. Your servers attach to OPT1 and can use

    In this case, you need to make sure that Outbound NAT is set to manual mode.
    You NAT the /24 network to (or any of the other virtual IPs you've assigned to WAN).
    Do not NAT the /29 at all. This will ensure that the /29 network (your server network) is routed rather than NAT'ed.
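The split layout from the answer above, written out as a pf.conf fragment. This is an added example, not text from the thread or from the pfSense project; pfSense builds its own pf ruleset from the GUI (Firewall > NAT > Outbound in manual mode, Firewall > Virtual IPs, Firewall > Rules), so this is what those settings amount to, not something you paste into the box. All addresses are constructed RFC 5737 documentation ranges: a /30 ISP link, a routed /28 split into a /29 of virtual IPs on WAN and a /29 on OPT1, and a private /24 on LAN.

```pf
# Added example: pf translation and filter rules equivalent to the
# "split the block" layout. Interface names and addresses are constructed.
#
# ISP link:        198.51.100.0/30  WAN = .2, ISP gateway = .1
# Routed block:    203.0.113.0/28   ISP forwards it to 198.51.100.2
#   first half:    203.0.113.0/29   virtual IPs on WAN, used as NAT addresses
#   second half:   203.0.113.8/29   OPT1 network, routed, never NATed
#                                   (firewall holds .9, servers use it as gateway)
# Private LAN:     10.0.0.0/24      NATed to one of the WAN virtual IPs

wan        = "em0"
lan        = "em1"
opt1       = "em2"
wan_ip     = "198.51.100.2"
lan_net    = "10.0.0.0/24"
server_net = "203.0.113.8/29"
lan_natip  = "203.0.113.1"   # a Virtual IP on WAN; type "Other" is enough,
                             # because the ISP already routes the block to WAN

# ---- Translation (outbound NAT, manual mode) ----------------------------
# pf applies the first matching translation rule, so the exemption for the
# server network comes first. This is the "do not NAT the /29" step: packets
# from 203.0.113.8/29 leave with their real public source address.
no nat on $wan from $server_net to any

# Only the firewall's own loopback traffic is translated to the WAN address.
nat on $wan from 127.0.0.0/8 to any -> $wan_ip

# The private LAN is translated to a public virtual IP, not to the WAN IP.
nat on $wan from $lan_net to any -> $lan_natip

# ---- Filtering -----------------------------------------------------------
# Default deny and log; pf keeps state on "pass" rules, so replies to any
# permitted connection are allowed automatically.
block log all

# pfSense adds equivalent outbound-direction rules on every interface;
# the interesting policy lives on the inbound side below.
pass out all

# Because the server network is routed, the Internet reaches it directly
# through WAN. Publish only the services the servers actually expose.
pass in on $wan proto tcp from any to $server_net port { 80 443 }

# Servers may initiate connections outward.
pass in on $opt1 from $server_net to any

# Private clients reach the Internet through the NAT rule above.
pass in on $lan from $lan_net to any
```

The point worth checking after applying the equivalent GUI settings is the state table: a connection from a server on OPT1 should show its 203.0.113.x address unchanged on the WAN side, while a LAN client's connection shows 10.0.0.x translated to 203.0.113.1. If a server's traffic appears with the WAN address instead, outbound NAT is still in automatic mode or the exemption rule sits below a matching NAT rule.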
