Passing ISP IP through a pfSense FW to another firewall



  • I'd like to extend a group of public addresses from my ISP to a firewall located behind my pfSense firewall, see drawing attached. Can this be done? If so, how do I configure my pfSense firewall?

    ![Providing ISP Services.jpg](/public/imported_attachments/1/Providing ISP Services.jpg)



  • The OPT interface must not be in the same subnet as the WAN. So your second pfSense must also belong to another subnet.



  • Can you mark up my drawing as a sample of how it should be configured? Also note how I would configure the interfaces?

    ![Providing ISP Services.jpg](/public/imported_attachments/1/Providing ISP Services.jpg)



  • Okay, I assume the numbers in the colored fields are VLANs. So this way it could work, you just need to bridge WAN and OPT1 and assign the WAN address to this bridge.
    https://doc.pfsense.org/index.php/Interface_Bridges
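    As an added illustration of the bridge approach described above (not from the original thread or the linked pfSense documentation), here is what the relevant config.xml fragments of the first pfSense box could look like, assuming em0 is WAN, em2 is OPT1, and the ISP block is 203.0.113.0/29 with the ISP router at 203.0.113.1 (constructed values; element names should be checked against a backup of your own config.xml). The two sysctl tunables keep pf filtering on the bridge interface rather than on its members, so the passed-through public traffic is still subject to firewall rules on the bridge.

    ```xml
    <!-- Added example, hypothetical values: WAN and OPT1 become bridge members
         with no address of their own; the public address moves to the bridge. -->
    <interfaces>
      <wan>
        <enable></enable>
        <if>em0</if>
        <descr><![CDATA[WAN]]></descr>
        <!-- no ipaddr: bridge member only -->
      </wan>
      <opt1>
        <enable></enable>
        <if>em2</if>
        <descr><![CDATA[OPT1]]></descr>
        <!-- no ipaddr: bridge member only -->
      </opt1>
      <opt2>
        <enable></enable>
        <if>bridge0</if>
        <descr><![CDATA[ISPBRIDGE]]></descr>
        <ipaddr>203.0.113.2</ipaddr>   <!-- constructed public address -->
        <subnet>29</subnet>
        <gateway>ISPGW</gateway>
      </opt2>
    </interfaces>
    <bridges>
      <bridged>
        <members>wan,opt1</members>
        <descr><![CDATA[WAN to OPT1 passthrough]]></descr>
        <bridgeif>bridge0</bridgeif>
      </bridged>
    </bridges>
    <gateways>
      <gateway_item>
        <interface>opt2</interface>
        <gateway>203.0.113.1</gateway>  <!-- constructed ISP router address -->
        <name>ISPGW</name>
        <ipprotocol>inet</ipprotocol>
        <descr><![CDATA[ISP gateway via bridge]]></descr>
      </gateway_item>
    </gateways>
    <sysctl>
      <!-- filter on the bridge interface, not on each member -->
      <item><tunable>net.link.bridge.pfil_member</tunable><value>0</value></item>
      <item><tunable>net.link.bridge.pfil_bridge</tunable><value>1</value></item>
    </sysctl>
    ```

    With these tunables set, the pass rules that allow the ISP traffic through to the second firewall belong on the ISPBRIDGE interface, and nothing is permitted until such rules exist.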



  • I will check it out. Thanks for taking the time to help me out.



  • With the ISP router doing NAT (1), the pfSense also doing NAT (2) and on top of that the
    other firewall also doing NAT (3), you have created a triple NAT situation, and your
    problems are related to this. You have two choices to get rid of this issue.

    • Set the ISP router to the so-called "bridge mode" so that the router is only acting as a pure modem;
      if this can be done, it would be the fastest and most stable way. Or buy a plain and pure modem.
      Cons: none
      Pros: You have then only created a double NAT situation, with which you can live.

    • Or you should bridge the LAN port of the ISP router to the WAN port of the pfSense firewall,
      as suggested by @viragomann, so that pfSense is then acting as a fully transparent firewall.
      Cons: Port flapping, packet loss or packet drops
      Pros: fully transparent firewall which is invisible

