I am trying to come up with a way to consolidate two routers into one. I have the following network configuration:
LAN  <-- a/24 --> NAT Firewall <-- x/29 --> Router <-- y/30 --> Internet
                                              |
LAN2 <-- b/24 --> NAT Firewall <--------------
where a/24 and b/24 are my internal subnets, x/29 is a small block of public IPs we have been assigned, and y/30 is the internet connection supplied by the ISP.
Typically the ISP would own the router, but in this case we will own the NAT firewalls and the router. I'd like to avoid setting up three separate pfSense appliances and want to consolidate the whole thing into something like this:
LAN  <-- a/24 --> Firewall/Router <-- y/30 --> Internet
                        |
LAN2 <-- b/24 <---------
I would still need to be able to assign an address from the x/29 block as the external NAT address for each LAN, and allow port forwarding on those addresses to servers on the LAN (ex: web server).
Is it possible to combine multiple route hops using a single pfSense firewall?
UPDATE: To clarify, the x/29 is routed 'through' the y/30 block from the ISP's standpoint. In other words, the GW for the x/29 is one of the addresses in the y/30 block.
Your diagram uses x/29 and y/30 while the text uses y/29 and z/30, and your update saying x/29 uses a y/30 gateway further confuses things as you cannot use a gateway on another subnet. Perhaps adding IPs and netmasks would help. I shall assume a/24, b/24, x/29, y/30 and that the gateway you are referring to is the router with x/29 and y/30 interfaces.
The short answer is yes. The a/24 and b/24 subnets just need to be connected to separate ports on the firewall. That can be done physically using multiple adapters, or by VLAN if your switch(es) support it. The external interface on the firewall can be given the y/30 address of the existing router. The existing firewalls' x/29 addresses can be set up as Virtual IP Addresses, or you could set up a stub VLAN interface for x/29. You will need to adjust the automatically configured NAT rules and firewall rules (e.g. LAN->Any will need to be duplicated as LAN2->Any).
The bigger question in my mind is what purpose the router, x/29, and firewalls were designed for as-is. Presumably the NATs a/24 and b/24 could have been hung directly off the y/30 router, and b/24 could have been hung off the a/24 firewall. Is there some other requirement being missed here? With a/24 and b/24 behind existing NATs, are they meant to stay isolated (in which case you will need to update the new firewall rules to deny LAN->LAN2 and LAN2->LAN), or should they be equal and routable with each other? Is x/29 in place to support additional (future?) devices like additional isolated firewalls "c/24", redundancy by allowing a second device, maintenance and upgrades by allowing a second device, etc.?
Unless there is something wrong with the y/30 router I would not get rid of it (i.e. it has already been paid for, and presumably will not be reused). The x/29 network provides additional flexibility that will be lost if you collapse the firewalls and router into a single device. Whether you need that flexibility is an entirely different matter.
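The rule set the answer describes, written out as an added example in the pf syntax that pfSense generates under the hood; it is not part of the original question or answer. The interface names (em0, em1, em2), the RFC 5737 documentation ranges standing in for a/24, b/24 and x/29, the choice of which x/29 address fronts which LAN, and the web server address are all constructed assumptions. In the pfSense GUI the x/29 addresses would be created as Virtual IPs (type "IP Alias", or "Other" if the block is routed to you and no ARP is needed) before the NAT rules below can reference them.

```pf
# Assumed interface assignments (example only)
ext_if  = "em0"   # WAN, holds the y/30 address formerly on the router
lan_if  = "em1"   # LAN,  a/24
lan2_if = "em2"   # LAN2, b/24

# Constructed addresses from the RFC 5737 documentation ranges
lan_net    = "192.0.2.0/24"      # stands in for a/24
lan2_net   = "198.51.100.0/24"   # stands in for b/24
x_nat_lan  = "203.0.113.1"       # x/29 address used as LAN's public NAT address
x_nat_lan2 = "203.0.113.2"       # x/29 address used as LAN2's public NAT address
web_server = "192.0.2.10"        # assumed web server inside LAN

# Outbound NAT: each LAN leaves the WAN using its own x/29 address,
# replacing the two separate NAT firewalls in the original design.
nat on $ext_if from $lan_net  to any -> $x_nat_lan
nat on $ext_if from $lan2_net to any -> $x_nat_lan2

# Port forward: HTTP/HTTPS arriving on LAN's public address goes to the web server.
rdr on $ext_if proto tcp from any to $x_nat_lan port { 80, 443 } -> $web_server

# Default deny, then explicit allows.
block all

# Keep the two LANs isolated from each other (the "deny LAN->LAN2 and
# LAN2->LAN" rules the answer mentions). Drop these if they should route freely.
block in quick on $lan_if  from $lan_net  to $lan2_net
block in quick on $lan2_if from $lan2_net to $lan_net

# LAN->Any and its LAN2->Any duplicate.
pass in  on $lan_if  from $lan_net  to any keep state
pass in  on $lan2_if from $lan2_net to any keep state
pass out on $ext_if keep state

# rdr only rewrites the destination; a filter rule must still admit the
# forwarded traffic, matched on the post-translation address.
pass in on $ext_if proto tcp from any to $web_server port { 80, 443 } keep state
```

Because the LAN isolation rules are `block in quick` on the inside interfaces, they fire before the LAN->Any pass rules regardless of ordering elsewhere, which is the same effect as placing a deny above the allow in the pfSense rule list. Rules are evaluated per interface, so the LAN2 duplicate of every LAN rule is required rather than optional.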