
I'm colocating a 1U server with a 1U pfSense firewall (first time doing this) and the datacenter gave me the following:

IPv4 address block: x.x.x.225/28
Gateway: x.x.x.226
Subnet mask: 255.255.255.240

Using the available online subnet calculators, I see that my usable IP range is x.x.x.225 - x.x.x.238

The provider is giving me a single cable from their switch into my firewall.

  1. What IP address should I give the firewall and did they make a mistake on the gateway? That gateway seems to be one of my own usable IPs.

  2. What IP address should I set as a gateway in the firewall itself?

Winker
  • After having a look at your [other related question](https://serverfault.com/questions/869253/can-you-plug-the-ipmi-port-back-into-another-nic-in-the-same-server), which describes a wholly different topology (an ESX server with one VM acting as firewall and one client VM) I am thinking that you may be trying to bite off more than you can chew, and you **will** end up hurting yourself and/or your clients. That kind of setup isn't something one can cobble together with just some answers on SF... May I kindly suggest to get some qualified help with this setup? – fvu Aug 18 '17 at 17:31

1 Answer

> What IP address should I give the firewall

Any address you want that is not .225, .226 or .239

> and did they make a mistake on the gateway? That gateway seems to be one of my own usable IPs.

No, they didn't make a mistake. I'm personally not a huge fan of this sort of setup, but I have seen it before. Basically their router sits inside your broadcast domain. Ideally they would give you a /31 and a vlan tag for your uplink, but perhaps they are trying to save on IP addresses?

> What IP address should I set as a gateway in the firewall itself?

The IP address they told you to set - x.x.x.226


Things to note: There are potential problems with this setup. If you assign public IP addresses to other devices and use your firewall as the default gateway, when the packets come back they may bypass your firewall, as the upstream will not know to forward the packets to your firewall - it may just forward them directly to your devices (because their gateway is inside your subnet).

The ways around this are:

  1. Ask them to give you a /31 for the uplink to their network
  2. Put your firewall into transparent mode. Don't use it as a gateway, but rather have it "inline" with your uplink to their network, and set their router as the default gateway on all your machines with public IP addresses
  3. Assign all your public IP addresses to your firewall and use 1:1 NAT to translate them to internal IPs (yuck)
Mark Henderson
  • Thanks a ton for this help Mark. In the first line, did you mean `.255 and .256` or was that a typo and meant `.225 and .226`. I'm new to networking so just wanted to confirm. Your answer has provided a lot of clarity! – Winker Aug 18 '17 at 17:30
  • That was a typo - fixed! – Mark Henderson Aug 18 '17 at 17:31
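The two things worth checking before touching the firewall are the subnet arithmetic from the question (what the `x.x.x.225/28` line actually spans, and whether the stated gateway and mask belong to it) and the return-path problem the answer warns about (the provider's router delivering replies straight to a host inside the /28 instead of to the firewall). The script below is an added example and is not code from the question, the answer, or pfSense itself. It uses the RFC 5737 documentation block 203.0.113.0/24 as a stand-in for the redacted `x.x.x` prefix, and the firewall WAN address, the colocated server's address, the /31 uplink numbering and the provider's upstream next hop are made-up values chosen only to show the forwarding decision; everything else is the standard library `ipaddress` module.

```python
import ipaddress

# Constructed sample values: 203.0.113.0/24 (RFC 5737 TEST-NET-3) stands in for the
# redacted x.x.x.0 block; the /28, gateway and mask are the ones from the question.
PROVIDER_LINE = "203.0.113.225/28"      # the "IPv4 address block" as the datacenter wrote it
PROVIDER_GATEWAY = "203.0.113.226"
PROVIDER_NETMASK = "255.255.255.240"

# Hypothetical addresses used only to illustrate the forwarding behaviour.
FIREWALL_WAN = "203.0.113.227"          # pfSense WAN address picked from the block
COLO_SERVER = "203.0.113.230"           # a colocated server given its own public IP
UPSTREAM_CORE = "198.51.100.1"          # the provider's own default route (made up)


def describe_assignment(host_cidr, gateway, netmask=None):
    """Derive the block boundaries from a 'host/prefix' line the way a subnet
    calculator does, and check that the stated gateway and mask agree with it."""
    iface = ipaddress.ip_interface(host_cidr)   # keeps the host bits; .network drops them
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    hosts = list(net.hosts())                   # excludes network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "netmask_matches": netmask is None or str(net.netmask) == netmask,
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_count": len(hosts),
        "gateway_in_block": gw in net,
        "gateway_is_usable_host": gw in hosts,
    }


def firewall_wan_candidates(host_cidr, gateway, reserved=()):
    """Usable addresses left for the firewall's WAN interface once the provider
    gateway and any addresses you want kept out of the pool are removed."""
    net = ipaddress.ip_interface(host_cidr).network
    excluded = {ipaddress.ip_address(gateway)}
    excluded.update(ipaddress.ip_address(a) for a in reserved)
    return [str(h) for h in net.hosts() if h not in excluded]


class Router:
    """Longest-prefix-match forwarder standing in for the provider's edge router.
    A route whose next hop is None is directly connected: the router resolves the
    destination on that segment itself instead of handing the packet to a gateway."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(prefix), nh) for prefix, nh in routes]

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        if not matches:
            return None
        net, nh = max(matches, key=lambda m: m[0].prefixlen)
        return "direct" if nh is None else nh


# Topology the datacenter delivered: their router interface (.226) lives inside the
# customer /28, so the whole /28 is a connected route on their side.
provider_flat = Router([
    ("203.0.113.224/28", None),
    ("0.0.0.0/0", UPSTREAM_CORE),
])

# Option 1 from the answer: a /31 uplink (hypothetically 203.0.113.0/31, provider .0,
# firewall .1; both addresses are usable on a /31 per RFC 3021) with the /28 routed
# to the firewall's uplink address.
FIREWALL_UPLINK = "203.0.113.1"
provider_routed = Router([
    ("203.0.113.0/31", None),
    ("203.0.113.224/28", FIREWALL_UPLINK),
    ("0.0.0.0/0", UPSTREAM_CORE),
])


def reply_passes_firewall(router, dst, firewall_addrs):
    """True when the provider's return traffic to dst is handed to the firewall
    rather than delivered straight to the destination host."""
    return router.next_hop(dst) in set(firewall_addrs)


if __name__ == "__main__":
    for key, value in describe_assignment(PROVIDER_LINE, PROVIDER_GATEWAY, PROVIDER_NETMASK).items():
        print(f"{key:24} {value}")
    print("WAN candidates:", firewall_wan_candidates(PROVIDER_LINE, PROVIDER_GATEWAY))
    print("flat  : reply to", COLO_SERVER, "->", provider_flat.next_hop(COLO_SERVER))
    print("routed: reply to", COLO_SERVER, "->", provider_routed.next_hop(COLO_SERVER))
```

With the values from the question the block works out to network .224, broadcast .239 and fourteen usable hosts .225 to .238, so a gateway of .226 is simply one of those hosts, which is the situation the answer describes. The `Router` model shows why the firewall can be bypassed: in the delivered topology the provider's reply to .230 matches the connected /28 and is delivered "direct", never touching .227, whereas with the /31 uplink the /28 is a routed prefix and every reply is handed to the firewall's uplink address. Transparent (bridge) mode, the answer's option 2, avoids the problem for a different reason: the firewall sits on the wire in front of the hosts, so the provider's forwarding decision no longer matters.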