New pfSense Installation Questions
« on: August 09, 2006, 12:05:09 pm »
I am in the process of planning a new firewall infrastructure using pfSense (we currently use an AirLok appliance) and have a few questions regarding my setup.  Attached is an image of the proposed network diagram.  I am currently running RC2 on both pfSense boxes.

- Dumb Switch 1 - will be feeding the WAN connections of the master and slave pfSense servers.
   For my DMZ, I will be using a VLAN off of this switch.  The servers within my "DMZ" will have fully routable external IPs provided by the 2800.

- The pfSense boxes have 3 interfaces - 1 WAN (12.169.255.x/24), 1 LAN (172.20.1.1/8), 1 OPT (SYNC/172.20.2.1/24).

- The pfSense LAN interfaces are connected to the 2nd dumb switch.  From here, our backhauls will be connected to this switch (we are a WISP).  Each backhaul contains up to 100 clients. 

- The pfSense boxes will be handing out internal IPs (DHCPD on the LAN interface) currently in the range of 172.20.15.2 to 172.20.16.200.

- In my advanced outbound routing, I have broken the 172.20.15.2 and 16.2 subnets down into /26's so every 61 addresses will be NAT'd behind a separate external IP.  This currently works great.  I have also assigned each external IP a virtual IP (CARP) (12.169.255.x/24).  If possible, I would like for each of these /26's not to be able to communicate with each other (for security), which currently is not working.

- The pfSense boxes will not be doing any traffic shaping.  Traffic shaping will be provided by a NetEq appliance that will sit in between the 2800 and the first switch.

- Every client on the LAN side must be able to access the Internet via the WAN interface.

My questions are:

1.  Is my basic network setup correct?  Am I doing this the most efficient way?
2.  Is there a better way to set up a DMZ?
3.  How can I provide my clients (which are connected thru a backhaul to the second switch on the 172.20.15.0/24 subnet) a REAL (not 1:1) public IP provided by the Cisco 2800?  Can I simply route a real IP thru the pfSense cluster?  The 2800 currently routes 12.169.255.0/24. 
4.  It seems that when I add a static DHCP mapping (to 172.20.14.0/24), the client cannot access anything.  Do I need to create a firewall rule/virtual IP for the IP that the client is mapped to?

I really appreciate any input that you might be able to give.  Thanks!
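The per-/26 isolation the post asks about depends on whether traffic between two clients ever reaches the pfSense LAN interface at all. The following is an added example, not code from the post or from pfSense: it rebuilds the /26 outbound-NAT blocks from the stated DHCP pool and checks, for each pair of blocks, whether hosts in them are on the same on-link subnet (in which case they talk switch-to-switch and no firewall rule can block them). The CARP VIP base address and the client subnet masks are assumed values for illustration.

```python
import ipaddress

# Constructed values mirroring the post: LAN interface 172.20.1.1/8, DHCP pool
# 172.20.15.2-172.20.16.200, outbound NAT split into /26 blocks, one CARP VIP
# per block in 12.169.255.0/24.  The VIP base is an assumed placeholder.
LAN_IFACE = ipaddress.ip_interface("172.20.1.1/8")
POOL_START = ipaddress.ip_address("172.20.15.2")
POOL_END = ipaddress.ip_address("172.20.16.200")
VIP_BASE = ipaddress.ip_address("12.169.255.10")  # assumed, not from the post


def nat_blocks(start, end, prefix=26):
    """Return (network, carp_vip) pairs covering the DHCP pool in /26 blocks,
    the same split the post uses for advanced outbound NAT."""
    blocks = []
    net = ipaddress.ip_network(f"{start}/{prefix}", strict=False)
    while net.network_address <= end:
        blocks.append(net)
        net = ipaddress.ip_network(f"{net.broadcast_address + 1}/{prefix}")
    return [(b, VIP_BASE + i) for i, b in enumerate(blocks)]


def same_l2_segment(host_a, host_b, client_prefix):
    """True if host_b is inside the subnet host_a believes it is on-link with.
    Such traffic goes directly through the dumb switch and never hits pfSense."""
    net_a = ipaddress.ip_network(f"{host_a}/{client_prefix}", strict=False)
    return ipaddress.ip_address(host_b) in net_a


def isolation_report(blocks, client_prefix):
    """For every pair of NAT blocks, report whether a pfSense LAN rule could
    block traffic between them.  client_prefix is the mask DHCP hands out."""
    report = {}
    for i, (blk_a, _) in enumerate(blocks):
        for blk_b, _ in blocks[i + 1:]:
            a = blk_a.network_address + 1  # representative host in each block
            b = blk_b.network_address + 1
            report[(str(blk_a), str(blk_b))] = not same_l2_segment(a, b, client_prefix)
    return report


if __name__ == "__main__":
    blocks = nat_blocks(POOL_START, POOL_END)
    for net, vip in blocks:
        print(f"{net} -> NAT to {vip}")
    # With the post's /8 LAN mask every client is on-link with every other,
    # so no pair is isolatable by firewall rules; with one subnet (or VLAN)
    # per /26 and the gateway inside each, every pair is.
    print("flat /8 LAN isolatable:", any(isolation_report(blocks, 8).values()))
    print("one subnet per /26 isolatable:", all(isolation_report(blocks, 26).values()))
```

The practical reading is that the "not working" behaviour is expected on a single flat broadcast domain; separating the /26s into their own VLANs or subnets (or using switch-level port isolation) is what makes inter-block filtering enforceable.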