Multi IP wan / Bridge to different interface.



    Hello,
    I have an embedded pfSense running 2.2.6.
    I wish to run a service on RHEL which requires a license and insists on a public IP, or registration will fail. I'm not overly enamoured of having it internet facing, but I'll trial it and see how it goes.
    It is for the above reason that I don't believe the standard 1:1 NAT is going to work.

    I have got a /30 from my ISP, which equates to 4 IPs, with 2 being usable + gw and broadcast.

    Here is what I've done.

    ISP (PPPoE) 60.240.xxx.xxx.3 ---[re0 WAN] pfSense [re1]--- Switch --- 192.168.0.1/24 (LAN)
    additional IPs 14.xxx.xxx.24/30 --- (bridged to) ---[re2 DMZ 14.xxx.xxx.25]--- 14.xxx.xxx.26

    I've been reading a ton of forum posts and they all seem to want to use NAT 1:1 and IP Aliases of some sort. Because I'm effectively using a transparent bridge for re2, I think it means that I don't need all that, but I'm curious to know if I'm on the right track.
    In order to achieve the above, I have done the following:

    1/ Create a new interface assigned to DMZ (re2) and assign it 14.xxx.xxx.25 (Upstream GW = no; untick "Block Private Networks").

    2/ Create a bridge between the WAN (re0) and DMZ (re2) interfaces.

    3/ Write a WAN rule with a destination of 14.xxx.xxx.24/30 (all ports).

    4/ Write a DMZ rule with a destination, port and gateway of *.

    Is it this simple?
    Have I created any risks to the LAN by doing this? It all seems to be working, I'm just not sure it's best practice.
    Also it seems I've sacrificed an IP for the interface - is there another way of doing it?

    Regards

    Cam
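What the four steps above amount to at the packet-filter level, written out as a pf.conf sketch. This is an added illustration, not the post's own configuration and not the ruleset pfSense generates; the interface names and addresses come from the post, while the lan_net macro, the bridge sysctl lines, the service port list and the explicit DMZ-to-LAN block rule are assumptions added to show the check a practitioner would want when the bridged host and the LAN share one firewall.

```conf
# Constructed pf.conf sketch for the layout in the post. Not pfSense's
# generated ruleset; the LAN block rule, the sysctl lines and the port
# list are assumptions added for illustration.

# --- Bridge set-up (FreeBSD shell; pfSense does this from its bridge page) ---
# ifconfig bridge0 create
# ifconfig bridge0 addm re0 addm re2 up
# Filter on the member interfaces (re0, re2) rather than on bridge0 itself,
# so rules written against WAN and DMZ are the ones that actually apply:
# sysctl net.link.bridge.pfil_member=1
# sysctl net.link.bridge.pfil_bridge=0

# --- Names taken from the post ---
wan_if    = "re0"              # PPPoE WAN, 60.240.xxx.xxx.3
lan_if    = "re1"              # LAN, 192.168.0.1/24
dmz_if    = "re2"              # bridged DMZ, 14.xxx.xxx.25 on the interface
dmz_net   = "14.xxx.xxx.24/30" # the routed /30 from the ISP
rhel_host = "14.xxx.xxx.26"    # the licensed RHEL host behind re2
lan_net   = "192.168.0.0/24"   # assumed LAN subnet behind re1

set skip on lo0
block log all

# Step 3 as posted: anything in on WAN to the /30, all ports.
# Kept commented out; the tightened rule below is what to run.
# pass in quick on $wan_if inet from any to $dmz_net

# Tightened version (assumed service ports; adjust to what the RHEL box runs):
pass in quick on $wan_if inet proto tcp from any to $rhel_host \
    port { 22, 443 } flags S/SA keep state
pass in quick on $wan_if inet proto icmp from any to $dmz_net

# The risk the post asks about: the bridged host sits on the same box as
# the LAN, so deny it a path into 192.168.0.0/24 before the "gateway *" pass.
block in quick on $dmz_if from $dmz_net to $lan_net

# Step 4 as posted: DMZ rule with destination, port and gateway of any.
pass in quick on $dmz_if from $dmz_net to any keep state

# Ordinary LAN rule, unchanged by the bridge.
pass in quick on $lan_if from $lan_net to any keep state
```

Syntax-check a file like this with `pfctl -nf /etc/pf.conf` and inspect the loaded rules with `pfctl -sr`; on pfSense the equivalent is to read the generated `/tmp/rules.debug` after saving the GUI rules. Because quick rules match in order, the block from the /30 to the LAN must sit above the "destination *" pass on the DMZ interface, otherwise the pass wins and the bridged host can reach 192.168.0.0/24.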

