
pfSense and Routed Subnets

I have a few clients running IPCop firewall appliance boxes, but for more complex setups (such as multiple WAN connections) I use pfSense. pfSense is a FreeBSD-based firewall appliance. It comes in 2 flavours, one of which is designed to run on low spec embedded hardware, such as that sold by Yawarra Information Appliances. I know that I could just use bash scripts or Shorewall, but not all my clients are command line ninjas, and I have better things to do with my time.

Until recently in Australia, "residential grade" ADSL connections used PPPoA/PPPoE (aka Layer 3), while "business grade" services were almost exclusively RFC 1483 bridged connections (aka Layer 2). Earlier this year, Telstra Wholesale stopped offering Layer 2 connections, and they are now in the process of migrating all resellers' customers to Layer 3 services. For customers with a single usable static IP address this is unlikely to mean any real change. Customers with larger IP allocations (say /29s or larger) will switch from an IP block being available from the modem to PPPoE with additional IPs being available via a routed subnet.

After some discussion and playing, I found out there are 2 ways to get a routed subnet working with a pfSense box.

Option A - Firewall handles PPPoE and subnet used on DMZ

This is the solution I went for recently for a new connection setup for a client.

  • Configure ADSL modem/router to run in fully bridged mode
  • Configure pfSense's WAN interface to use PPPoE and fill in the appropriate information.
  • Configure the DMZ to use the routed subnet
  • Assign the first usable IP address to the DMZ interface (usually OPT1) on the pfSense box
  • Allocate the remaining IPs to the boxes in the DMZ
  • Set up your rules appropriately

Option B - Modem handles the PPPoE and subnet used on WAN

This method seems to make more sense for people moving from Layer 2 to Layer 3 connections. Please be aware that I haven't tested this, but I am told it should work.

  • Configure ADSL modem/router to work as router connecting via PPPoE
  • Configure the Ethernet port on the modem/router to use the first usable IP address from the routed subnet range
  • Configure pfSense's WAN interface to use a "static" connection and fill in the appropriate information, with the second usable IP address being assigned to the interface.
  • Assign any left over IP addresses as "Proxy ARP" addresses under Virtual IPs
  • Set up your rules and NATing appropriately
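The address assignments in the two option lists above can be worked out mechanically. The following is an added example, not part of the original post: a small planner that takes the routed subnet and returns who gets which address under Option A and Option B. The function name, the dictionary keys and the 203.0.113.8/29 documentation prefix are assumptions made for illustration.

```python
import ipaddress

def plan_routed_subnet(cidr, option):
    """Return the address plan for a routed subnet under Option A or B."""
    # strict=True rejects a prefix with host bits set (e.g. a mistyped .9/29)
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen > 30:
        raise ValueError("need an IPv4 routed subnet of /30 or larger")
    hosts = list(net.hosts())  # usable addresses: network/broadcast excluded
    if option == "A":
        # pfSense terminates PPPoE; the routed subnet sits on the DMZ (OPT1).
        return {
            "modem": "fully bridged",
            "pfsense_wan": "PPPoE",
            "pfsense_dmz": f"{hosts[0]}/{net.prefixlen}",
            "dmz_hosts": [str(h) for h in hosts[1:]],
            "dmz_host_gateway": str(hosts[0]),
            "dmz_host_netmask": str(net.netmask),
        }
    if option == "B":
        # The modem terminates PPPoE; the routed subnet sits on pfSense's WAN.
        return {
            "modem": "router, PPPoE",
            "modem_ethernet": f"{hosts[0]}/{net.prefixlen}",
            "pfsense_wan": f"{hosts[1]}/{net.prefixlen}",
            "pfsense_wan_gateway": str(hosts[0]),
            # Left-over addresses become Proxy ARP Virtual IPs; a /30 has none.
            "proxy_arp_vips": [str(h) for h in hosts[2:]],
        }
    raise ValueError("option must be 'A' or 'B'")

if __name__ == "__main__":
    # Constructed sample: a /29 from the RFC 5737 documentation range.
    for opt in ("A", "B"):
        print(f"Option {opt}")
        for key, value in plan_routed_subnet("203.0.113.8/29", opt).items():
            print(f"  {key}: {value}")
```

Under Option A the DMZ hosts carry the public addresses themselves, so the pfSense rules are what filters traffic to them. Under Option B the left-over addresses exist only as Virtual IPs on the firewall and reach internal machines through the NAT rules.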

I hope someone finds this useful.

persistent connections

Anonymous wrote:

How do you ensure persistent connections for banking, FTP, etc. in pfSense with a multi-WAN setup?

Thanks in advance.

Added Wed, 2007-09-26 21:14


Dave wrote:

When I use pfSense with a multi WAN config I have 2 distinct networks - WAN and a private IP network.

For load balancing, you can set up rules to ensure that the traffic goes where you want it to go. I don't have a lot of experience using such setups.

Added Tue, 2007-10-02 22:59

Hi There, I have an ISP that

Jonny wrote:

Hi There, I have an ISP that can give me 8 static IP addresses.

If I use pfSense, can I use PPPoE to gain the first public IP address, then use NAT to forward the other IPs to certain servers?

I don't wish to assign my internal servers/clients public IPs. How would I go about this?

Many Thanks for your help!

Added Tue, 2008-04-22 05:44

RE: Hi There, I have an ISP that

Dave wrote:

I am in a hotel room without access to my pfSense box, but IIRC you assign it as a Virtual IP address.

Added Tue, 2008-04-22 05:53

Hi my name is Andy, i'm A

andy wrote:

Hi, my name is Andy. I'm a technical assistant at ICT academy. I would like to know how to have two ISPs connected to pfSense?

Added Tue, 2010-07-20 21:28

Need PF Sense Knowledge

Vishal wrote:


I need your pfSense Guru Gyan (Knowledge). I have the following sample IP structure given by the ISP, and I need to configure my pfSense box.

WAN Pool: TCL end WAN IP: to be configured at provider router interface allocated for particular customer Customer end WAN IP: to be configured at customer end router WAN interface(interface facing provider, connecting provider link/cable)

LAN Pool: Customer router LAN Interface: to be configured at customer end router LAN Interface(interface facing customer LAN/switch)

Customer LAN equipments: to be configured at customer equipments/servers etc

Un-usable IPs: 1st & last: & Customer LAN Gateway: In router, LAN Pool to be routed towards provider end WAN IP:

Above is the sample concept used for IP routing for WAN/LAN or static routing. How to achieve this in pfSense I fail to understand, please help me out.

Regards Vishal Gupta

Added Wed, 2013-03-06 05:26

Hi Dave wondering what's DMZ in option A though?

Sid wrote:

Thanks for your post, it's really something I am after. Actually option A makes more sense to me. Just wondering what is the DMZ in option A? And also in option A is there any way to let you access the modem/router's web config interface? Cheers.

Added Tue, 2014-07-01 14:14

PFsense routed subnets

Victor R. wrote:

Hello Dave, I'm very new to PFsense, but I love the product.

I started using this at my workplace for a basic private setup, but I'd like to start using this with multi-WAN and more importantly with routed services from my ISP's spare IP blocks.

I was reading the above note, but since my ISP provides a direct fiber hand-off, I cannot apply the PPPoE solution. I'm wondering if these steps would simply be skipped and followed? -- (I will be trying this next)

My setup is ISP hand off --> /29 block1 - /25 block2. I want to break out block2 (/25) to distribute managed "public IPs" to customers and resell ISP services with traffic shaping or rate limiting services.

I've been googling around and cannot seem to find this type of setup, but again, I'm just newly introduced to PFsense, so I feel I've got a long way to go.

Any help would be greatly appreciated! Thank you


Added Mon, 2016-02-29 06:07