Router setup for weirdos like me
-
Your ISP is @large with allocations.
Use the /26 on your WAN and the /24 on your LAN.
Normal routing here, nothing fancy. No NAT, no bridging, nothing special.
Use DHCP on your LAN and distribute IPs with static allocations if you want to keep everything in one. All filtering can be done on pf WAN, even though this won't be the case if this is a hosting env.
Having said that, if your public facing hosts are also prone to attack each other behind your firewall, then you also need to segment your internal public zone.
-
So sorry guys, I didn't mean /26 for the "transport network". I meant /29, I only have 5-6 IPs as a "solution". I have a business where I run pfSense with this setup. For 12+ years or so, I used Fortigate/Fortinet firewall, but I have been using pfSense for maybe the last 6 years (with transparent setup/bridge - it worked, until some problems appeared and people suggested to just use pfSense with transport layer /29 on the WAN-side to solve it). With 3 years on this special solution with transport network /29 on WAN-side and /24 on LAN-side, it has given me pretty good uptime.
Yes, a 1 gig line is more than powerful enough, actually using around 10-30% of that at max :) We are talking webservers, wordpress-sites, some non-cloud software and nothing super crazy. Trustworthy servers/clients with software fw on each device (and I have access to them all) - with IDS software to help detect any unwanted activity and usually Configserver or similar with strict setup on each. This way, I haven't needed to learn subnetting or routing, only the fun parts, and licenses would work well on the cpanel/wordpress servers that bind to the IP (maybe it would work with NAT and having local IPs on them - but I suspect it would mean a lot more work). I would never have started this business if it wasn't for Fortinet and their simple transparent fw, big learning curve :)
So that's the history. You might ask why I'm not an expert network person after all these years, but the truth is that it started as a side business and I just learned whatever I could to keep me afloat - and no time to really learn it from the ground - and I still find networking outside my scope super hard. I meet myself in the door now that I have a 2nd location with backup gear and some other stuff. There is a limitation on power (expensive), so I can't have a full blown setup with devices (have a Mikrotik now) and I try to keep the number of units down. I need to have VMs that can be spun up and get a static IP with their own public IP as outgoing.
I don't have a /26 on my WAN available, at best I can ask for a /29 (I do have the /24 just as now for both WAN/LAN), but I guess I can't have that same network on both sides with normal routers as it would work against how routers/most fw work). But there isn't a way I can have a self-made local IP on the WAN-side I guess? ;) I was hoping it was enough that it had a gw to the ISP, that I could just enter their upstream gw. I need my ISP to somehow "put" an extra/different network on my line? It is also part of the story that I get two network plugs from them (redundancy), where they switch traffic for me if one of their switches goes down.
So your recommended solution: Ask my host on the backup-site for a dedicated /29 (transport network just for "show"), put that on the WAN-interface and use my /24 public static IPs on the inside. Then set up full NAT and it should automatically route this out with their public static IP. That should be the universal/best solution for all kinds of routers/fw?
-
@steveits said in Router setup for weirdos like me:
I suppose whether a 10.x.x.x subnet will work depends on your ISP, they may not route private IPs on their network. I have actually seen ISPs that do that on their own network to save IPs, it just means people can't use the same subnet on their LAN.
Ok, so maybe an option if they allow. Anyway, I would need their permission/setup, it wouldn't work for me to just create a 10.x private on the WAN just to "fool" the router/fw to allow me to use my /24 public network inside. Thanks :)
-
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public facing services from another location? NAT is the last of your worries in any case.
-
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
-
@fireix said in Router setup for weirdos like me:
I always have to "fight" different router and firewall vendors and can't use such a simple setup out of the box. Why is this?
Because you have an interface subnet not a proper transport network with the subnet routed to you there.
-
@netblues said in Router setup for weirdos like me:
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public facing services from another location? NAT is the last of your worries in any case.
Sorry to confuse you :) No, it is not the exact same services, it has a different purpose - but it is similar in setup to what I have been doing for years (similar in the way that I mostly have public servers and am not using private-IP-space). I have an OK setup today, but I would like an easier solution for this new site since I need to set up this site from scratch. I would like to simplify it compared to the Fortinet/pfSense-solution I have been running so far.
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
Yeah, that's what I basically have now, they publish the IP to the two network ports they have made available. So I can plug that cable into a switch and live well. But I do want a firewall (filter on IP-address and ports). In most cases, they seem to want me to have different network on each side (except "transparent" fortigate appliances - and even pfsense when configured with bridge and by disabling nat, just a bit more complicated for me) .
-
@fireix Why do you think you can’t have firewall rules? Allow from any to LANIP:443 etc.
Routers need different networks on interfaces so they know where to route. :) Bridges don’t route.
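To make the point about interface subnets concrete, here is an added Python model that is not code from the thread or from pfSense. It builds a routing table from the interface subnets, does a longest-prefix lookup, and applies a first-match "allow from any to LANIP:443" rule. All addresses (203.0.113.0/29 as the transport network, 198.51.100.0/24 as the routed public /24, 192.0.2.50 as an internet host) are constructed from the RFC 5737 documentation ranges; the interface names, rule format and function names are my own assumptions. With the same /24 on both ports, the lookup ties between WAN and LAN and the router has no usable decision; with a transport /29 on WAN, every destination resolves to exactly one interface.

```python
"""Constructed model of the two WAN layouts discussed in the thread.

Addresses are from the RFC 5737 documentation ranges and are made up for this example:
  203.0.113.0/29   transport network the ISP puts on the WAN link
  203.0.113.1      the ISP's gateway on that transport network
  203.0.113.2      the firewall's own WAN address
  198.51.100.0/24  the public /24, routed by the ISP to 203.0.113.2 and used on LAN as-is
  192.0.2.50       some host out on the internet
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None means directly connected


@dataclass(frozen=True)
class Rule:
    interface: str        # interface the packet arrives on
    dst: str              # destination CIDR, e.g. "198.51.100.10/32"
    port: Optional[int]   # None matches any port
    action: str           # "pass" or "block"


def build_routing_table(interfaces: Dict[str, str], wan: str, default_gateway: str) -> List[Route]:
    """Connected routes for each interface address plus a default route out of `wan`.

    `interfaces` maps interface name -> address/prefix configured on it, so
    {"WAN": "203.0.113.2/29", "LAN": "198.51.100.1/24"} yields two connected routes.
    """
    gw = ipaddress.ip_address(default_gateway)
    table = [Route(ipaddress.ip_interface(addr).network, name) for name, addr in interfaces.items()]
    # A router only accepts a gateway that sits inside the subnet of the interface it is set on.
    if gw not in ipaddress.ip_interface(interfaces[wan]).network:
        raise ValueError(f"{gw} is not on the {wan} subnet")
    table.append(Route(ipaddress.ip_network("0.0.0.0/0"), wan, gw))
    return table


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Longest-prefix match. More than one result means a tie the router cannot resolve."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return []
    best = max(r.prefix.prefixlen for r in matches)
    return [r for r in matches if r.prefix.prefixlen == best]


def forwarding_interface(table: List[Route], dst: str) -> Optional[str]:
    """The interface a packet to `dst` leaves on, or None when the table is ambiguous."""
    candidates = {r.interface for r in lookup(table, dst)}
    return candidates.pop() if len(candidates) == 1 else None


def filter_decision(rules: List[Rule], interface: str, dst: str, port: int) -> str:
    """First matching rule wins, the way pfSense evaluates its per-interface rules.

    With no match the packet is blocked, so on a routed (non-NAT) firewall the
    public hosts behind it are reachable only on the ports you explicitly pass.
    """
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.interface == interface and addr in ipaddress.ip_network(r.dst) and r.port in (None, port):
            return r.action
    return "block"


# Layout the thread recommends: a small transport subnet on WAN, the routed /24 on LAN.
ROUTED = {"WAN": "203.0.113.2/29", "LAN": "198.51.100.1/24"}
# Layout the original poster asked about: the same /24 on both sides of the router.
SAME_SUBNET = {"WAN": "198.51.100.2/24", "LAN": "198.51.100.2/24"}
# "Allow from any to LANIP:443" for one web server; everything else is dropped.
WAN_RULES = [Rule("WAN", "198.51.100.10/32", 443, "pass")]


if __name__ == "__main__":
    routed = build_routing_table(ROUTED, "WAN", "203.0.113.1")
    print("routed  : to 198.51.100.10 via", forwarding_interface(routed, "198.51.100.10"))
    print("routed  : to 192.0.2.50    via", forwarding_interface(routed, "192.0.2.50"))
    same = build_routing_table(SAME_SUBNET, "WAN", "198.51.100.1")
    print("same /24: to 198.51.100.10 via", forwarding_interface(same, "198.51.100.10"))
    print("same /24: to the gateway   via", forwarding_interface(same, "198.51.100.1"))
    print("WAN port 443 ->", filter_decision(WAN_RULES, "WAN", "198.51.100.10", 443))
    print("WAN port 22  ->", filter_decision(WAN_RULES, "WAN", "198.51.100.10", 22))
```

In the routed layout the default route and the connected /24 never overlap, so filtering can live entirely on the WAN rules and no NAT is involved. In the same-subnet layout even the ISP gateway address ties between the two ports, which is why a router or firewall in routed mode refuses that configuration and only a bridge (transparent mode) can sit in the middle.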
-
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
Ok, so you mean that it is the best solution? It is what I have at my original place. Just wondered if there is a way to do it without asking for more IP-ranges. And why do only devices like Fortigate provide this kind of mode.. Seems like Sophos also has it documented. I have this limited separation need, would love to just put the device into the WAN->LAN and have it behave as a fw instead of having to do hacks and tricks ;) Just power on, choose the firewall rules on IP and tcp/udp-ports and run. Right now, I have tried for hours to put a Unify USGX Pro into a line just to add some protection, but instead I have to learn so much. It is always a detail I miss, like sometimes hidden nat-rules are added - or special things needed for each different vendor.
-
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to, it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to, it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
Having a separate IPMI-network comes in handy in those situations :)
For not-that-technical users, I would think it would be a very welcome thing to have an easy method to enable transparent fw. But having tons of public webservers is maybe not what the average user does.
Thanks for your help and advice :)