Blog

pfSense and Routed Subnets

I have a few clients running IPCop firewall appliance boxes, but for more complex setups (such as multiple WAN connections) I use pfSense. pfSense is a FreeBSD based firewall appliance. pfSense comes in 2 flavours, one of which is designed to run on low spec embedded hardware, such as that used to be sold by Yawarra Information Appliances. I know that I could just use a bash scripts or Shorewall but not all my clients are command line ninjas, and I have better things to do with my time.

Until recently in Austalia, “residential grade” ADSL connections used PPPoA/PPPoE (aka Layer 3), while “business grade” services were almost exclusively RFC 1483 bridged connections (aka Layer 2). Earlier this year, Telstra Wholesale have stopped offering Layer 2 connections, and are they are now in the process of migrating all resellers' customers to Layer 3 services. For customers with a single usable static IP address this is unlikely to mean any real change. For customers with larger IP allocations (say /29s or larger) they will switch from an IP block being available from the modem to PPPoE with additional IPs being available via a routed subnet.

After some discussion and playing, I found out there are 2 ways to get a routed subnet working with a pfSense box.

Option A - Firewall handles PPPoE and subnet used on DMZ

This is the solution I went for recently for a new connection setup for a client.

  • Configure ADSL modem/router to run in fully bridged mode
  • Configure pfSense’s WAN interface to use PPPoE and fill in the appropriate information.
  • Configure the DMZ to use the routed subnet
  • Assign the first usable IP address to the DMZ interface (usually OPT1) on the pfSense box
  • Allocate the remaining IPs to the boxes in the DMZ
  • Setup your rules appropriately

Option B - Modem handles the PPPoE and subnet used on WAN

This method seems to make more sense for people moving from Layer 2 to Layer 3 connections. Please be aware that I haven’t tested this, but I am told it should work.

  • Configure ADSL modem/router to work as router connecting via PPPoE
  • Configure the Ethernet port on the modem/router to use the first usable IP address from the routed subnet range
  • Configure pfSense’s WAN interface to use a “static” connection and fill in the appropriate information, with the second usable IP address being assigned to the interface.
  • Assign any left over IP addresses as “Proxy ARP” addresses under Virtual IPs
  • Setup your rules and NATing appropriately

I hope someone find this useful.

Tags

Share this post