Route Public IPs AND Provide NATed internal



  • Hi all. I'm hoping someone can give me some advice on this setup:

    My ISP has given me a subnet of public ips and then a public IP in a different subnet on their network. Obviously I need to get pfsense to route the traffic for the public ips in their own subnet to and from the ISP.

    This is what it looks like using private ips:

    ISP Gateway: 192.168.1.1
    ISP Assigned Address: 192.168.1.2
    ISP Assigned Subnet: 192.168.2.32/28

    So if these were public IPs I need 192.168.2.33 to be accessible from 192.168.1.x and everything else on the internet. (I want this to be firewalled however so that I can lock down the ports that will go through)

    And then I also need to create a NATed address range for the rest of the computers. (sort of a DMZ setup that I'm doing)

    I'd like to only use 2 physical cards if possible: WAN and LAN with the LAN having the two subnets (VLANS?)

    So I'm looking at routing and it appears to only go outbound which confused me.

    Any suggestions on how to set this up correctly?

    Thanks!



  • The ISP is going to send you packets for "192.168.2.32/28" so you do not have to do anything really special.

    Yes, use VLANs to get 2 LANs on a single NIC, e.g.

    VLAN10 - LANprivate - some private IP subnet

    VLAN20 - LANpublic - the "192.168.2.32/28" (which are really public IPs - I understand that)

    a) Add pass rules on WAN to allow traffic from source wherever (maybe any) to destination/s in LANpublicnet as you need/wish. To get started you can just pass source any destination LANpublicnet - but that might be a bit wide open for your final requirements.

    b) Switch from Automatic Outbound NAT to Manual. Just have outbound NAT rules for LANprivate.
    LANpublic will route happily without help.

    c) Add rules on LANpublic:
    i) rule/s allowing whatever access you want it to have to LANprivate
    ii) a rule blocking any other access to LANprivate
    iii) rule/s allowing traffic out from LANpublic to the public internet as needed

    I think that is all. What have I forgotten?
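As an added illustration (not from the thread, and not pfSense's own generated ruleset), here is how steps a), b) and c) above look as a plain pf.conf, with `quick` on every rule so it reads first-match like the pfSense GUI. Interface names, the private LAN range and the two hosts in the c) i) rule are assumptions, and the ISP block is written with the RFC 5737 TEST-NET-2 range that a later reply suggests for documentation.

```pf
# Assumed interfaces: em0 is WAN, em1 carries both VLANs.
wan_if  = "em0"
lanpriv = "vlan10"            # VLAN10 - LANprivate
lanpub  = "vlan20"            # VLAN20 - LANpublic

priv_net = "10.10.10.0/24"    # assumed private LAN range
pub_net  = "198.51.100.32/28" # stands in for the ISP-routed /28 (TEST-NET-2)
pub_host = "198.51.100.33"    # the host that must be reachable from the internet
db_host  = "10.10.10.5"       # assumed LANprivate host that pub_host may reach

# b) Manual outbound NAT: translate ONLY LANprivate.
#    Automatic outbound NAT would also translate LANpublic, hiding the
#    routed public addresses behind the WAN address, which is not wanted.
nat on $wan_if from $priv_net to any -> ($wan_if)

# Default deny; everything below is an explicit exception.
block log all

# a) WAN: the commented rule is the "wide open" starting point Phil mentions;
#    the active rule is the locked-down version with only the needed ports.
# pass in quick on $wan_if inet from any to $pub_net
pass in quick on $wan_if inet proto tcp from any to $pub_host port { 80 443 }

# c) LANpublic rules, in GUI order (first match wins):
#    i)  allow only the specific access LANpublic should have into LANprivate
pass in quick on $lanpub inet proto tcp from $pub_host to $db_host port 5432
#    ii) block everything else from LANpublic toward LANprivate
block in quick on $lanpub inet from $pub_net to $priv_net
#    iii) let LANpublic out to the internet; it is routed, not NATed
pass in quick on $lanpub inet from $pub_net to any

# LANprivate: normal outbound, translated by the nat rule above.
pass in quick on $lanpriv inet from $priv_net to any

# pfSense passes outbound on every interface by default; mirror that here.
pass out quick all
```

Because pf translation happens before filtering, the `nat` rule only ever matches LANprivate sources, so replies to $pub_host arrive at its real address exactly as the ISP routes them.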



  • Thank you! That helps a ton!



  • Everything Phil wrote is perfectly fine.

    Just a remark about "documenting" public IP addresses: IETF and IANA have assigned some IP address blocks specifically for documentation etc.
    Those can be used to describe a problem here without using private address space and remark that it's in fact not private.

    | Block | Purpose | Note |
    | --- | --- | --- |
    | 192.0.2.0/24 | documentation | Assigned as "TEST-NET" in RFC 5737 for use solely in documentation and example source code and should not be used publicly. |
    | 198.51.100.0/24 | documentation | Assigned as "TEST-NET-2" |
    | 203.0.113.0/24 | documentation | Assigned as "TEST-NET-3" |

    I would just use 198.51.100.0/28 in your case and ignore that it overlaps 198.51.101.0 onwards with someone else.
    This isn't easily mixed up (optically) with other private address space.



  • @phil.davis:

    b) Switch from Automatic Outbound NAT to Manual. Just have outbound NAT rules for LANprivate.
    LANpublic will route happily without help.

    c) Add rules on LANpublic:
    i) rule/s allowing whatever access you want it to have to LANprivate
    ii) a rule blocking any other access to LANprivate
    iii) rule/s allowing traffic out from LANpublic to the public internet as needed

    I think that is all. What have I forgotten?

    Adding the forwarded routable IP addresses as VIP on WAN so that they can be used for 1:1 NAT or Advanced Outbound NAT. Unless he wants to use the entire subnet on a VLAN interface.



  • Thanks! This helps a ton!