Netgate Discussion Forum

    Route Public IPs AND Provide NATed internal

    General pfSense Questions
    6 Posts 4 Posters 1.3k Views
    JohnGalt1717:

      Hi all. I'm hoping someone can give me some advice on this setup:

      My ISP has given me a subnet of public IPs and then a public IP in a different subnet on their network. Obviously I need to get pfSense to route the traffic for the public IPs in their own subnet to and from the ISP.

      This is what it looks like using private IPs:

      ISP Gateway: 192.168.1.1
      ISP Assigned Address: 192.168.1.2
      ISP Assigned Subnet: 192.168.2.32/28

      So if these were public IPs I need 192.168.2.33 to be accessible from 192.168.1.x and everything else on the internet. (I want this to be firewalled, however, so that I can lock down the ports that will go through.)

      And then I also need to create a NATed address range for the rest of the computers. (sort of a DMZ setup that I'm doing)

      I'd like to only use 2 physical cards if possible: WAN and LAN, with the LAN having the two subnets (VLANs?)

      So I'm looking at routing and it appears to only go outbound which confused me.

      Any suggestions on how to set this up correctly?

      Thanks!

      phil.davis:

        The ISP is going to send you packets for "192.168.2.32/28" so you do not have to do anything really special.

        Yes, use VLANs to get 2 LANs on a single NIC, e.g.

        VLAN10 - LANprivate - some private IP subnet

        VLAN20 - LANpublic - the "192.168.2.32/28" (which are really public IPs - I understand that)

        a) Add pass rules on WAN to allow traffic from source wherever (maybe any) to destination/s in LANpublicnet as you need/wish. To get started you can just pass source any destination LANpublicnet - but that might be a bit wide open for your final requirements.

        b) Switch from Automatic Outbound NAT to Manual. Just have outbound NAT rules for LANprivate.
        LANpublic will route happily without help.

        c) Add rules on LANpublic:
        i) rule/s allowing whatever access you want it to have to LANprivate
        ii) a rule blocking any other access to LANprivate
        iii) rule/s allowing traffic out from LANpublic to the public internet as needed

        I think that is all. What have I forgotten?

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        JohnGalt1717:
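        To make steps a) to c) concrete, here is the same design written as a plain pf ruleset, the filter pfSense drives underneath its GUI. This is an added example, not pfSense's generated configuration and not code from any poster. The addresses are the thread's private stand-ins for the real public ones; the interface names (em0 for WAN, em1 carrying VLANs 10 and 20), the firewall holding 192.168.2.46 on the public VLAN so that .33 stays free for the server, the private subnet 10.10.10.0/24, and the single database host at 10.10.10.5 are all assumptions. Every rule carries `quick` because pfSense evaluates rules first-match, which is also what makes the order in step c) work.

```pf
# Added example, equivalent to the GUI steps above; not pfSense's own config.
# Interface names, VLAN tags, the private subnet and the hosts are assumptions.
# 192.168.1.x and 192.168.2.32/28 stand in for the ISP's public addresses.

wan      = "em0"      # 192.168.1.2/24, ISP gateway 192.168.1.1
lan_priv = "em1.10"   # VLAN 10, firewall is 10.10.10.1/24, NATed clients
lan_pub  = "em1.20"   # VLAN 20, firewall is 192.168.2.46/28, hosts use .33-.45

wan_addr   = "192.168.1.2"
priv_net   = "10.10.10.0/24"
pub_net    = "192.168.2.32/28"
web_server = "192.168.2.33"   # the host the ISP's block must reach
db_server  = "10.10.10.5"     # assumed: the one private host LANpublic may use

set skip on lo0
block in log all              # default deny, as pfSense does on every interface

# b) Outbound NAT for the private VLAN only. The routed block needs none:
#    the ISP already forwards 192.168.2.32/28 to 192.168.1.2, and replies
#    from .33 leave WAN with their real source address.
nat on $wan from $priv_net to any -> $wan_addr

# a) WAN: expose only the ports you want on the public hosts. There is no
#    rule for the rest of $pub_net, so everything else the ISP sends is dropped.
pass in quick on $wan proto tcp from any to $web_server port { 80, 443 }

# c) LANpublic, in the order the post gives:
#    i)   what it may reach in LANprivate
#    ii)  block everything else towards LANprivate
#    iii) anything else (i.e. the internet) is allowed out
pass in quick on $lan_pub proto tcp from $pub_net to $db_server port 3306
block in quick log on $lan_pub from $pub_net to $priv_net
pass in quick on $lan_pub from $pub_net to any

# LANprivate: clients may reach the internet and the public servers
pass in quick on $lan_priv from $priv_net to any

# Forwarded traffic and the firewall's own replies may leave each interface
pass out quick on { $wan, $lan_priv, $lan_pub } all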

          Thank you! That helps a ton!

          jahonix:

            Everything Phil wrote is perfectly fine.

            Just a remark about "documenting" public IP addresses: IETF and IANA have assigned some IP address blocks specifically for documentation etc.
            Those can be used to describe a problem here without using private address space and remark that it's in fact not private.

            | Block | Purpose | Notes |
            |---|---|---|
            | 192.0.2.0/24 | documentation | Assigned as "TEST-NET" in RFC 5737 for use solely in documentation and example source code and should not be used publicly. |
            | 198.51.100.0/24 | documentation | Assigned as "TEST-NET-2" |
            | 203.0.113.0/24 | documentation | Assigned as "TEST-NET-3" |

            I would just use 198.51.100.0/28 in your case and ignore that it overlaps 198.51.101.0 onwards with someone else.
            This isn't easily mixed up (optically) with other private address space.

            dreamslacker:

              @phil.davis:

              b) Switch from Automatic Outbound NAT to Manual. Just have outbound NAT rules for LANprivate.
              LANpublic will route happily without help.

              c) Add rules on LANpublic:
              i) rule/s allowing whatever access you want it to have to LANprivate
              ii) a rule blocking any other access to LANprivate
              iii) rule/s allowing traffic out from LANpublic to the public internet as needed

              I think that is all. What have I forgotten?

              Adding the forwarded routable IP addresses as VIP on WAN so that they can be used for 1:1 NAT or Advanced Outbound NAT. Unless he wants to use the entire subnet on a VLAN interface.

              JohnGalt1717:
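              The alternative dreamslacker raises, written as a pf ruleset so the two designs can be compared: instead of a second VLAN carrying the whole routed block, one address from that block is held on WAN as a virtual IP and mapped 1:1 onto a server that keeps a private address. This is an added example, not from the thread or from pfSense; the interface names, the private subnet, the server at 10.10.10.20 and the choice of 192.168.2.33 as the VIP are assumptions. In pfSense the VIP is created under Firewall > Virtual IPs as an IP Alias and the mapping under Firewall > NAT > 1:1; in plain pf the VIP is an interface alias (for example `ifconfig em0 inet 192.168.2.33 netmask 255.255.255.255 alias`) and the mapping is a `binat` rule. Note that inbound filter rules then match the translated, private destination, not the public VIP, because pf translates before it filters.

```pf
# Added example: VIP on WAN plus 1:1 NAT, the variant described above.
# Not pfSense's own config; interfaces, subnet and hosts are assumptions.
# 192.168.1.x and 192.168.2.32/28 stand in for the ISP's public addresses.

wan      = "em0"      # 192.168.1.2/24, ISP gateway 192.168.1.1
lan      = "em1.10"   # VLAN 10, firewall is 10.10.10.1/24
priv_net = "10.10.10.0/24"
wan_addr = "192.168.1.2"
pub_vip  = "192.168.2.33"   # one routed address, held on WAN as an alias
server   = "10.10.10.20"    # the private host that answers as 192.168.2.33

set skip on lo0
block in log all

# 1:1 mapping in both directions: inbound to the VIP is rewritten to the
# server, and the server's outbound traffic leaves as the VIP. This replaces
# the shared outbound NAT entry for that one host.
binat on $wan from $server to any -> $pub_vip

# Everyone else on the private LAN shares the WAN address as before
nat on $wan from $priv_net to any -> $wan_addr

# WAN rule: written against the private address, because by the time the
# filter sees the packet binat has already rewritten the destination
pass in quick on $wan proto tcp from any to $server port { 80, 443 }

pass in quick on $lan from $priv_net to any
pass out quick on { $wan, $lan } all
```

              The trade-off against the routed VLAN: nothing on the server needs a public address, and only the VIPs you create are reachable at all; in exchange each exposed host needs its own VIP and 1:1 entry, and the server never sees its public address, which matters for software that embeds its own IP in the protocol.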

                Thanks! This helps a ton!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.