Netgate Discussion Forum

    Pfsense wan dmz apache vhosts public ips

    General pfSense Questions
    12 Posts 3 Posters 1.2k Views
    stephenw10 Netgate Administrator

      Do those xxx.xxx.xxx all represent the same prefix?

      .88 is the network address for that /29 and should not be used directly like that. .89 is the first usable address.

      That will work as long as your provider is routing xxx.xxx.xxx.88/29 to you via xxx.xxx.xxx.87

      If they have simply provided a /29 sized range of IPs on the WAN directly then you would have to bridge WAN and DMZ or use VIPs and port forwards.

      See: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#additional-static-ip-addresses

      Steve

      Understudy @stephenw10

        @stephenw10

        Thank you for the reply.

        Yes, the xxx.xxx.xxx. all represent the same prefix but I only receive the /29 range based on the last octet.

        The .87 IP address was to give the WAN its own IP.
        The .94 is a /29 that does not include the .87, which is a /32.

        Because the WAN and the DMZ can't be on the same subnet.

        Error received when that attempt was made.
        The following input errors were detected:

        IPv4 address xxx.xxx.xxx.88/29 is being used by or overlaps with: DMZ (xxx.xxx.xxx.94/29)
        This IPv4 address is the network address and cannot be used

        I appreciate the link. This is what I was reading in the documents.
        https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

        And the section titled IP assignments is where I got my information from. Along with the part about hybrid NAT but that is for outbound traffic.

        I see your link; it says:

        To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.

        So I am going to go with that. I mean, if I am wrong I'll come back and grovel for more information. Thank you for your help; I'll post a reply to let you and everyone know what happens.

        Again, thank you for the help I appreciate it.

        stephenw10 Netgate Administrator @Understudy

          @understudy said in Pfsense wan dmz apache vhosts public ips:

          To assign public IP addresses directly to hosts behind the firewall, a dedicated interface for those hosts must be bridged to WAN.
          So I am going to go with that.

          If your ISP is routing the /29 to you via the /32 WAN address then you don't need to bridge. And avoiding bridges is almost always preferable!

          It's unclear to me what IPs or subnets you actually have. What info has your provider actually given you?

          Steve

          Understudy @stephenw10

            @stephenw10

            The ISP has its gateway of .81.
            I originally just had an IP of .87.
            Then I got the range from .88 to .94. I don't believe anything was said about routing the range through .87. It is just legacy from when I first started using them. The .87 is a /32, so it is alone.
            The range is .88-.94/29, and that should all look for .81 (gateway), which so far it has been doing.

            I chose to use the .87 for the WAN because it was a stand-alone. The range .94/29 for the DMZ because it seemed a sensible setup.

            If I can avoid the bridge that would be great. So I will take any further advice, comments, or helpful links you can provide.

            Thank you again.

            stephenw10 Netgate Administrator

              If they are all using .81 as the gateway then they are all expecting to be in the same layer 2 segment as that. Hence you will need to use a bridge if you want to use those IPs on hosts in the DMZ directly.
              However, that then isn't a /29 subnet. You probably will need to expand that on the clients to something that includes the gateway.
              The DMZ interface in pfSense should not have an IP address in that case. pfSense can only have an IP address in a subnet.

              Steve

                Understudy @stephenw10
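The two addressing points made so far (".88 is the network address for that /29", and "if they are all using .81 as the gateway then they are all expecting to be in the same layer 2 segment") are easy to verify mechanically before touching the firewall. The following script is an added example, not code from the thread or from pfSense, and it uses 203.0.113 (an RFC 5737 documentation range) as a constructed stand-in for the redacted xxx.xxx.xxx prefix; the function names are mine. It checks whether an address is a usable host in its block, whether two interface assignments overlap (the input error the poster hit), whether a gateway is on-link for a given mask, and computes the smallest block that actually contains the gateway and all the public addresses, which is the layer 2 segment a bridged DMZ host would need in its mask.

```python
import ipaddress
from typing import Iterable

# Constructed stand-in for the prefix the poster redacted as xxx.xxx.xxx.
# 203.0.113.0/24 is a documentation range (RFC 5737), not the poster's real block.
PREFIX = "203.0.113"


def is_network_address(ip: str, prefixlen: int) -> bool:
    """True when ip is the network (all-zero host bits) address of its /prefixlen block.

    pfSense refuses such an address on an interface; this is the case behind
    the ".88 is the network address for that /29" remark and the input error.
    """
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return ipaddress.ip_address(ip) == net.network_address


def first_usable(ip: str, prefixlen: int) -> str:
    """First host address of the block containing ip (.89 for .88/29)."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return str(next(net.hosts()))


def overlap(cidr_a: str, cidr_b: str) -> bool:
    """True when two interface assignments land in overlapping blocks.

    .88/29 and .94/29 are the same /29, which is exactly the
    'is being used by or overlaps with: DMZ' error the poster saw.
    """
    a = ipaddress.ip_network(cidr_a, strict=False)
    b = ipaddress.ip_network(cidr_b, strict=False)
    return a.overlaps(b)


def gateway_on_link(interface_cidr: str, gateway: str) -> bool:
    """True when the gateway lies inside the interface's own subnet.

    If it does not, a host configured with that mask cannot ARP for the
    gateway directly, and a firewall with that mask would have to send
    replies to on-segment peers via the gateway instead of directly.
    """
    net = ipaddress.ip_network(interface_cidr, strict=False)
    return ipaddress.ip_address(gateway) in net


def smallest_enclosing_block(addresses: Iterable[str]) -> str:
    """Smallest CIDR block containing every address given.

    Walks up supernets from the first address until all are inside. For
    .81 (gateway), .87 (old WAN) and .88-.94 this yields a /28, i.e. the
    real layer 2 segment the provider appears to have put the poster in.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()
    return str(net)


def thread_checks() -> dict:
    """Run the checks over the constructed numbers from the thread."""
    gw, old_wan, first, last = (f"{PREFIX}.{o}" for o in (81, 87, 88, 94))
    segment = smallest_enclosing_block([gw, old_wan, first, last])
    return {
        "dot88_is_network_address": is_network_address(first, 29),
        "first_usable_in_29": first_usable(first, 29),
        "wan_88_overlaps_dmz_94": overlap(f"{first}/29", f"{last}/29"),
        "gateway_inside_29": gateway_on_link(f"{first}/29", gw),
        "real_segment": segment,
        "gateway_inside_real_segment": gateway_on_link(segment, gw),
    }


if __name__ == "__main__":
    for name, value in thread_checks().items():
        print(f"{name}: {value}")
```

Run it as-is to see the six results; substitute the real prefix and octets to check your own allocation. The key output is the last two lines: the gateway is not inside the /29, but it is inside the enclosing /28, which is why a /29 mask on bridged hosts (or on the firewall's WAN) cannot reach .81 without a detour.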

                @stephenw10

                Then I will create the bridge and go at it that way. Thank you.

                Should I have to do anything with the DNS?

                  stephenw10 Netgate Administrator

                  Clients will need to be statically configured for DNS. That could be the pfSense WAN IP as long as there are rules to allow that.
                  However, pfSense would then need to have its own subnet mask on WAN expanded in order to reply back to clients directly. Otherwise it will try to use the gateway, creating an asymmetric route.

                  Steve

                    Understudy @stephenw10

                    @stephenw10

                    Okay, so things are looking good.

                    I know I have a ton of stuff to set up on the firewall, but let's go over what I have here.

                    WAN xxx.xxx.xxx.94/29 up and working
                    LAN 192.168.1.1 up and working
                    DMZ up and working (no ip assigned)
                    Bridge0 up and working (no ip assigned) (WAN DMZ)

                    Firewall / Nat / Outbound
                    Outbound Nat Mode Hybrid
                    Mappings Do not NAT (enable)

                    Firewall / Rules / WAN
                    pass ICMP
                    pass DNS
                    pass 21, 22, 80, 443

                    LAN
                    Default ruleset

                    DMZ
                    No ruleset

                    Bridge0
                    No ruleset

                    I have tested on the LAN the standard items email, print, traffic out to internet. All is good.
                    On the Bridge0 I can see the web pages, I can also ssh in from remote location. ICMP works and the pages respond to DNS.

                    Overall this is a good start. I will close out this post; if there is a special button or something I press, I will do so.

                    Next up will be proper firewall rules, blocking, and logging.

                    Thank you for your help.

                      bingo600 @Understudy

                      @understudy

                      [image: screenshot of the address range (attachment 60c8ded7-99eb-4e6c-a1c9-f486e6aed1c0-image.png, not available in this copy)]

                      Seems like you "live" within "this" /28

                      But why would you insist on using the public IPs in the DMZ, and having to resort to all kinds of "trickery"?

                      Why not use pfSense VIPs that 1:1 NAT into the DMZ?

                      /Bingo

                      If you find my answer useful - Please give the post a 👍 - "thumbs up"

                      pfSense+ 23.05.1 (ZFS)

                      QOTOM-Q355G4 Quad Lan.
                      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

                        stephenw10 Netgate Administrator

                        There are some things that just work better with real public IPs directly. There are some things that are almost impossible to make work behind NAT. Mostly older PBX software, in my experience.
                        I've set up bridged DMZ interfaces like this in those situations.
                        However, it has always been using IPs that are all in one larger subnet like the /28 shown. I suspect that must be the case here.

                        Steve

                          bingo600 @stephenw10

                          @stephenw10
                          You make a point there ...

                          I have a "Major Brand" PBX that absolutely won't work if NAT'ed.

                          /Bingo


                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.