Netgate Discussion Forum
    VLAN without NAT

    Firewalling · 9 Posts, 3 Posters, 1.7k Views
    • timmerdanny

      At my company we manage internet facilities for shared business buildings. The business building has several units for hire and all are patched to one central place. Most of the business units are already hired and supplied with an internet connection by us.

      Our current infrastructure is built up of a Fibre WAN ISP, Cisco 3400, pfSense C2758 and an HP ProCurve 48-port switch. The Cisco 3400 is connected to the Fibre WAN, the pfSense is connected to one of the Cisco 3400 ports and the HP switch is connected to the pfSense C2758. Unmanaged customers are connected to one of the Cisco 3400 ports. The Cisco 3400 switch does traffic shaping for unmanaged customers. On the Cisco 3400 switch we assign an external IP address to one of the ports; a customer uses our given/configured IP/subnet/gateway address in his own router.

      Managed internet customers are connected to the pfSense box. All managed customers use the same external IP address. DHCP/firewalling is of course done by the pfSense box.

      We want to upgrade our current ISP contract to a 300 Mbit/s connection (currently 100 Mbit/s). The problem is that the Cisco 3400 can't handle traffic over 100 Mbit/s. The pfSense box does have gigabit ports and can handle the traffic from the ISP. We want to remove the Cisco 3400 and connect the pfSense box directly to the ISP. For the unmanaged customers we want to place a 24-port switch connected to the pfSense box. Question is, how do we set up a VLAN for the new switch with an unmanaged connection (NO NAT)?

      Our ISP has given us the exact external IP addresses: three different ranges of IP addresses.

      See the attachments for our current and new network design.

      [Attachments: current.jpg, new.jpg]

      • jahonix

        You should give details about what you get from your ISP and how you want to distribute it. This is a bit vague and leaves much room for speculation.

        • timmerdanny

          Thanks for your reply!

          From our ISP we currently have an Internet cable connected into the Cisco 3400.
          From the ISP we got three different ranges of external IP addresses. When I connect the ISP cable to my computer and enter an external address manually in my NIC, I have an internet connection.

          We already have 20 VLANs set up for managed customers. We want to create new VLANs on the pfSense box for the current unmanaged customers connected to the Cisco 3400. Every new VLAN must have a different external IP address.

          Sorry for my English :L

          • jahonix

            Nice description.
            And what's not working?

            • jahonix

              Maybe this will help you: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
              Unless you tell us what you already did and what is not working it is impossible to give advice.

              • timmerdanny

                I want to create a Virtual IP address 80.234.20.6, allow all incoming traffic and no NAT, only route directly to WAN. I have tried it with an IP alias but that is still NAT, isn't it?

                • KOM

                  VIP is more like ARP spoofing. Your interface announces that it is several different IP addresses. Typically you would use a VIP in conjunction with a port forward to allow external users to access internal resources via different IP addresses. I do this here. I have only one WAN and a /28 block. I use virtual IPs to give a unique IP address to my mail server, web server, FTP server, demo systems, DNS, etc. etc.

                  • timmerdanny

                    @KOM:

                    VIP is more like ARP spoofing. Your interface announces that it is several different IP addresses. Typically you would use a VIP in conjunction with a port forward to allow external users to access internal resources via different IP addresses. I do this here. I have only one WAN and a /28 block. I use virtual IPs to give a unique IP address to my mail server, web server, FTP server, demo systems, DNS, etc. etc.

                    Hi, thanks for your reply. I understand that process, but isn't it possible to just route, so I can configure the external address on my server? (So pfSense is acting like a switch for that interface?)

                    • timmerdanny

                      Okay, found it! I have created an interface bridge between WAN & LAN. I have configured an external IP on my machine and it is working :D

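The thread contrasts three ways to hand a public address to a customer behind pfSense: a Virtual IP with a port forward (KOM's post), an untranslated routed subnet (what the original poster asked for), and a WAN/LAN bridge (what he ended up with). The pf ruleset below is an added example, not the thread's or pfSense's own configuration; pfSense generates its rules from the GUI, and this only spells out the equivalent logic for the routed, no-NAT variant next to the NATed managed VLAN. Interface names, VLAN tags and address blocks are constructed placeholders (RFC 5737 documentation ranges stand in for the ISP's blocks).

```pf
# Added example ruleset: routed public block on one VLAN, NAT on another.
# All names and addresses below are constructed placeholders.
wan       = "igb0"
managed   = "igb1.10"      # VLAN 10: managed customers, private space, NATed
unmanaged = "igb1.20"      # VLAN 20: unmanaged customers, routed public block

managed_net  = "10.10.0.0/24"
public_block = "203.0.113.64/28"   # stand-in for a block the ISP routes to wan_ip
wan_ip       = "198.51.100.2"

# Translation rules: first match wins, so the exemption comes first.
# Unmanaged VLAN: the public addresses are routed, never translated.
no nat on $wan inet from $public_block to any
# Managed VLANs: hide everything behind the single WAN address (existing setup).
nat on $wan inet from $managed_net to any -> $wan_ip

# Default deny, then explicit permits.
block log all

pass out quick on $wan inet from { $managed_net, $public_block } to any keep state

# Inbound to the routed block is still filtered: "no NAT" does not have to
# mean "no firewall". Open only what the tenant actually serves.
pass in quick on $wan inet proto tcp from any to $public_block port { 80 443 } keep state

# Tenant VLANs may reach the Internet but not each other through the firewall.
block in quick on $unmanaged inet from any to $managed_net
block in quick on $managed   inet from any to $public_block
pass  in quick on $unmanaged inet from $public_block to any keep state
pass  in quick on $managed   inet from $managed_net  to any keep state
```

Two caveats decide which variant applies. The routed variant only works if the ISP actually routes the second block to the WAN address; when the extra ranges are instead live on the WAN segment itself (the poster could use one by plugging a PC straight into the ISP cable), pfSense has to answer ARP for them, which is what a Proxy ARP type Virtual IP does, or the addresses have to be bridged through as the poster did. With a bridge, the customer host sits on the ISP segment with nothing in between unless filtering on the bridge members is left enabled (FreeBSD's `net.link.bridge.pfil_member` sysctl, default 1), so the per-VLAN rules above still belong on the member interfaces in that design. In the pfSense GUI the `no nat` line corresponds to an outbound NAT rule in Hybrid or Manual mode with "Do not NAT" ticked.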
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.