

pfSense and Routed Subnets

I have a few clients running IPCop firewall appliance boxes, but for more complex setups (such as multiple WAN connections) I use pfSense. pfSense is a FreeBSD based firewall appliance. pfSense comes in 2 flavours, one of which is designed to run on low spec embedded hardware, such as that sold by Yawarra Information Appliances. I know that I could just use bash scripts or Shorewall, but not all my clients are command line ninjas, and I have better things to do with my time.

Until recently in Australia, "residential grade" ADSL connections used PPPoA/PPPoE (aka Layer 3), while "business grade" services were almost exclusively RFC 1483 bridged connections (aka Layer 2). Earlier this year, Telstra Wholesale stopped offering Layer 2 connections, and they are now in the process of migrating all resellers' customers to Layer 3 services. For customers with a single usable static IP address this is unlikely to mean any real change. Customers with larger IP allocations (say /29s or larger) will switch from having the IP block available directly from the modem to PPPoE, with the additional IPs being delivered via a routed subnet.

After some discussion and playing around, I found out there are 2 ways to get a routed subnet working with a pfSense box.

Option A - Firewall handles PPPoE and subnet used on DMZ

This is the solution I went for recently for a new connection setup for a client.

  • Configure ADSL modem/router to run in fully bridged mode
  • Configure pfSense's WAN interface to use PPPoE and fill in the appropriate information.
  • Configure the DMZ to use the routed subnet
  • Assign the first usable IP address to the DMZ interface (usually OPT1) on the pfSense box
  • Allocate the remaining IPs to the boxes in the DMZ
  • Set up your rules appropriately

Option B - Modem handles the PPPoE and subnet used on WAN

This method seems to make more sense for people moving from Layer 2 to Layer 3 connections. Please be aware that I haven't tested this, but I am told it should work.

  • Configure ADSL modem/router to work as router connecting via PPPoE
  • Configure the Ethernet port on the modem/router to use the first usable IP address from the routed subnet range
  • Configure pfSense's WAN interface to use a "static" connection and fill in the appropriate information, with the second usable IP address being assigned to the interface.
  • Assign any left over IP addresses as "Proxy ARP" addresses under Virtual IPs
  • Set up your rules and NAT appropriately
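To make the address allocation in both options concrete, here is an added example (my own planning helper, not pfSense's code or any tool from the original post). Given a routed subnet and the LAN subnet, it works out which address lands on the pfSense OPT1 interface and which go to DMZ hosts for Option A, and which addresses go to the modem's Ethernet port, pfSense's static WAN interface and the Proxy ARP virtual IPs for Option B. The subnets are constructed sample values from the documentation ranges, not a real client's allocation; the overlap check is there because a routed block that collides with the private LAN breaks routing between the two segments.

```python
import ipaddress

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not a real allocation.
ROUTED_SUBNET = "203.0.113.8/29"   # hypothetical routed /29 from the ISP
LAN_SUBNET = "192.168.1.0/24"      # hypothetical pfSense LAN behind the firewall


def usable_hosts(cidr):
    """Return the usable host addresses of a subnet as strings.

    Network and broadcast addresses are excluded; strict=True rejects a
    block whose host bits are set (a common typo in ISP paperwork).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(h) for h in net.hosts()]


def plan_option_a(cidr):
    """Option A: pfSense terminates PPPoE and the routed subnet lives on the DMZ.

    The first usable IP is assigned to the DMZ interface (usually OPT1);
    every remaining usable IP is free for hosts in the DMZ.
    """
    hosts = usable_hosts(cidr)
    return {"opt1_interface": hosts[0], "dmz_hosts": hosts[1:]}


def plan_option_b(cidr):
    """Option B: the modem terminates PPPoE and the routed subnet sits on WAN.

    First usable IP -> modem's Ethernet port (and therefore pfSense's gateway),
    second usable IP -> pfSense WAN interface configured as "static",
    remaining usable IPs -> Proxy ARP entries under Virtual IPs.
    """
    hosts = usable_hosts(cidr)
    if len(hosts) < 2:
        raise ValueError("Option B needs at least two usable addresses")
    return {
        "modem_lan": hosts[0],
        "wan_gateway": hosts[0],
        "wan_interface": hosts[1],
        "proxy_arp_vips": hosts[2:],
    }


def check_no_overlap(routed_cidr, lan_cidr):
    """True if the routed subnet and the LAN subnet do not overlap."""
    routed = ipaddress.ip_network(routed_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    return not routed.overlaps(lan)


if __name__ == "__main__":
    if not check_no_overlap(ROUTED_SUBNET, LAN_SUBNET):
        raise SystemExit("routed subnet overlaps the LAN; pick another LAN range")
    print("Option A:", plan_option_a(ROUTED_SUBNET))
    print("Option B:", plan_option_b(ROUTED_SUBNET))
```

Run it with the ISP's actual routed block in place of the sample and copy the resulting addresses into the relevant pfSense pages; for Option B the "wan_gateway" value is what goes into the static WAN gateway field, since the modem's Ethernet port is the next hop.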

I hope someone finds this useful.

Most homes don't really have broadband in Australia

I am bashing out this post on an unreliable 384/64kbps UMTS (3G data) connection, which feels painfully slow at times compared to my 8000/384kbps (which is more like 6500/300) ADSL connection at home. Even when I had 1536/256kbps at home I felt like I was better off than a lot of other people. Most non geeks I know have 512/128kbps.

According to Democrats in the US Congress, 2Mbit/s should be the minimum speed for "broadband". Although that is now available to many homes in Australia, the cost of anything faster than 512/128 isn't seen as value for money by many people. I know several people who would like a lower quota and higher speeds for the same price as they are paying now. Even many businesses (less than 5 people) see 512/128 as being good enough for email and web browsing. 2048/512 would allow businesses to use new services such as VoIP and cheap video conferencing, which could improve the level of service they offer to their customers while improving the bottom line.

The biggest barrier to affordable high speed connections in Australia is Sol Trujillo and the other untrustworthy Wiggles at Telstra. Hopefully, if there is a change of government at the next Federal election, the "Group of 9" Fibre to the Node network might get built and be open to competition.