On 5/29/2013 5:23 PM, Adam Thompson wrote:
Obviously I was in a bad mood when reading your first email... sorry about that.

I am hoping to do the routing and firewalling with the same pfSense
boxes due to budget constraints.  A pair of (insert favorite brand
here)  routers with failover would definitely be out of budget for
this project, at least for now.

As I said, every firewall is a router, so that's not a problem.

If I simply add rules on the WAN interface tab to allow traffic to
the /27 addresses will this work?  This way I do not have to turn on
the "Disable all packet filtering" check box as that would defeat the
purpose.  I suppose I could turn it on temporarily for testing then
turn it off and add the rules?

As long as you keep NAT firmly *out* of your head as you set this up, you'll probably get it right (or close enough) on the first try. Turning on that checkbox is the acid test - turn it on for a few minutes, and if everything still functions, you've got the routing right. Also, your Asterisk servers should be secure enough to live on the internet by themselves for a few minutes... if not, you'll likely be attacked through some other vector (internal clueless users installing trojans, often).

Will I need to tell the /27 LAN interface LAN that the /29 WAN
interface is its default gateway or will it know that from being
directly connected?

If you set up DHCP on the LAN, it should happen automatically. Otherwise, yes, you need to tell the internal devices how to reach the internet.

-Adam
Adam
No worries at all, your email was good information and I thank you for that. When I was talking about assigning a default gateway I was more referring to the interface on the pfSense. I am assuming that I will not have to, but you know what happens when we "assume". I will set it up without and if it does not work I will add it in to test. I will be using DHCP for the internal devices so ya, that should be all good.
Thanks again,
JohnM
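
An added illustration, not part of the thread and not pfSense code, of the setup discussed above: a routed public /27 behind a /29 WAN with no NAT, first-match WAN rules, and the "disable all packet filtering" test used to tell a routing fault from a rule fault. The addresses are constructed from documentation ranges, and the PBX host, the single rule and all function names are assumptions.

```python
import ipaddress

# Constructed addressing plan (RFC 5737 documentation ranges, not from the thread).
WAN_NET = ipaddress.ip_network("192.0.2.0/29")         # transit link to the ISP
ROUTED_NET = ipaddress.ip_network("198.51.100.32/27")  # public block on the LAN side
LAN_GW = ipaddress.ip_address("198.51.100.33")         # firewall's LAN address
PBX = ipaddress.ip_address("198.51.100.35")            # hypothetical Asterisk host

# WAN-tab rules, first match wins; anything unmatched is dropped (default deny).
# With no NAT, the rule destination is the host's real public address.
WAN_RULES = [("pass", "udp", PBX, 5060)]  # SIP signalling to the PBX only


def plan_errors(wan_net, routed_net, lan_gateway):
    """Return addressing mistakes that would break plain routing."""
    errors = []
    if wan_net.overlaps(routed_net):
        errors.append("routed block overlaps the WAN transit subnet")
    if lan_gateway not in routed_net:
        errors.append("LAN gateway is outside the routed block")
    elif lan_gateway in (routed_net.network_address, routed_net.broadcast_address):
        errors.append("LAN gateway is the network or broadcast address")
    return errors


def wan_allows(proto, dst, port, rules=WAN_RULES):
    """First-match evaluation of inbound WAN rules; default is block."""
    for action, r_proto, r_dst, r_port in rules:
        if (proto, dst, port) == (r_proto, r_dst, r_port):
            return action == "pass"
    return False


def delivered(proto, dst, port, filtering=True, routed_net=ROUTED_NET):
    """True if an inbound packet reaches a host in the routed block."""
    if dst not in routed_net:
        return False  # no route behind the firewall for this destination
    return (not filtering) or wan_allows(proto, dst, port)


def diagnose(proto, dst, port):
    """Interpret the temporary 'filtering off' test from the thread."""
    if not delivered(proto, dst, port, filtering=False):
        return "routing"  # fails even unfiltered: fix routes and gateways first
    if not delivered(proto, dst, port, filtering=True):
        return "rules"    # routing is fine; the WAN rules do not permit it
    return "ok"
```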
