A handful of "getting started" routing questions
-
Long-time Gnatbox/GBOS user here. The fan on the GB850 started whining, GTA has closed up shop, so with recommendations from folks at the UBNT forums, decided to go with pfSense. Purchased a Netgate 6100, which is probably overkill, but would rather have some future-proof against increased bandwidth, etc. We have a block of 5 static IP addresses.
- if our block of usable IPs is WW.XX.YY.2-6, I would describe that as WW.XX.YY.2/29. Gateway will be WW.XX.YY.1. I have plowed through a chunk of the Netgate tutorials, and there seems to be some implication that I need to use VIPs to make this all work. Is that true? I can't just NAT/port-forward required services to the correct internal servers using IP addresses or aliases?
- everything suggests that local interfaces shouldn't have gateways explicitly assigned. But our DMZ (and quite a few of our LAN) machines have static internal IPs. With the Gnatbox, I was explicitly assigning these in the firewall to what you'd expect, and for DHCP, had the server handing out the same. The Netgate DHCP config allows providing a gateway for clients. If I leave both blank, for AA.BB.CC.0/24, what will the gateway default to? AA.BB.CC.1?
- lastly, not a routing question per se. I have assigned the WAN2 port on the 6100 to be our DMZ interface. From everything I have read/seen, that will route just like any other NIC, right?
Thanks in advance. Spent a fair while getting all the NAT stuff done, swapped the 6100 in for the GB850, and got nothing. I suspect I have some basic errors in the WAN interface settings, but would like to swat as many flies when I am next hooked up to the 6100 as possible.
--Richard
-
@rlmalisz said in A handful of "getting started" routing questions:
I need to use VIPs to make this all work. Is that true? I can't just NAT/port-forward required services to the correct internal servers using IP addresses or aliases?
pfSense needs to know those other IP addresses belong to it. Add them to the WAN (Firewall/Virtual IPs) as IP aliases and then in the NAT rule the Destination dropdown will have the aliases listed also.
local interfaces shoudn't have gateways explicitly assigned
If we're on the same page, that's saying the LAN interface itself doesn't need a gateway. Client devices on the LAN do need the pfSense set as their gateway, which you can do via DHCP.
assigned the WAN2 port on the 6100 to be our DMZ
The names of the ports on the device itself are irrelevant, you can use them for whatever you need.
-
@steveits So I have set up "Virtual IP"s for the extra WAN addresses. I can describe them in the comment field, but not give them meaningful names. I have IP Aliases set up for these IPs as well, and would expect that it's okay to use those aliases in NAT port forwards. Is that not true?
And I am sure this is okay, but can't hurt to ask while there are experts around: I mis-described the WAN definition above. It's actually XX.YY.ZZ.6/29, gateway is XX.YY.ZZ.1. One of the WAN-facing server addresses is XX.YY.ZZ.2. It's my hope that there isn't some convention that the base address in the subnet will get used by the Netgate as its primary. I can move things around, but there would be some disruption to the server sitting at .2 while a move to .6 propagates through the DNS universe. Given this definition of the WAN subnet, will the Netgate use .6 as its primary?
--Richard
-
@rlmalisz The .6 would be the primary. You can check Status/Interfaces or go to http://checkip.dyndns.org/ from behind it.
Yes you can use aliases in the NAT rules.
-
I also have a /29 subnet from my ISP. Because my router is a Fritzbox I am not able to use Virtual IPs, since the Fritzbox cannot do a port forwarding / Exposed Host to a MAC with multiple IPs (aliases).
Is there any way to add more physical network interfaces, each with its own public IP from the /29 subnet?
WW.XX.YY.2/29 - WAN2
WW.XX.YY.3/29 - WAN3
WW.XX.YY.4/29 - WAN4
...
-
@zulasch Possibly VLANs but the Fritzbox would presumably need to communicate on the VLAN... If not that then extra NICs in the pfSense router.
Can the Fritzbox just set the pfSense as its DMZ and forward all traffic?
-
Unfortunately the Fritzbox doesn't support DMZ, just the Exposed Host function, but this allows only one IP with a unique MAC address. This is also the big fail of the Fritzbox.
What do you mean with extra NICs? Because I have multiple NICs but this doesn't work:
WW.XX.YY.2/29 Gateway WW.XX.YY.1 -> WAN2 (NIC 1)
WW.XX.YY.3/29 Gateway None -> WAN2 (NIC 1) <- This is not working, I get the following error:
The following input errors were detected:
IPv4 address WW.XX.YY.3/29 is being used by or overlaps with: WAN2 (WW.XX.YY.2/29)
I have found that others have the same issue and tried OPNsense, so I decided to try it... It works; on OPNsense I am able to add extra NICs with the same /29 subnet. But I don't want to switch to OPNsense, because I like pfSense.
Is this a pfSense limitation?
zulasch
-
@zulasch I've always done that using a virtual IP. I suppose it makes sense that it blocks you because otherwise pfSense doesn't know where to route traffic for those other interfaces...if the route is set up the same on all of them (WW.XX.YY.0/29 is on WAN1 but also WAN2...check Diagnostics/Routes in both products to compare).
-
Yes, virtual IPs are the correct way, but this f..k Fritzbox
The routes are looking the same...
pfSense routes:
Destination       Gateway        Flags  Use      Mtu    Netif
default           WW.XX.YY.201   UGS    6859567  1500   vtnet0
...
WW.XX.YY.200/29   link#1         U      307660   1500   vtnet0
WW.XX.YY.205      link#1         UHS    188      16384  lo0
...
OPNsense routes:
Proto  Destination       Gateway        Flags  Use  MTU    Netif   Netif (name)
ipv4   default           WW.XX.YY.201   UGS    NaN  1500   vtnet0  WAN202
...
ipv4   WW.XX.YY.200/29   link#1         U      NaN  1500   vtnet0  WAN202
ipv4   WW.XX.YY.202      link#1         UHS    NaN  16384  lo0     Loopback
ipv4   WW.XX.YY.203      link#2         UHS    NaN  16384  lo0     Loopback
ipv4   WW.XX.YY.204      link#5         UHS    NaN  16384  lo0     Loopback
...
I really don't understand the difference between OPNsense and pfSense in this topic...
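As an added example (not code from the thread or from either project), the script below parses the two Diagnostics/Routes dumps pasted above, normalizes the pfSense and OPNsense column layouts, and flags local addresses whose link carries no connected route of its own, which is what the side-by-side comparison @steveits suggested boils down to. The sample tables are constructed from the thread's output with TEST-NET-3 addresses substituted for the WW.XX.YY placeholder.

```python
import ipaddress

# Constructed samples (not the thread's real addresses): the two dumps from the thread
# with TEST-NET-3 (203.0.113.0/24) substituted for the WW.XX.YY placeholder.
PFSENSE = """\
Destination      Gateway        Flags Use     Mtu   Netif
default          203.0.113.201  UGS   6859567 1500  vtnet0
203.0.113.200/29 link#1         U     307660  1500  vtnet0
203.0.113.205    link#1         UHS   188     16384 lo0
"""
OPNSENSE = """\
Proto Destination      Gateway        Flags Use MTU   Netif  Netif (name)
ipv4  default          203.0.113.201  UGS   NaN 1500  vtnet0 WAN202
ipv4  203.0.113.200/29 link#1         U     NaN 1500  vtnet0 WAN202
ipv4  203.0.113.202    link#1         UHS   NaN 16384 lo0    Loopback
ipv4  203.0.113.203    link#2         UHS   NaN 16384 lo0    Loopback
ipv4  203.0.113.204    link#5         UHS   NaN 16384 lo0    Loopback
"""

def parse_routes(text):
    """Return (destination, gateway, netif) tuples. Columns are located by header name,
    so OPNsense's extra Proto and 'Netif (name)' columns need no special casing."""
    lines = [l for l in text.splitlines() if l.strip() and l.strip() != "..."]
    hdr = lines[0].split()
    idx = [hdr.index(c) for c in ("Destination", "Gateway", "Netif")]
    return [tuple(line.split()[i] for i in idx) for line in lines[1:]]

def connected_prefixes(routes):
    """Directly connected networks: gateway is link#N and destination has a prefix length."""
    return {ipaddress.ip_network(d): g for d, g, _ in routes
            if g.startswith("link#") and "/" in d}

def local_addresses(routes):
    """The box's own addresses show up as host routes to lo0, tagged with their link#N."""
    return {ipaddress.ip_address(d): g for d, g, n in routes if n == "lo0"}

def orphan_addresses(text):
    """Local addresses whose own link has no connected route for their subnet. Traffic
    toward that subnet (and so toward the default gateway) leaves via whichever interface
    holds the connected route, here vtnet0, so the extra NICs are not independent uplinks."""
    routes = parse_routes(text)
    prefixes = connected_prefixes(routes)
    return [str(a) for a, link in local_addresses(routes).items()
            if not any(a in net and g == link for net, g in prefixes.items())]

if __name__ == "__main__":
    for name, dump in (("pfSense", PFSENSE), ("OPNsense", OPNSENSE)):
        print(name, "addresses without their own connected route:", orphan_addresses(dump))
```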