On Oct 16, 2010, at 9:16 AM, Lyle Giese wrote:

> li...@mgreg.com wrote:
>> Hi All,
>> 
>> Having a bit of a problem wrapping my head around a particular network 
>> setup.  Basically the scenario is as follows:
>> 
>> -- 1 ISP (Cable Internet Provider)
>> -- 5 Available static IPs
>> -- 1 Cable Modem
>> -- 1 Generic PC with 2 NICs (running pfSense)
>> -- 1 Gigabit Switch with 20+ PCs connected
>> 
>> 
>> The current physical setup is as follows:
>> 
>> ISP (5 STATIC IPs) --> CABLE MODEM --> pfSense Box (2 NICs) --> 32-port Gb 
>> Switch --> 20+ PCs
>> 
>> 
>> I need to be able to do each of the following:
>> 
>> 1)  Connect a router downstream from the pfSense box to use 1 of the 5 
>> available IPs -- so as to segregate networks
>> 2)  Route all traffic from 2 of the 5 available static IPs to a single PC 
>> whilst maintaining their "internal" (10.0.0.x) status.
>> 
>> I'm not really sure what I need to be looking into for this -- VLANs, BGP, 
>> General Multihoming, NAT?  Do I need more hardware?  Be as descriptive as 
>> you deem necessary.
>> 
>> Currently the entire network is just running off a single static IP address 
>> (i.e. a run-of-the-mill cable internet setup with pfSense box as the router)
>> 
>> 
>> 
>> Best,
>> 
>> Michael
>> 
>> 
> Not sure what you are going to use the second box for or why, but I
> would consider putting a switch between the cable modem and pfsense and
> just use one of the static ip addresses directly and not put that traffic
> through the existing pfsense box.
> 
> We do that for one of our larger clients and provide views in dns so
> that the internal PCs get different ip addresses for mail or the company
> website so that traffic never hits the routable ip addresses. The
> webserver and mail servers are dual homed with external and internal ip
> addresses.
> 
> Lyle


Thanks Lyle,

Basically we want a central point to monitor all incoming/outgoing traffic 
regardless of the network.  We just figure since we already have the pfSense 
box in place we'll pass through for whatever else we need.  Also, we want all 
but one of the boxes that get a STATIC IP to still be accessible internally.

For instance, our ISP gives us a pool of addresses from 85.100.100.46 - 50 (not 
real, but play along).   The main pfSense box will have 85.100.100.46 and will 
also control all traffic.  Then we'll have one box that actually *is* 
85.100.100.47 that isn't visible on the local network, then another box to 
which we simply pass all traffic that would otherwise route to 85.100.100.48 - 
50, but is still accessible via 10.0.0.x on the local network.

Obviously port forwarding is preferable in many cases, but in this particular 
case there are several services running on these machines that would require a 
great deal of port forwarding.  So, instead of doing that, we simply allow them 
to have their own "external" IP.

If there is no "good" way to do this (even via VLANs) from pfSense then I'll 
request an additional switch.  But I don't want to suggest the spending of more 
money unless 100% necessary.

Thanks again for any help.

Best,

Michael
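What Michael describes for the .48-.50 box (a public address mapped whole to a host that keeps its 10.0.0.x address) is what pf calls 1:1 NAT, or binat, which pfSense configures as a Virtual IP plus a 1:1 NAT entry. The rule set below is an added illustration in raw pf.conf syntax, not anything posted in the thread; the interface names, the 10.0.0.48 host address and the port list are assumptions, and the 85.100.100.x addresses are the invented ones from the post.

```pf
# Added example (not from the thread). Interface names and 10.0.0.48 are assumed.
ext_if = "em0"
int_if = "em1"

# Public addresses from the post. The firewall must also own .48 and .49 on
# $ext_if (IP aliases; in pfSense: Firewall > Virtual IPs) so it answers ARP.
pub_fw   = "85.100.100.46"
pub_srv1 = "85.100.100.48"
pub_srv2 = "85.100.100.49"

# LAN host that should answer for both public addresses (assumed).
int_srv  = "10.0.0.48"

set skip on lo0

# Everything else on the LAN leaves behind the firewall's own address.
nat on $ext_if from 10.0.0.0/24 to any -> $pub_fw

# 1:1 NAT: .48 <-> 10.0.0.48 in both directions; the host stays 10.0.0.48 on
# the LAN, so internal clients keep reaching it by its private address.
binat on $ext_if from $int_srv to any -> $pub_srv1

# pf's binat needs a distinct internal address per public address, so the
# second public address reaches the same host inbound-only via rdr; that
# host's own outbound connections will always leave as .48.
rdr on $ext_if from any to $pub_srv2 -> $int_srv

block in log all
pass out quick keep state

# Translation grants no permission: filter rules are evaluated after NAT, so
# the destination here is the INTERNAL address. The 1:1 mapping is what makes
# port forwarding unnecessary, but the allow list should still be explicit.
#
#   pass in on $ext_if from any to $int_srv keep state   # exposes every port
#
pass in on $ext_if proto tcp from any to $int_srv port { 80 443 } keep state

# LAN out to anywhere, including the mapped host by its 10.0.0.x address.
pass in on $int_if from 10.0.0.0/24 to any keep state
```

The .47 box that should hold a public address with no LAN presence is a separate interface or bridge question and is not covered here.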