Netgate Discussion Forum
    IP Subnetting

    Category: Firewalling
    3 Posts 2 Posters 2.6k Views
    Toz

      I'm planning to modify my existing pfSense installation, which has one WAN interface on a static public IP and one LAN interface online with an RFC 1918 address scheme. I have a 26-bit block of addresses to work with and want to subnet to provide 3 discrete DMZs. The proposed address scheme is as follows…

      With the WAN interface on xxx.xxx.xxx.66/28, my WAN subnet would be from .65 to .79.
      The first DMZ would be .80/28 and the range would be .81-.94 with a broadcast address of .95.
      The second DMZ would be .96/28 and the range would be .97-.110 with a broadcast address of .111.
      The third DMZ would be .112/28 and the range would be .113-.126 with a broadcast address of .127.

      My question is: should I use a 26-bit mask at the WAN interface or a 28-bit mask? My thought is the 28-bit mask, as I can't have 2 interfaces on the same network, but I want to make sure that I'm correct before I make any changes.

      TIA, Toz

    GruensFroeschli

        Definitely a /28, or you would, like you said, have 2 interfaces on the same subnet.
        Just be sure that your gateway of WAN lies within its /28.

        Alternatively you could have /26 on WAN, and your DMZs are in a private IP range.
        Then you create a Virtual IP for every server and 1:1 NAT the VIPs to the private IPs.

        With the second solution you won't lose the IPs you need for broadcast/net ID and router IPs.
        With 3 DMZs that's already 9 IPs.
        (id, broadcast, router per subnet)

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    Toz
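A way to check the carve-up from the first post and the two conditions raised in the reply (the ISP gateway must sit inside the WAN /28, and no two interfaces may share a subnet), as an added example that is not from the thread or from pfSense itself. It uses Python's standard ipaddress module; the block 203.0.113.64/26 is a constructed RFC 5737 documentation range standing in for the masked xxx.xxx.xxx addresses, with .66 as the WAN host and .65 as the ISP gateway, as in the post.

```python
"""Sanity-check the /26 -> 4 x /28 carve-up discussed in the thread.

Constructed values (not from the post): the public /26 is 203.0.113.64/26,
the firewall's WAN address is .66 and the ISP gateway is .65.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations


def carve(block: str, new_prefix: int = 28) -> list[dict]:
    """Split `block` into equal subnets and report what each one gives you."""
    net = ipaddress.ip_network(block, strict=True)  # strict: host bits must be zero
    rows = []
    for sub in net.subnets(new_prefix=new_prefix):
        hosts = list(sub.hosts())  # excludes network id and broadcast
        rows.append({
            "network": str(sub),
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "broadcast": str(sub.broadcast_address),
            "usable": len(hosts),
        })
    return rows


def overlapping_interfaces(interfaces: dict[str, str]) -> list[tuple[str, str]]:
    """Return every pair of interfaces whose subnets overlap.

    A /26 on WAN next to /28 DMZs carved from that same /26 is exactly the
    "two interfaces on one network" situation the thread warns about.
    """
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def gateway_reachable(wan: str, gateway: str) -> bool:
    """True if the upstream gateway lies inside the WAN interface's own subnet."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(wan).network


def reserved_addresses(dmz_count: int) -> int:
    """Network id, broadcast and firewall/router address lost per routed DMZ."""
    return 3 * dmz_count


if __name__ == "__main__":
    for row in carve("203.0.113.64/26"):
        print(row)
    routed = {
        "WAN": "203.0.113.66/28",
        "DMZ1": "203.0.113.81/28",
        "DMZ2": "203.0.113.97/28",
        "DMZ3": "203.0.113.113/28",
    }
    print("overlaps with /28 on WAN:", overlapping_interfaces(routed))
    print("overlaps with /26 on WAN:",
          overlapping_interfaces({**routed, "WAN": "203.0.113.66/26"}))
    print("gateway .65 reachable from WAN /28:",
          gateway_reachable(routed["WAN"], "203.0.113.65"))
    print("addresses lost to 3 routed DMZs:", reserved_addresses(3))
```

Running it prints the four /28s with their usable ranges and broadcasts (matching .81-.94/.95, .97-.110/.111 and .113-.126/.127 from the post), reports no overlap with a /28 on WAN but an overlap against every DMZ with a /26 there, confirms the .65 gateway is inside the WAN /28, and arrives at the 9 reserved addresses mentioned in the reply.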

          That's what I thought - thanks for the verification. My gateway is at .65, so it's on the same subnet as the WAN interface. I can't use a 1:1 NAT (like I am now) because I have a mail server running in one of the DMZs and I've had mail rejected because RDNS fails, since the header says the originating IP is 192.168.xxx.xxx.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.