Multiple subnets on same physical nic
-
Hi guys,
Looking to move from an end of life microsoft TMG to pfsense firewall.
Today i have 3 subnets from my ISP (cisco router)
87.x.x.x /29
80.x.x.x /28
188.x.x.x /28The 87.x.x.x /29 is routed by my ISP and im using one of those ip's for the WAN interface on my TMG. All my internal clients are NAT'ed behind this one ip.
80.x.x.x 28 and 188.x.x.x /28 is also provided by my ISP but routed by myself in my TMG. I have these 2 subnets on the same nic which im using as a DMZ. Bridged but still protected by the TMG firewall.
My TMG has 3 nics. WAN, LAN DMZ.
The DMZ i used to host different web and application servers presented to the internet.
How would i go about creating this setup on PFsense. Can i make it with just 3 nics like on my TMG or do the 2 /28 networks have to be on 2 different physical nics (i hope not)?
I would really appreciate i someone could explain to me how to set this up on PFsense :)
Regards
Jacob -
drawing would really help.. You say the 87.x.x.x /29 is routed, via what transit network?
So you saying 80.x.x.x 28 and 188.x.x.x /28 are also routed, to this 87 network? How would the tmg route those if not?
A drawing of your current setup, would make it clear and then could look how to allow these networks to work in a new setup.
-
Hi John,
Thank you so much for you reply.
The 87.x.x.x /29 addresses are readily availble on the Cisco router provided by my ISP
The 80.x.x.x and the 188.x.x.x subnet are routed through the one ip on the 87.x.x.x network that im using on the WAN interface on the TMG.
Does that make sense? I will try to provide a drawing but i cannot do that until next week.
regards
Jacob -
you have no napkins or crayons available? ;)
gliffy is freeonline tool you can use to draw up a diagram.
So your saying the 87 is your transit, and 80 and 188 are routed to that.. But you stated that the 87 was routed and where using that behind on your tmg.. So you have a bridge/layer 2 from this 87 to your tmg interface.. Or tmg has actual interface connected to this transit network?
Drawing leave less open to interpretation..
-
Haha. I promise I will provide a drawing at some point
yes. 87.x.x.90 is my transit and the 80 and 188 networks are routet to that. I then tell the TMG that the 80 and 188 are bridged and then im using the public ips from those two subnets on my DMZ
Maybe i did not explain it right but the 87 /29 subnet is available on the Cisco router from my ISP.
Regards
Jacob -
Well if the 87 is your transit, you can put any routed networks via that transit on interfaces behind pfsense. You can then firewall them from the public internet or any other networks on pfsense, etc..
That is a pretty common setup.. Nice to see you actually have a transit and routed networks.. What most questions are if how too use a isp segment that pfsense is part of and using some of those IPs on the wan as well as on a segment behind.. Which is not really possible.
But a routed network is how it should be setup and very easy to do..
-
Perfect!
Im pretty new to PFsense. Assigning IPs to the WAN and the LAN interface is easy, but where do i setup the 2 routed subnets? I bought an official SG-2440 and have OPT1 and OPT2 available. I guess I will be using OPT1 as my DMZ. I feel that i know the TMG pretty well and understand how its setup but this is an entire new world to me :)
I really appreciate your help!
Regards
Jacob -
you set it up just like you would any rfc1918 segment on an interface..
Just so we are clear on you have an actual routed network via a transit network.
So you have 87.x.x.90/29 on your wan interface of pfsense.. with gateway being 87.x.x.89… When someone wants to go to say 80.x.x.2 they would end up at 87.x.x.90 as a hop to get to that network... Pfsense would see that traffic is trying to go to 80.x.x.2 and say oh yeah I have that on my opt1 interface via my IP of 80.x.x.1 so I will send that traffic out that interface.
Really the only difference is you wouldn't be natting that to your wan IP like you do when the network is a rfc1918 address accessed via your public IP on the wan. So you assign 80.x.x1/28 on your opt1 there you go... And make sure your not natting it.
-
Perfect. That makes sense, but how about my 188 subnet? Can I put that on opt1 also or do I have to use opt2 for that? It's seem you can only put one up address per interface.
Regards
Jacob -
do you have switch that supports vlans? You could put them all on the lan interface… If you don't have a switch that supports vlans then yes you would need to put then on a physical interface.
-
I do have support for Vlans. I already use a Vlan to get from the DMZ nic on my TMG to my Hyper-v cluster.
How would i go about using Vlans on the LAN interface? That would have to hold both 192.x.x.x and 80.x.x.x and 188.x.x.x then? And what would you recommend in my scenario. A physical nic per subnet or multiple VLANs (subnets) on one physical interface (LAN).
Regards
Jacob -
Well depends on traffic speed to be honest.. When vlans are all on the same physical interface.. vlan to vlan traffic is hairpinned.. Your going in and out the same interface so if its 100mbps connection you now can move 50 between devices on different vlans, not 100, if gig same thing.. The more vlans you put on an interface the more sharing the speed of that interface if there is intervlan traffic.
If your talking to and from the wan, and your wan is only 100 say, and your lan interface is gig prob not going to matter much..
If you have the physical interfaces, I would just use the physical.. As to creating the vlan.. Just create it and assign it to the physical nic you want to use..
-
Thank you so much John. I will play around with it and update this thread (probably looking for more help) with my finding.
Regards
Jacob
