0

We have an AS number for a C class (/24) and 2 providers.

Currently I have a Fortigate and a pfSense in the network. Fortigate is doing the BGP, and pfSense is doing the NAT, DMZ, VPN, VLAN.

We are using 1 IP to route all internal traffic, 1:1 NAT for DMZ servers,

I want to have everything in pfSense. I haven't seen any tutorial on how to configure this.

The problem seems to be that the 1:1 mapping needs to be associated to one interface.

I saw that in EdgeRouter from Ubiquity, they are using a term "black hole" when you don't know on which interface the traffic will be routed.

Does any one know if it possible o have NAT + BGP on the same pfSense machine?

Alin
  • 9
  • 2

1 Answers1

0

Possible, yes. Good idea, eh, probably not. OpenBGPD has stability issues at times, and there are inherent complications in stateful filtering and asymmetric routing. pf also performs poorly under DDoS, likely making it difficult to stay online even with a small scale attack. The network edge where you're doing BGP is the job for a router.

I'd do the BGP on routers rather than firewalls, put the firewalls inside a pair of routers (one per ISP, interconnected, for HA).

Chris Buechler
  • 2,938
  • 14
  • 18
  • It is true that pfSense is a firewall, not a router. My concern is that is not technical possible. – Alin Nov 05 '16 at 06:30