Netgate SG-1000 microFirewall

Author Topic: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.  (Read 180 times)

0 Members and 1 Guest are viewing this topic.

Offline desrux

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« on: January 12, 2018, 05:50:58 pm »
Trying to setup a 3/4 legged firewall, WAN, LAN, N1, N2 on a XG-1537

We have a x.x.x.128 /26 network from the ISP that we want to split into two sub networks:

N1: x.x.x.128/27 (129-158) 30 addresses, gw: x.x.x.129, bc: x.x.x.159
N2: x.x.x.160/27 (161-190) 30 addressers, gw: x.x.x.161, bc: x.x.x.191

N1 should be routed but without firewall
N2 should be routed and behind firewall

LAN will use NAT and segmented into multiple vlans each with own subnets all behind firewall.

On the XG-1537
N1 is on interface ix1
N2 is on interface ix0
WAN is on interface igb1 (SFP+)
LAN is on interface igb0 (SFP+)

Does pfsense need to have an ip address on both N1 and WAN?
Should N1 and WAN be bridged?
WAN should have an address from N1, but what subnet mask /26 or /27 ?
What is needed from the ISP? Certain config or otherwise?

x.x.x.129 is ISP Gateway.

Any help or experience with similar setups is much appreciated, thanks.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9559
  • Karma: +1081/-309
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #1 on: January 12, 2018, 07:10:18 pm »
They need to give you a small interface network, like a /29 or /30, and route the /26 to you on that.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline jahonix

  • Hero Member
  • *****
  • Posts: 2495
  • Karma: +150/-16
  • volunteer since 2006
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #2 on: January 12, 2018, 07:32:25 pm »
...usually referred to as transit network.
Otherwise you cannot route.
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

Offline desrux

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #3 on: January 13, 2018, 04:27:19 am »
They need to give you a small interface network, like a /29 or /30, and route the /26 to you on that.

Thanks for the quick reply!

Is there a way to do it without any ISP changes? Proxy arp?

I am thinking that the fw has an external IP on the WAN interface ex. x.x.x.141/26 or x.x.x.141/27 from N1 address range.

Then on the N2 interface it has an IP from the N2 address range e.g. x.x.x.161/27 and Proxy ARP enabled?

The N1 (.128/27) range has x.x.x.129 as gateway same as the complete block (0.128/26) - so any server setup directly on the WAN with an ip between .130-158 /27 side should work without any ISP setup right?
The only reason for having a N1 interface for the N1 range is that the external network comes in directly to the SFP+ port on the firewall - I do not have a switch with SPF+ before the firewall - so I was thinking to bridge the N1 interface to the WAN interface.


Does this make sense?


Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9559
  • Karma: +1081/-309
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #4 on: January 13, 2018, 02:30:14 pm »
Why are people so hesitant to ask their ISP for a properly-configured network being content instead with hacks and fudged workarounds?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline desrux

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #5 on: January 13, 2018, 05:11:31 pm »
Why are people so hesitant to ask their ISP for a properly-configured network being content instead with hacks and fudged workarounds?

That I do not know. But I would like to know how to setup pfsense for my use case. Thanks.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9559
  • Karma: +1081/-309
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #6 on: January 13, 2018, 05:26:11 pm »
It is a complete hack to do what you are trying to do with a /26 on WAN.

I told you what you need to do. Get your ISP to configure your circuit with a properly-routed subnet.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline desrux

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #7 on: Yesterday at 04:49:55 am »
They need to give you a small interface network, like a /29 or /30, and route the /26 to you on that.

So I can get my ISP to make a /29 'transit network / link net'. So I guess I declare to the ISP which ip within my /26 that acts as the gateway/router for the /26? And then that gateway/router is assigned the ISP gateway of the /29 correct?

This gateway/router is in this case the pfsense firewall. But in practical terms how do I split/use my /26 so I get a firewalled DMZ with public ips and a non-firewalled DMZ with public ips using pfsense?

I have 4 interface on the pfsense firewall. Ideally I would use 1 for WAN, 1 for LAN, 1 for firewalled DMZ and 1 for non-firewalled DMZ. (Potentially also using vlans to isolate public ips from each other on the DMZs).

Best regards


Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9559
  • Karma: +1081/-309
    • View Profile
Re: WAN /26 into 2x DMZ /27 and multiple LANs using vlan.
« Reply #8 on: Yesterday at 11:13:02 am »
Actually you (or your ISP) declare which IP address on the /29 the /26 is routed to.

Once you have the /26 routed to you you can do whatever you want with the addresses.

Just split it into two /27s and use those as the interface addresses for the DMZ networks and disable NAT for them.

Example (in Cisco-ish Speak):

Their Side:

# Interface (transit) network:
interface ethernet 0/0
  ip address 198.51.100.1 255.255.255.248

# Routed /26 Subnet:
ip route 192.0.2.0 255.255.255.192 198.51.100.2



Your side:

# Interface (transit) network:
interface WAN
  ip address 198.51.100.2 255.255.255.248

# DMZ Networks
# /27
interface DMZ
  ip address 192.0.2.1 255.255.255.224

# /27
interface DMZ1
  ip address 192.0.2.33 255.255.255.224

ip route 0.0.0.0 0.0.0.0 198.51.100.1

Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM