> -----Original Message-----
> From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On Behalf Of Jason T. Slack-Moehrle
> Sent: Friday, February 10, 2012 1:51 PM
> To: pfSense support and discussion
> Subject: Re: [pfSense] pfSense help with creating rules
>
> Hi,
>
> Wait, are you saying I could just pay Comcast for 14 addresses and create a routed subnet myself and not have them do it?
>
> Or could I just have them create for me a 2nd IP block of 1 IP, load that on the modem with my block of 5 and somehow create a routed subnet from the /31 to my /29 without them, so that pfSense is set up the correct way?
>
> OK, Comcast called me back and they are saying for me to:
>
> 1. Load my /29 on the WAN port of the pfSense box
> 2. Create a VLAN for something like 10.0.0.x
> 3. Create a 1:1 NAT for the public IPs in the /29 to a 10.0.0.x
> 4. Assign my servers a 10.0.0.x address, etc.
>
> They say they cannot create a routed subnet for me because the modems they use cannot handle loading of multiple IP blocks.
>
> Is this viable?
>
> -Jason
So, as expected, they recommend port forwarding. (1:1 NAT is a special case of port forwarding, or vice versa depending on how you want to look at it.) The excuse about the modem not handling it is complete BS; what they really mean is "we don't have an operational procedure to support this, and we don't feel like developing one, so we'll make up a plausible-sounding technical reason". They'll be using a Cisco uBR7206 at the very minimum to handle HFC routing; it might not be Cisco in your area, or it might not be a uBR platform, but your next-hop router WILL be capable enough to handle a single static route. All the modem has to do is its traditional function of bridging a single MAC address back and forth over the wire. Depending on the modem, they *may* have to turn off some of the IP security features ("snooping") in the modem.

However, there's nothing that says you have the "right" to a properly-routed subnet - Comcast has no obligation whatsoever to provide this service to you at any price. It doesn't really matter, as you have two other viable options available to you (NAT and bridging, or both if you want a traditional DMZ).

The other thing is - even if you get a routed subnet out of Comcast, do you really want to be the guinea pig in your operating territory? Relying on something where you're the only customer affected if something goes wrong is a good way to garner a lot of needless downtime. If you're using the "regular" service, and something goes wrong, you'll be back in business as soon as everyone else is - which is usually fairly quickly, because HFC network outages tend to be all-or-nothing events. Standardization would be, IMHO, worth the extra complexity and/or effort.

This is the way I set up any firewall on a cable modem nowadays; even DSL providers are starting to adopt this model for "small business" customers (i.e. /28 or smaller) in some cases.

Or, in short: yes, just go with what Comcast wants you to do.
You can create a separate DMZ if you want to keep the servers off your LAN, if necessary. It's not usually necessary unless you're running a public website. (Which, BTW, might violate your Comcast Terms of Service - check to be sure. No sense getting shut down by your ISP for something avoidable.)

-Adam Thompson
athom...@athompso.net
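For readers who want to see what the four-step layout Comcast suggested (public /29 on WAN, a 10.0.0.x DMZ VLAN, 1:1 NAT for the public addresses, servers on private addresses) looks like in plain pf syntax, here is an added illustration. It is not from the thread and not the ruleset pfSense generates from its GUI; pfSense builds the same thing from Firewall > NAT > 1:1 plus a Virtual IP entry for the extra public address. Interface names, the 203.0.113.8/29 documentation-range block, the 10.0.0.0/24 DMZ and the single web server are all made-up assumptions. The point worth noticing is the last section: a 1:1 NAT entry only rewrites addresses, it does not open any ports, so the WAN filter rules decide what is actually reachable.

```pf
# Added example, not the thread's or pfSense's own configuration.
# Assumed layout (all addresses are constructed):
#   em0     = WAN carrying the public /29 203.0.113.8/29
#             (203.0.113.9 = Comcast gateway, 203.0.113.10 = pfSense WAN)
#   em1     = LAN, 192.168.1.0/24
#   em1.10  = DMZ VLAN, 10.0.0.0/24 (Comcast's "10.0.0.x" suggestion)
#   one web server at 10.0.0.10, published as 203.0.113.11
ext_if   = "em0"
lan_if   = "em1"
dmz_if   = "em1.10"
lan_net  = "192.168.1.0/24"
dmz_net  = "10.0.0.0/24"
web_pub  = "203.0.113.11"
web_priv = "10.0.0.10"

# --- Translation rules (in the old pf syntax pfSense uses, these come first) ---

# 1:1 NAT: binat rewrites both directions, 203.0.113.11 <-> 10.0.0.10.
# The firewall must also answer for 203.0.113.11 on the wire, which is what the
# pfSense Virtual IP (type "IP alias") entry does; pf alone does not add it.
binat on $ext_if from $web_priv to any -> $web_pub

# Everything else in the DMZ and LAN shares the WAN address on the way out.
nat on $ext_if from { $dmz_net, $lan_net } to any -> ($ext_if)

# --- Filter rules: default deny, then only what the server actually serves ---

# A binat entry opens nothing by itself; without the "pass in" below, inbound
# connections to 203.0.113.11 are translated and then dropped here.
block log all

pass out quick on $ext_if keep state

# Inbound translation happens before filtering, so the WAN rule matches the
# private (translated) address. Only HTTP/HTTPS are exposed, not every port
# the server happens to listen on.
pass in on $ext_if proto tcp from any to $web_priv port { 80, 443 } keep state

# DMZ hosts may reach the Internet but not the LAN; a compromised web server
# should not get a free path to the workstations.
block in log on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state

# LAN may go anywhere (including managing the server in the DMZ).
pass in on $lan_if from $lan_net to any keep state
```

In pfSense terms the same design is: the /29 on the WAN interface, an IP alias Virtual IP for 203.0.113.11, one 1:1 NAT entry mapping it to 10.0.0.10, and WAN rules that allow only TCP 80 and 443 to the server's private address (pfSense rules for 1:1 NAT are written against the internal address, matching the translated-before-filtered behaviour shown above). Everything else stays blocked by the default deny, which is the part a 1:1 mapping is easiest to forget.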