VIP setup for web hosting
-
Hello,
Setting up a new Netgate 6100 and virtualization host and looking for some advice on how best to configure it for my intended purposes.
Environment will consist of the following:
pfSense (Netgate 6100)
Edgeswitch Lite
2 Hyper-V Hosts
Let's say my ISP provides a public CIDR block: 1.1.1.0/26
pfSense configuration:
Upstream Gateway: 1.1.1.1
WAN IPv4: 1.1.1.2 (Should this be /26 as well?)
LAN IPv4: 10.0.0.1/24
The LAN will be reserved for management (pfSense, switch, host servers, management VMs, etc.)
Each Hyper-V host has 2 physical NICs that are joined as a team for performance/fault tolerance. There is a single virtual switch associated with the team.
I want to make the available public IPs (1.1.1.3-62) available for virtual web servers in a DMZ VLAN (VLAN 10). These VMs would have a VLAN ID of 10 set on their network adapter.
So I'd create a VLAN 10: 10.0.10.1/26
On configuring the Virtual IPs...
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html
According to this, I believe I'll want to use Proxy ARP and 1:1 NAT to route traffic to my web servers in the DMZ VLAN. If that's correct then:
Virtual IPs
Address Type: Network
Address(es): 1.1.1.0/26
NAT 1:1
Is it best to configure this per public IP, or the entire range? If the entire range, do I want to use 1.1.1.3 as the External subnet IP with the Internal set to 10.0.10.0/26? I didn't know if there was any potential conflict with the Gateway and WAN in this same subnet.
Obviously then there's the configuring of rules and likely pfBlockerNG-devel. Anything I'm messing up here or is this on the right path? Thanks in advance for any help or advice!
-
@wesleywillis said in VIP setup for web hosting:
Let's say my ISP provides a public CIDR block: 1.1.1.0/26
Did you only get this block, or do you have a primary IP, which the block is routed to?
WAN IPv4: 1.1.1.2 (Should this be /26 as well?)
Yes.
Otherwise pfSense would complain that the gateway IP is outside of the WAN subnet. You have to state the gateway in the WAN interface settings.
If you only have one block you need to assign each additional IP as type IP alias to WAN.
If the block is routed to the primary IP you can use the IPs in NAT rules without assigning them before.
NAT 1:1
Is it best to configure this per public IP, or the entire range?
Both are possible. You can also split the subnet into e.g. a /27 and some single IPs in the NAT rules.
If you use a subnet, the target IPs need to be sequential, of course.
-
Thanks for replying! Yes, I confirmed that I only get that block as described under 'Simple IP Subnet on WAN':
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#single-ip-subnet-on-wan
As for setting them up... Alias IP or Proxy ARP? I had been told previously (and configured the older router) to use Proxy ARP. But I'm not sure I'm clear on the differences?
Understood on the NAT. I want all available IPs to map 1:1 sequentially with their internal counterpart. So in my case the /26 block gets used as such:
1.1.1.1: Gateway
1.1.1.2: WAN
1.1.1.3 -> 10.0.10.3
1.1.1.4 -> 10.0.10.4
1.1.1.5 -> 10.0.10.5
and so on...
So I'm assuming it's easiest to just set up NAT 1:1 as such:
External IP: 1.1.1.3/26
Internal IP: 10.0.10.3/26
-
@wesleywillis said in VIP setup for web hosting:
I confirmed that I only get that block as described under 'Simple IP Subnet on WAN':
Yes, in this case you'd probably be better off going with Proxy ARP, so you can cover the whole subnet with a single VIP assignment.
It is a good way when you want to forward the whole subnet behind pfSense.
So I'm assuming it's easiest to just set up NAT 1:1 as such:
External IP: 1.1.1.3/26
Internal IP: 10.0.10.3/26
Possibly you may have to state the network address here, when using network type.
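The two checks the thread turns on (the upstream gateway must sit inside the WAN interface's subnet, and a network-type 1:1 NAT rule pairs public and internal addresses by their host bits, so the gateway and WAN addresses get internal counterparts that should stay unused) can be worked through offline. The following script is an added example, not code from the thread or from pfSense; it only reproduces the thread's constructed addresses (1.1.1.0/26, gateway 1.1.1.1, WAN 1.1.1.2, DMZ 10.0.10.0/26) with Python's standard ipaddress module, and it generalizes to any pair of equal-length prefixes.

```python
"""Sanity-check a 1:1 NAT mapping of a public block onto a DMZ block.

Added example (not part of the forum thread). All addresses are the thread's
own constructed values, not real assignments.
"""
import ipaddress


def check_wan(wan_ip_cidr: str, gateway: str) -> bool:
    """True when the upstream gateway lies inside the WAN interface subnet.

    This is the condition pfSense enforces: with WAN set to 1.1.1.2/32 the
    gateway 1.1.1.1 would be outside the subnet, with /26 it is inside.
    """
    iface = ipaddress.ip_interface(wan_ip_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def one_to_one_map(external: str, internal: str, reserved=()) -> dict:
    """Pair public and internal addresses the way a network-type 1:1 NAT does.

    Both sides are normalised to their network address (strict=False), which
    is why entering 10.0.10.3/26 and 10.0.10.0/26 describe the same block.
    The host bits are copied unchanged, so the prefix lengths must match.
    Public addresses listed in `reserved` (upstream gateway, pfSense WAN IP)
    are reported separately: their internal counterparts exist in the
    mapping but must not be handed to a DMZ VM.
    """
    ext = ipaddress.ip_network(external, strict=False)
    intn = ipaddress.ip_network(internal, strict=False)
    if ext.prefixlen != intn.prefixlen:
        raise ValueError(
            f"1:1 network NAT needs equal prefix lengths, got "
            f"/{ext.prefixlen} and /{intn.prefixlen}"
        )
    host_mask = int(ext.hostmask)
    reserved_set = {ipaddress.ip_address(r) for r in reserved}
    usable, skipped = {}, {}
    for pub in ext.hosts():
        # Keep the host bits of the public address, swap in the internal prefix.
        priv = ipaddress.ip_address(int(intn.network_address) | (int(pub) & host_mask))
        if pub in reserved_set:
            skipped[str(pub)] = str(priv)
        else:
            usable[str(pub)] = str(priv)
    return {
        "external": str(ext),
        "internal": str(intn),
        "usable": usable,
        "reserved": skipped,
    }


if __name__ == "__main__":
    # Constructed values from the thread.
    print("gateway inside WAN /26:", check_wan("1.1.1.2/26", "1.1.1.1"))
    print("gateway inside WAN /32:", check_wan("1.1.1.2/32", "1.1.1.1"))
    result = one_to_one_map("1.1.1.0/26", "10.0.10.3/26", ("1.1.1.1", "1.1.1.2"))
    print("rule covers", result["external"], "->", result["internal"])
    print("do not assign to VMs:", result["reserved"])
    first = sorted(result["usable"].items(), key=lambda kv: ipaddress.ip_address(kv[0]))[:3]
    print("first usable pairs:", first, "... total", len(result["usable"]))
```

The output makes the thread's last point concrete: the rule is really 1.1.1.0/26 to 10.0.10.0/26, sixty public addresses (1.1.1.3 through 1.1.1.62) map onto 10.0.10.3 through 10.0.10.62, and 10.0.10.1 and 10.0.10.2 should be left unused on the DMZ VLAN because their public counterparts are the gateway and the WAN address.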