Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Joseph Hardeman

Thanks Chris and Walter,

I thought about both ways you guys mentioned; I didn't know if the 
method Walter suggested would work, and I don't have a test lab to set a 
test environment up in, at least not any longer. :-)

I am going to suggest that he see if he can get a /29 for routing from 
his provider, even a private range just for routing between pfSense and 
their routers, and then break out the /24 on the LAN and OPT networks.


Thanks guys.

Joe


-- Original Message --
From: "Chris L"
To: "pfSense Support and Discussion Mailing List"
Sent: 3/24/2015 9:01:35 PM
Subject: Re: [pfSense] Setup Question - Routing


> On Mar 24, 2015, at 5:46 PM, Walter Parker wrote:
>
> > Using a chart like
> > http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
> > you can see the different /28 and /29 subnets that exist on a /24
> > network.
> >
> > You would bind the .248/29 network to the WAN interface (use a /29 to
> > leave a few extra addresses).
>
> If the provider side of the interface is set for /24 and his WAN is set
> for /29 expect hilarious shenanigans to ensue.
>
> > Then you would bind a reserved network (10.X, 192.168.X, 172.16.X) to
> > the LAN interface.
> >
> > Then on your third interface, you would bind multiple networks,
> > .240/29, .232/29, .224/29, etc. to the OPT1/DMZ interface.
>
> What you say?
>
> > Then each customer would put their equipment directly on that
> > network. If the customers have routers themselves, you might want
> > to set up a bunch of /30 networks (.252/30, .248/30, .244/30, .236/30,
> > .232/30) for your and the customer's WAN interfaces. Then start down
> > from .224 and assign /29 networks for the customer's DMZ/OPT1
> > interfaces. Unless the customer is running without NAT, then the
> > addresses could be put on the customer's LAN interfaces.
> >
> > The big trick here is to make sure that none of your networks have
> > overlapping IP address ranges. The chart above is very helpful for
> > tracking different sizes. This means that you can't put .254 on one
> > interface and .249/29 on a different interface as those networks
> > overlap.
> >
> > Walter
>
> He needs a routed subnet or has to use VIPs on WAN and 1:1 NAT. Or some
> convoluted bridging thing that I shouldn’t even mention because it’s no
> solution at all.



___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Chris L
On Mar 24, 2015, at 5:46 PM, Walter Parker  wrote:
> 
> Using a chart like 
> http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
>  you can see the different /28 and /29 subnets that exist on a /24 network.
> 
> You would bind the .248/29 network to the WAN interface (use a /29 to leave a 
> few extra addresses).

If the provider side of the interface is set for /24 and his WAN is set for /29 
expect hilarious shenanigans to ensue.

> 
> Then you would bind a reserved network (10.X, 192.168.X, 172.16.X) to the LAN 
> interface.
> 
> Then on your third interface, you would bind multiple networks, .240/29, 
> .232/29, .224/29, etc to the OPT1/DMZ interface.

What you say?

> Then each customer would put their equipment directly on that 
> network. If the customers have routers themselves, you might want to set up a 
> bunch of /30 networks (.252/30, .248/30, .244/30, .236/30, .232/30) for your 
> and the customer's WAN interfaces. Then start down from .224 and assign /29 
> networks for the customer's DMZ/OPT1 interfaces. Unless the customer is 
> running without NAT, then the addresses could be put on the customer's LAN 
> interfaces.
> 
> The big trick here is to make sure that none of your networks have overlapping 
> IP address ranges. The chart above is very helpful for tracking different 
> sizes. This means that you can't put .254 on one interface and .249/29 on a 
> different interface as those networks overlap.
> 
> 
> Walter


He needs a routed subnet or has to use VIPs on WAN and 1:1 NAT.  Or some 
convoluted bridging thing that I shouldn’t even mention because it’s no 
solution at all.



Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Walter Parker
Using a chart like
http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf
you can see the different /28 and /29 subnets that exist on a /24 network.

You would bind the .248/29 network to the WAN interface (use a /29 to leave
a few extra addresses).

Then you would bind a reserved network (10.X, 192.168.X, 172.16.X) to the
LAN interface.

Then on your third interface, you would bind multiple networks, .240/29,
.232/29, .224/29, etc. to the OPT1/DMZ interface. Then each customer would
put their equipment directly on that network. If the customers
have routers themselves, you might want to set up a bunch of /30 networks
(.252/30, .248/30, .244/30, .236/30, .232/30) for your and the customer's
WAN interfaces. Then start down from .224 and assign /29 networks for the
customer's DMZ/OPT1 interfaces. Unless the customer is running without NAT,
then the addresses could be put on the customer's LAN interfaces.

The big trick here is to make sure that none of your networks have overlapping
IP address ranges. The chart above is very helpful for tracking different
sizes. This means that you can't put .254 on one interface and .249/29 on a
different interface as those networks overlap.


Walter




On Tue, Mar 24, 2015 at 5:24 PM, Chris L  wrote:

> > On Mar 24, 2015, at 5:12 PM, Joseph H wrote:
> >
> > I have a buddy and he wants to use pfSense as his firewall to protect his
> > devices and also provide a gateway for customers.  And he has asked me if I
> > know of a good way to set this up, so I decided to ask the list
> >
> > He has gotten a /24 subnet, he wants to use a small section of it for his
> > web site and stuff, and then split off subnets to several customers.  For
> > instance, he was given a gateway of x.x.x.254 by his provider, he will use
> > the x.x.x.249/29 for his own use, then wants to pass subnets through to his
> > customers in say several /28's or /29's.
> >
> > Does anyone know of an easy way to set this up?  He has a server with 3
> > interfaces to use for this.
> >
>
> To make this a LOT easier (or even possible at all without 1:1 NAT) he
> should ask the provider for a /29 or /30 for his WAN interface with the /24
> routed to an IP address on that.



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
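
Added example, not part of the original thread: a check of an interface plan for the overlap problem described in the message above, plus a listing of what is still unassigned in the /24. The 203.0.113.0/24 block, the LAN range, the interface names and the /30 mask on .254 are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed stand-in: 203.0.113.0/24 (documentation range) plays the x.x.x.0/24.
BLOCK = ipaddress.ip_network("203.0.113.0/24")

# Layout from the message above; the LAN range is an assumed private network.
PLAN_OK = {"WAN": "203.0.113.249/29", "LAN": "10.0.0.1/24",
           "OPT1-a": "203.0.113.240/29", "OPT1-b": "203.0.113.232/29",
           "OPT1-c": "203.0.113.224/29"}
# .254 and .249/29 on different interfaces; the /30 on .254 is an assumed mask.
PLAN_CLASH = {"if-a": "203.0.113.254/30", "if-b": "203.0.113.249/29"}
# WAN left on the provider's /24 while a /29 of the same block sits on OPT1.
PLAN_UNROUTED = {"WAN": "203.0.113.249/24", "OPT1-a": "203.0.113.224/29"}

def networks(plan):
    """Map name -> network; host forms such as .249/29 reduce to their network."""
    return {name: ipaddress.ip_interface(cidr).network
            for name, cidr in plan.items()}

def find_overlaps(plan):
    """Return (name_a, name_b) pairs whose networks share any address."""
    nets = networks(plan)
    return sorted((a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
                  if na.overlaps(nb))

def free_space(plan, block=BLOCK):
    """Return the parts of `block` not yet assigned, as the fewest CIDR blocks."""
    free = [block]
    for net in networks(plan).values():
        remaining = []
        for f in free:
            if net.subnet_of(f):
                remaining.extend(f.address_exclude(net))  # carve net out of f
            elif not f.subnet_of(net):
                remaining.append(f)                       # untouched by net
        free = remaining
    return [str(n) for n in ipaddress.collapse_addresses(free)]

if __name__ == "__main__":
    for label, plan in (("ok", PLAN_OK), ("clash", PLAN_CLASH),
                        ("unrouted", PLAN_UNROUTED)):
        print(label, "overlaps:", find_overlaps(plan))
    print("still free:", free_space(PLAN_OK))
```
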

Re: [pfSense] Setup Question - Routing

2015-03-24 Thread Chris L

> On Mar 24, 2015, at 5:12 PM, Joseph H  wrote:
> 
> I have a buddy and he wants to use pfSense as his firewall to protect his 
> devices and also provide a gateway for customers.  And he has asked me if I 
> know of a good way to set this up, so I decided to ask the list
> 
> He has gotten a /24 subnet, he wants to use a small section of it for his web 
> site and stuff, and then split off subnets to several customers.  For 
> instance, he was given a gateway of x.x.x.254 by his provider, he will use 
> the x.x.x.249/29 for his own use, then wants to pass subnets through to his 
> customers in say several /28's or /29's.
> 
> Does anyone know of an easy way to set this up?  He has a server with 3 
> interfaces to use for this.
> 

To make this a LOT easier (or even possible at all without 1:1 NAT) he should 
ask the provider for a /29 or /30 for his WAN interface with the /24 routed to 
an IP address on that.


[pfSense] Setup Question - Routing

2015-03-24 Thread Joseph H
I have a buddy and he wants to use pfSense as his firewall to protect his
devices and also provide a gateway for customers.  And he has asked me if I
know of a good way to set this up, so I decided to ask the list

He has gotten a /24 subnet, he wants to use a small section of it for his
web site and stuff, and then split off subnets to several customers.  For
instance, he was given a gateway of x.x.x.254 by his provider, he will use
the x.x.x.249/29 for his own use, then wants to pass subnets through to his
customers in say several /28's or /29's.

Does anyone know of an easy way to set this up?  He has a server with 3
interfaces to use for this.

Thanks

Joe