pfSense and Routed Subnets

I have a few clients running IPCop firewall appliance boxes, but for more complex setups (such as multiple WAN connections) I use pfSense. pfSense is a FreeBSD-based firewall appliance. It comes in 2 flavours, one of which is designed to run on low-spec embedded hardware, such as that sold by Yawarra Information Appliances. I know that I could just use a bash script or Shorewall, but not all my clients are command line ninjas, and I have better things to do with my time.

Until recently in Australia, "residential grade" ADSL connections used PPPoA/PPPoE (aka Layer 3), while "business grade" services were almost exclusively RFC 1483 bridged connections (aka Layer 2). Earlier this year, Telstra Wholesale stopped offering Layer 2 connections, and they are now in the process of migrating all resellers' customers to Layer 3 services. For customers with a single usable static IP address this is unlikely to mean any real change. Customers with larger IP allocations (say /29s or larger) will switch from an IP block being available from the modem to PPPoE, with additional IPs being available via a routed subnet.

After some discussion and playing, I found out there are 2 ways to get a routed subnet working with a pfSense box.

Option A - Firewall handles PPPoE and subnet used on DMZ

This is the solution I went for recently for a new connection setup for a client.

  • Configure ADSL modem/router to run in fully bridged mode
  • Configure pfSense's WAN interface to use PPPoE and fill in the appropriate information.
  • Configure the DMZ to use the routed subnet
  • Assign the first usable IP address to the DMZ interface (usually OPT1) on the pfSense box
  • Allocate the remaining IPs to the boxes in the DMZ
  • Set up your rules appropriately

Option B - Modem handles the PPPoE and subnet used on WAN

This method seems to make more sense for people moving from Layer 2 to Layer 3 connections. Please be aware that I haven't tested this, but I am told it should work.

  • Configure ADSL modem/router to work as router connecting via PPPoE
  • Configure the Ethernet port on the modem/router to use the first usable IP address from the routed subnet range
  • Configure pfSense's WAN interface to use a "static" connection and fill in the appropriate information, with the second usable IP address being assigned to the interface.
  • Assign any left over IP addresses as "Proxy ARP" addresses under Virtual IPs
  • Set up your rules and NATing appropriately
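
The address split that Options A and B describe, worked through as an added example (not part of the original post). The function name, the dictionary keys and the sample /29 from the RFC 5737 documentation range are assumptions made for illustration; the gateway entries are what the steps imply rather than something the post states.

```python
import ipaddress


def plan_routed_subnet(cidr, option):
    """Split an ISP-routed IPv4 subnet per Option A or Option B above."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("need an IPv4 block of /30 or larger")
    usable = [str(h) for h in net.hosts()]  # excludes network and broadcast
    base = {"subnet": str(net), "netmask": str(net.netmask)}
    if option == "A":
        # pfSense does PPPoE on WAN; the routed block lives on the DMZ (OPT1).
        return {**base,
                "pfsense_dmz_if": usable[0],
                "dmz_hosts": usable[1:],
                # Assumption: DMZ hosts route out via the pfSense DMZ address.
                "dmz_host_gateway": usable[0]}
    if option == "B":
        # Modem does PPPoE; the routed block sits between modem and pfSense.
        return {**base,
                "modem_ethernet": usable[0],
                "pfsense_wan": usable[1],
                # Assumption: pfSense's WAN gateway is the modem's address.
                "pfsense_wan_gateway": usable[0],
                "proxy_arp_vips": usable[2:]}
    raise ValueError("option must be 'A' or 'B'")


if __name__ == "__main__":
    # Constructed sample: a /29 from the RFC 5737 documentation range.
    for opt in ("A", "B"):
        print(opt, plan_routed_subnet("203.0.113.8/29", opt))
```

With a /29, Option A leaves five addresses for DMZ hosts, while Option B leaves four for Proxy ARP Virtual IPs because the modem and the pfSense WAN interface each consume one.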

I hope someone finds this useful.

Written by Dave on 26 Jul 2007

persistent connections

Anonymous wrote:

How do you ensure persistent connections for banking, ftp, etc. in pfsense with multi wan setup?

thanks in advance.
netraderbob@gmail.com

Added Wed, 2007-09-26 21:14

Routing

Dave wrote:

When I use pfSense with a multi WAN config I have 2 distinct networks - WAN and a private IP network.

For load balancing, you can set up rules to ensure that the traffic goes where you want it to go. I don't have a lot of experience using such setups.

Added Tue, 2007-10-02 22:59

Hi There, I have an ISP that

Jonny wrote:

Hi There,
I have an ISP that can give me 8 static IP addresses.

If I use pfSense, can I use PPPoE to gain the first public IP address, then use NAT to forward the other IPs to certain servers?

I don't wish to assign my internal servers/clients public IPs.
How would I go about this?

Many Thanks for your help!

Added Tue, 2008-04-22 05:44

RE: Hi There, I have an ISP that

Dave wrote:

I am in a hotel room without access to my pfSense box, but IIRC you assign it as a Virtual IP address.

Added Tue, 2008-04-22 05:53
