pfsense behind another pfsense


Patrick

Administrator
Staff member
Dec 21, 2010
Hey all,

Trying to set something up this weekend to start getting stuff ready for the next iteration of the STH colo. I am trying to have the following setup:

WAN /31 with ISP

pfsense #1 (WAN IP in the /31) - this box handles routing for the /27 public IP address block I have and all of the internal DHCP/ private IP address space and NAT'ing to the /27.

Now what I am trying to do is have a second pfsense box (say pfsense #2) have an address from the /27 so I can access it directly. Then I want to start building out a network behind the pfsense #2 box that I will transfer in two weeks to the new colo facility. Everything behind pfsense #2 can be on an internal IP address range, and no LAN/OPT ports on pfsense #2 will have any network connection to pfsense #1. The only exception is pfsense #2's WAN port, which can be added to an OPT port on pfsense #1.

Does anyone have ideas on how this can be done? Probably just tired from the week but am failing at this.

bds1904

Active Member
Aug 30, 2013
I think I am understanding this correctly.

Wan from ISP is 1.1.1.0/31
ISP has route 2.2.2.0/27 reachable via 1.1.1.2/31
Pfsense 1 has WAN IP 1.1.1.2/31
Pfsense 1 has WAN gateway 1.1.1.1/31
Pfsense 1 has LAN IP 2.2.2.30/27
Pfsense 1 has outbound nat disabled
Pfsense 1 firewall rule WAN "ipv4 destination this router drop"
Pfsense 1 firewall rule WAN "ipv4 destination 2.2.2.0/30 pass"
Pfsense 1 firewall rule LAN "allow all ipv4"
Pfsense 2 has WAN IP 2.2.2.1/27
Pfsense 2 has WAN gateway 2.2.2.30/27

Pfsense 1 can run DHCP for the "internal" public network, IDS and any other service you want. This is exactly what I do with my home network to run transparent IDS on everything.

You can also add a second interface to PFsense 1 for a private network that NATs out of 1.1.1.2/31. PFsense 2 could also have interfaces added for multiple public IPs on 2.2.2.0/30.

This example is one where RouterOS wins out: you can have multiple public IPs on a single interface NATing to the internal network.
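As an added check, not from the thread: a small Python script that validates the addressing plan in the post above with the standard ipaddress module and evaluates its two WAN rules top-down the way pfSense does (first match wins, anything unmatched hits the implicit default deny). The function names are mine; the 1.1.1.x/2.2.2.x values are the post's example addresses. Note that, taken literally, 1.1.1.1 and 1.1.1.2 do not share a /31 (a /31 pairs .0/.1 or .2/.3), which the check reports.

```python
import ipaddress


def check_plan(isp_link, pf1_wan, pf1_gw, public_block, pf1_lan, pf2_wan, pass_dst):
    """Return the list of inconsistencies in an addressing plan (empty = consistent)."""
    link = ipaddress.ip_network(isp_link)
    wan, gw = ipaddress.ip_address(pf1_wan), ipaddress.ip_address(pf1_gw)
    block = ipaddress.ip_network(public_block)
    lan, pf2 = ipaddress.ip_address(pf1_lan), ipaddress.ip_address(pf2_wan)
    passed = ipaddress.ip_network(pass_dst)
    problems = []
    if wan not in link or gw not in link:
        problems.append("pfSense 1 WAN IP and gateway are not both inside the ISP /31")
    if wan == gw:
        problems.append("pfSense 1 WAN IP collides with its gateway")
    if lan not in block or pf2 not in block:
        problems.append("pfSense 1 LAN IP or pfSense 2 WAN IP is outside the public /27")
    if not passed.subnet_of(block):
        problems.append("WAN pass range is not inside the public /27")
    if pf2 not in passed:
        problems.append("pfSense 2 WAN IP is not covered by the WAN pass rule")
    if lan in passed:
        problems.append("pfSense 1's own LAN IP falls inside the WAN pass range")
    return problems


def wan_verdict(dst, router_ips, pass_dst):
    """Evaluate the two WAN rules top-down, first match wins (how pfSense orders rules);
    a packet matching neither falls through to pfSense's implicit default deny."""
    ip = ipaddress.ip_address(dst)
    self_ips = {ipaddress.ip_address(r) for r in router_ips}  # the "This Firewall" alias
    rules = [
        ("drop", lambda p: p in self_ips),                        # destination this router: drop
        ("pass", lambda p: p in ipaddress.ip_network(pass_dst)),  # destination 2.2.2.0/30: pass
    ]
    for action, matches in rules:
        if matches(ip):
            return action
    return "drop"


if __name__ == "__main__":
    # Values as written in the post above (constructed example addresses, not real hosts).
    plan = ("1.1.1.0/31", "1.1.1.2", "1.1.1.1", "2.2.2.0/27", "2.2.2.30", "2.2.2.1", "2.2.2.0/30")
    print("plan problems:", check_plan(*plan) or "none")
    for dst in ("2.2.2.1", "2.2.2.30", "1.1.1.2", "2.2.2.17"):
        print(f"WAN packet to {dst}: {wan_verdict(dst, ('1.1.1.2', '2.2.2.30'), '2.2.2.0/30')}")
```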

Patrick

Administrator
Staff member
Dec 21, 2010
Yea, and the CCR1036 is sitting right next to the pfsense #2 box. I thought I did this setup last time, but let me see if that method works tomorrow.

Diavuno

Active Member
Two steps:

First, a simple 1:1 NAT of one of your /27 IPs:
all incoming on IP x.x.x.x goes to PFSense2.

And to set up the return trip (basically setting up PFSense2 as a /31 out of your /27):

pfSense 1 > Firewall > Virtual IPs
Add a new rule:
type: IP alias
interface: WAN
type: network
(IP address/subnet mask) (WAN IP of PFSense2)
Save and apply.

pfSense > Firewall > NAT
Outbound tab: save in manual mode, then add a new rule:
leave "Do not NAT" unchecked
interface: WAN
select protocols
source: (your internal server) (PFSense2)
destination: any
translation: choose your alias
Save and apply.

Move the rule up or down in the outbound mappings.

If all goes well then that box should go out on the IP specified in your alias.

Canadap

New Member
Nov 21, 2016
Why not plug the WAN link from the ISP into a VLAN-capable switch, set up DHCP on PFS#1 and then plug PFS#2 into the same VLAN? PFS#2 would be given a DHCP lease by PFS#1; in the future you only need to change the VLAN assignment to remove NAT from the equation.

We do this in our Colo with great results.

Edit: Not sure what this means in terms of security? I figured it out on the fly and haven't had anyone provide information indicating that the configuration presents undue risk...

Edit#2: I feel sheepish, palm>face my apologies for bringing this thread back, maybe it will be useful or relevant to someone in the future.