I'm planning to modify my existing pfSense installation, which has one WAN interface on a static public IP and one LAN interface with an RFC 1918 address scheme. I have a 26-bit block of addresses to work with and want to subnet it to provide 3 discrete DMZs. The proposed address scheme is as follows...
WAN interface on xxx.xxx.xxx.66/28; my WAN subnet would be from .65 to .79.
The first DMZ would be .80/28 and the range would be .81-.94 with a broadcast address of .95.
The second DMZ would be .96/28 and the range would be .97-.110 with a broadcast address of .111.
The third DMZ would be .112/28 and the range would be .113-.126 with a broadcast address of .127.
My question is: should I use a 26-bit mask at the WAN interface or a 28-bit mask? My thought is the 28-bit mask, as I can't have 2 interfaces on the same network, but I want to make sure that I'm correct before I make any changes.
- TIA, Toz
GruensFroeschli:
Definitely a /28, or you would, like you said, have 2 interfaces on the same subnet.
Just be sure that your gateway of WAN lies within its /28.
Alternatively you could have /26 on WAN, and your DMZs are in a private IP range.
Then you create a Virtual IP for every server and 1:1 NAT the VIPs to the private IPs.
With the second solution you won't lose the IPs you need for broadcast/net ID and router IPs.
With 3 DMZs that's already 9 IPs.
(ID, broadcast, router per subnet)
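To check the addressing plan from the original post against the points raised in this reply (the WAN gateway must sit inside the WAN /28, no two interface subnets may overlap, and each routed /28 costs three addresses), here is an added example that is not part of the thread or of pfSense. It uses Python's standard ipaddress module and substitutes the RFC 5737 documentation block 203.0.113.64/26 for the poster's "xxx.xxx.xxx" prefix; that block, the interface addresses and the function names are assumptions for illustration.

```python
import ipaddress

# Assumed stand-in for the poster's "xxx.xxx.xxx" /26 (RFC 5737 TEST-NET-3, not a real allocation).
BLOCK = ipaddress.ip_network("203.0.113.64/26")

# The poster's plan: the first /28 is the WAN subnet, the remaining three are DMZs.
ALL_28S = list(BLOCK.subnets(new_prefix=28))
WAN_SUBNET = ALL_28S[0]
DMZ_SUBNETS = ALL_28S[1:]


def describe_subnet(net):
    """Network ID, usable host range and broadcast for one subnet."""
    hosts = list(net.hosts())
    return {
        "network": str(net),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable": len(hosts),
    }


def carve_subnets(block, new_prefix=28):
    """Split a block into equal subnets of the given prefix length and describe each."""
    return [describe_subnet(net) for net in block.subnets(new_prefix=new_prefix)]


def address_overhead(subnets, reserve_router=True):
    """Addresses consumed per subnet by the network ID, the broadcast and (optionally) the router IP."""
    per_subnet = 2 + (1 if reserve_router else 0)
    return per_subnet * len(subnets)


def gateway_in_wan(wan_interface, gateway):
    """True when the upstream gateway lies in the WAN interface's subnet, so it is a directly reachable next hop."""
    iface = ipaddress.ip_interface(wan_interface)
    return ipaddress.ip_address(gateway) in iface.network


def interfaces_overlap(interfaces):
    """Return every pair of interface subnets that overlap; pfSense will not accept two interfaces on one subnet."""
    nets = [ipaddress.ip_interface(i).network for i in interfaces]
    clashes = []
    for a in range(len(nets)):
        for b in range(a + 1, len(nets)):
            if nets[a].overlaps(nets[b]):
                clashes.append((str(nets[a]), str(nets[b])))
    return clashes


if __name__ == "__main__":
    for entry in carve_subnets(BLOCK):
        print(entry)
    print("addresses lost to ID/broadcast/router across 3 DMZs:", address_overhead(DMZ_SUBNETS))
    # Gateway .65 with a /28 on WAN: reachable.
    print("gateway inside WAN /28:", gateway_in_wan("203.0.113.66/28", "203.0.113.65"))
    # The same four interfaces with WAN on /28 versus /26.
    dmz_ifaces = ["203.0.113.81/28", "203.0.113.97/28", "203.0.113.113/28"]
    print("overlaps with WAN /28:", interfaces_overlap(["203.0.113.66/28"] + dmz_ifaces))
    print("overlaps with WAN /26:", interfaces_overlap(["203.0.113.66/26"] + dmz_ifaces))
```

Running it prints the four /28s with the same boundaries the poster worked out by hand (.80/28 usable .81-.94, broadcast .95, and so on), reports 9 addresses of overhead for the three DMZs, confirms that .65 sits inside the WAN /28, and shows that a /26 on WAN would overlap all three DMZ subnets while a /28 overlaps none.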
That's what I thought - thanks for the verification. My gateway is at .65, so it's on the same subnet as the WAN interface. I can't use a 1:1 NAT (like I am now) because I have a mail server running in one of the DMZs and I've had mail rejected because rDNS fails, since the header says the originating IP is 192.168.xxx.xxx.