Basic Question - Gateway of ISP and pfsense on same subnet
-
Hi,
I have purchased a /27 Network (x.x.x.128/27) for my V-Server.
My ISP told me that I should use the .129 as default gateway (which is inside the same subnet).
I would give my pfSense the .130 IP.
But all my Clients should be behind the pfSense - before, I got a Transfer IP and created the network on the pfSense, giving the Clients the pfSense as default gateway, forcing all the clients through the Firewall. I don't want my ISP to be able to get into my Network - how can I lock the .129 IP out but force my Clients through the pfSense? Do I tell the Clients that the pfSense is the default gateway? Will the pfSense let me create 2 "Adapters" with the same "network"?
Thank you for your help
-
Are they routing the /27 to another IP address you already have or is that your WAN network?
-
The /27 is my WAN-Network.
I thought of giving the pfSense all IPs from the /27 Network and then creating a "private" LAN (like 10.10.10.0/24) and performing NAT for the Servers.
This way I can open only the Ports I need from my management IPs, "locking" the ISP out, right? I just don't want the ISP to be able to bruteforce my ILO-Module (I know this is paranoia but I just don't want it even to be possible)
-
You'd have a lot more flexibility if they'd give you a /30 and then route the /27 to your address on that.
-
> The /27 is my WAN-Network.
> I thought of giving the pfSense all IPs from the /27 Network and then creating a "private" LAN (like 10.10.10.0/24) and performing NAT for the Servers.
> This way I can open only the Ports I need from my management IPs, "locking" the ISP out, right? I just don't want the ISP to be able to bruteforce my ILO-Module (I know this is paranoia but I just don't want it even to be possible)

Your pfSense can dictate what connections are allowed into your network regardless of the IP scheme of your WAN network.
If you have a /27 and create VIPs on your WAN for all those addresses, only connections to local pfSense WAN addresses that are explicitly allowed by your firewall rules will be passed by pfSense.
If you put IPMI on your WAN and it listens, bypassing your firewall, then that's not something pfSense can control.
-
I asked them if I could get a "Transfer" space - but they said that this is not possible…
I thought of this:
              WAN / Internet
                    :
                    :
              .-----+-----.
              |  Gateway  |
              '-----+-----'
                    |
                    | (89.163.211.129/27)
                    |
                    |
                    |
                    |
                    |
                    |
                WAN | IP or Protocol
                    | (89.163.211.130/27)     --> the sense
                    | (89.163.211.131-158/27) --> the VIP-Addresses
                    |
              .-----+-----.  priv. DMZ                          priv. DMZ  .------------.
              |  pfSense  +------------------------------------------------+ DMZ-Server |
              '-----+-----'  172.16.16.1/24             172.16.16.2-254/24 '------------'

This way I can control what enters my DMZ-Servers and what shall not pass.
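Added example, not from the thread or from pfSense: a small Python check of the addressing plan drawn above (gateway .129 inside the /27, pfSense at .130, the rest as WAN VIPs, 1:1 NAT into 172.16.16.0/24) plus a default-deny rule evaluator showing that only explicitly allowed sources reach a VIP. The management address 203.0.113.10 and the single HTTPS rule are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed addressing plan, following the diagram in the thread.
WAN_NET = ipaddress.ip_network("89.163.211.128/27")
ISP_GATEWAY = ipaddress.ip_address("89.163.211.129")   # ISP gateway, same subnet
PFSENSE_WAN = ipaddress.ip_address("89.163.211.130")   # pfSense WAN address
DMZ_NET = ipaddress.ip_network("172.16.16.0/24")       # private DMZ behind NAT

class Rule(NamedTuple):
    src: ipaddress.IPv4Network    # allowed source network
    dst: ipaddress.IPv4Address    # WAN address / VIP the connection targets
    port: int

def validate_plan(net, gateway, wan_ip):
    """Sanity checks for the 'gateway inside the same subnet' layout."""
    problems = []
    if gateway not in net:
        problems.append("gateway is outside the WAN subnet")
    if wan_ip not in net or wan_ip == gateway:
        problems.append("pfSense WAN address must be in the subnet and differ from the gateway")
    if wan_ip in (net.network_address, net.broadcast_address):
        problems.append("pfSense WAN address cannot be the network or broadcast address")
    return problems

def vip_candidates(net, gateway, wan_ip):
    """Addresses left for WAN VIPs: all hosts except the gateway and pfSense itself."""
    return [a for a in net.hosts() if a not in (gateway, wan_ip)]

def one_to_one_nat(vips, dmz_net):
    """Map each VIP to a DMZ host starting at .2 (.1 is pfSense's DMZ address)."""
    dmz_hosts = list(dmz_net.hosts())[1:]      # skip 172.16.16.1
    return dict(zip(vips, dmz_hosts))

def wan_allows(rules, src, dst, port):
    """Default deny on WAN: a connection passes only if a rule explicitly matches."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    return any(src in r.src and dst == r.dst and port == r.port for r in rules)

# Constructed rule set (assumption): only the admin's management IP may reach
# HTTPS on the first VIP; the ISP gateway .129 matches nothing and is dropped.
MGMT_NET = ipaddress.ip_network("203.0.113.10/32")
RULES = [Rule(MGMT_NET, ipaddress.ip_address("89.163.211.131"), 443)]
```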