Using a chart like http://www.engineeringradio.us/blog/wp-content/uploads/2013/01/Subnet_Chart.pdf you can see the different /28 and /29 subnets that exist on a /24 network.

You would bind the .248/29 network to the WAN interface (use a /29 to leave a few extra addresses). Then you would bind a reserved network (10.X, 192.168.X, 172.16.X) to the LAN interface. Then on your third interface, you would bind multiple networks, .240/29, .232/29, .224/29, etc. to the OPT1/DMZ interface. Then each customer would put their equipment directly on that network. If the customers have routers themselves, you might want to set up a bunch of /30 networks (.252/30, .248/30, .244/30, .236/30, .232/30) for your and the customer's WAN interfaces. Then start down from .224 and assign /29 networks for the customer's DMZ/OPT1 interfaces. Unless the customer is running without NAT, then the addresses could be put on the customer's LAN interfaces. The big trick here is to make sure that none of your networks have overlapping IP address ranges. The chart above is very helpful for tracking different sizes. This means that you can't put .254 on one interface and .249/29 on a different interface, as those networks overlap.

Walter

On Tue, Mar 24, 2015 at 5:24 PM, Chris L <c...@viptalk.net> wrote:
>
> > On Mar 24, 2015, at 5:12 PM, Joseph H <jharde...@cirracore.com> wrote:
> >
> > I have a buddy and he wants to use pfSense as his firewall to protect his devices and also provide a gateway for customers. And he has asked me if I know of a good way to set this up, so I decided to ask the list.
> >
> > He has gotten a /24 subnet, he wants to use a small section of it for his web site and stuff, and then split off subnets to several customers. For instance, he was given a gateway of x.x.x.254 by his provider, he will use the x.x.x.249/29 for his own use, then wants to pass subnets through to his customers in say several /28's or /29's.
> >
> > Does anyone know of an easy way to set this up? He has a server with 3 interfaces to use for this.
> >
>
> To make this a LOT easier (or even possible at all without 1:1 NAT) he should ask the provider for a /29 or /30 for his WAN interface with the /24 routed to an IP address on that.
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
>

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding.
-- Justice Louis D. Brandeis

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
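An added example, not part of the thread: it carves a constructed 203.0.113.0/24 (standing in for the x.x.x.0/24) top-down the way Walter lays it out (WAN /29 at .248, /30 customer links below it, /29 customer DMZ networks below those) and checks that no two interface networks overlap, including the .254 versus .249/29 case. The functions `carve`, `overlapping_pairs` and `conflicts` are my own names, not pfSense or mailing-list code.

```python
# Added example (not from the thread): carve a /24 the way Walter lays it
# out and verify that no two interface networks overlap.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample block standing in for the provider's x.x.x.0/24
BLOCK = ipaddress.ip_network("203.0.113.0/24")


def carve(block: ipaddress.IPv4Network, p2p_count: int,
          dmz_count: int) -> Dict[str, ipaddress.IPv4Network]:
    """Hand out space from the top of the /24 downward: the top /29
    (.248/29) is the firewall WAN, so the provider's .254 gateway lands
    inside it; then /30 links for customers with their own routers; then
    /29 DMZ networks for customer equipment. Walks downward, /29 by /29."""
    slots29: List[ipaddress.IPv4Network] = list(block.subnets(new_prefix=29))[::-1]
    plan = {"wan": slots29.pop(0)}
    links: List[ipaddress.IPv4Network] = []
    while len(links) < p2p_count:  # split /29s into /30 pairs as needed
        links.extend(list(slots29.pop(0).subnets(new_prefix=30))[::-1])
    for i, net in enumerate(links[:p2p_count], 1):
        plan[f"cust{i}_link"] = net
    for i in range(1, dmz_count + 1):
        plan[f"cust{i}_dmz"] = slots29.pop(0)
    return plan


def overlapping_pairs(plan: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Every pair of interface networks that share at least one address."""
    items = list(plan.items())
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def conflicts(assigned: Dict[str, str], candidate: str) -> List[str]:
    """Names of already-configured interfaces (addr/prefix strings) whose
    network collides with the candidate 'addr/prefix'. The thread's example:
    .254/29 on WAN and .249/29 elsewhere are the same .248/29 network."""
    net = ipaddress.ip_interface(candidate).network
    return [name for name, ifc in assigned.items()
            if ipaddress.ip_interface(ifc).network.overlaps(net)]
```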