WAN is /29
-
Hello, I'm stuck here with initial design. My WAN is a /29 giving me 5 static IPs, with the default gateway on the ISP's cable modem. It's delivered all on one ethernet port.
I can assign one of the IP's to the WAN side of pfsense = joy with me able to make a connection to the outside with the LAN side.
The pfsense box has 6 ports - WAN, LAN, Opt 1 - Opt 4. I want to have my home network (wired) on LAN. I also want to have my home wi-fi on its own IP (Opt1)? Next I have two web sites that I'm building and want each to have their own static IP. I know, so much typing... how do I get the /29 network to work with only one WAN?
ISP---/29-----> PFSENSE ----WAN (1 IP), LAN to wired home;
-----OPT1 (2nd IP) to home wifi access point;
--- OPT2 (3rd IP) to web server 1;
----OPT3 (4th IP) to web server 2;
---- OPT 4 (reserved...for when I become rich and famous!)
Any bit of help is GREATLY appreciated since I'm probably WAY off target with this design..... Thank you -
@ross-0 This should get you started: https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html
Also, read through to the next page on Virtual IPs. If any issues, post back and someone will surely assist.
pops
-
If the /29 is provided to directly on the WAN, rather than routed to you via some other IP, then you will have to use Virtual IPs and NAT traffic to/from them to where ever you need it.
-
use the /29 only on WAN interface, use VLANs internally. You will only consume a single IP in the /29, but that's OK. You could set up a CARP VirtualIP using another of the IPs in the /29, then if you ever got a second firewall and wanted HA you could pass the VirtualIP back and forth as a floating WAN IP.
Definitely place all the devices either on VLANs using the LAN interface, or use the OPT interfaces for the separate networks but only connected internally. What you are trying to do doesn't make much sense as it's written to be honest, but maybe I'm just reading it wrong. -
@jlw52761 Hello, I'm confused, why doesn't it make sense? I know it's not working, so my logic must be fubar that's why you're all confused.
I have one /29 of public IP addresses delivered from Spectrum modem to me via one ethernet cable. The gateway (which is assigned to the modem), and 5 usable IPs for me. If I attach a laptop directly to the modem and assign each static IP to it, they work and "what's my IP" shows each of them correctly.
My Hopes: I need to use 1 IP for home (wired), 1 IP for my wireless "smart devices", and two IPs for web servers I'm trying to bring up, with one reserved for future confusion! Each web server will be on one of the public IPs initially until I learn how to NAT (whatever) them so they are safer.
Failures so far:
I tried to bridge the opt 1 to WAN (WAN assigned 2nd IP, with 1st as gateway on modem), attaching my laptop to opt1 with one of the static IPs assigned to it = no joy.
I created virtual IPs, for each of the 4 IPs individually on the WAN side, bridged the opt1 to the WAN. Attached laptop to opt1, assigned each of the 4 IPs to the laptop (one at a time) = no joy.
I then tried to virtual IP a /29 (all addresses w/the network as the assignment w/ a /29 on the WAN..... same results = no joy.
I know, this is really silly, but I had to try/learn....I even attached the cable from the modem to a switch, I connected 5 cables to pfsense (I have a six port device) with the LAN only left (now totally defeating my hopes). I assigned each of the public IPs to wan and opt 1-4. LAN worked with the WAN assignment, but now I have no ports for my "dreams". = no joy.
I know it can be done, I'm just bewildered about how! :(.... ah duh!!! I'm not smart, but I keep persevering until success. )
I hope that helps your confusion, I know it's no where near what I'm experiencing right now. (stealing your blues!! :) So BIG THANKS for your help and reply.
---Ross -
@ross-0 No bridging…once the virtual IPs are set up on WAN use hybrid/manual outbound NAT rules to control outgoing connections. Normal NAT for any inbound (destination vip, not WAN IP).
-
@ross-0 Did you add firewall rules to the OPT interfaces?
LAN is the only interface with a default ANY rule. -
@ross-0 It doesn't make sense because in order to "assign" the public IPs to those networks, you have to use NAT, which you've stated you don't want to do. The only other way to do that is have things on the public side of the firewall, like when you plugged your computer directly into the cable modem.
Additionally, pfSense will treat the LAN, and OPT interfaces as internal LAN interfaces and want to route traffic out through the WAN interface, which by default has Automatic Outbound NAT configured. You can configure the other interfaces to act as a WAN interface and perform direct routing and outbound NAT, but there's no advantage to that in your scenario. You only need the single IP on the WAN interface, the other interfaces will be internal and route traffic out through the WAN. If you want to have the other external IP's "map" to an internal server, you have to use NAT and Port Forwarding, which is not difficult, but those IPs get added to the WAN interface, as detailed here Methods of Using Additional Public IP Addresses, which in your scenario is done by adding Virtual IP's (VIPs) to your WAN interface.
If you don't want to use NAT and have a server respond to a public IP address, then that server must be on the outside of the firewall and the IP directly assigned there.
That's just how networking works, which leads me to say no, it can't be done in the manner you are describing. The WAN is the only interface to have public IP's in most circumstances, including yours. Cases where this won't be true is if you have Multi-WAN, i.e. two ISPs feeding the same firewall.
Now, there is a mention of Bridging, where you take one of the OPT interfaces and place it in Bridge mode, which is no different than having the machine directly attached to the modem. This is an outlier case and not often used because of the risk. You remove the firewall from the equation at that point, including all of its security.
One thing to remember, with most firewalls, pfSense included, you can't assign public IPs to the OPT ports that are in the same subnet as the main WAN subnet, they each have to have a unique gateway. Using DHCP you can get around this, but it's not recommended to have more than one interface in the same subnet as another. This again, is not unique to pfSense and is pretty bog standard in firewalls due to the way L3 routing works.
This is why I'm confused about what you are posting and wanting. It's just not possible for one part, and the desire to use all 5 IP's that you've been given is really not even needed unless you are hosting a lot of services internally that all use the same port ranges.
-
@ross-0 If your goal is really to use the public IPs directly you'll need another public IP from your ISP, as noted above, so they can route your subnet. See https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html. Note you aren't going to be able to use those on multiple interfaces unless you manage to split that /29 into smaller subnets but you'll lose IPs that way because the pfSense interfaces will need one.
1:1 NAT is also possible with pfSense, to forward all ports. But that is also using NAT.
-
Yes, you have a single subnet on WAN so you should be using VIPs and NATing them:
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#single-ip-subnet-on-wan
The only other option there is to bridge WAN with an internal interface and use the same subnet across both. That is far more complex to configure though.
Steve
-
@jlw52761 Hello Again, I'm still at it with some success. I'm ashamed to admit English is my first language...I didn't know how to NAT, not that I didn't want to.... but with your guidance and the help of others here that responded = much more success.
-
OPT1 = 192.168.10.1/30 with my laptop attached to it with static 192.168.10.2/30. ---- OPT1 rule = Source= OPT1net - Destination = any = joy. Pings internet; has internet, pings WAN address and gateway (modem).
-
Created Virtual IP (Proxy ARP) Interface= WAN; Address type = network; Address = 2nd public IP/32 (not sure about this "32").
-
Created 1:1 NAT Interface= OPT1; External subnet = single address of 2nd public IP; Internal IP = single host of 192.168.10.2 (laptop on OPT1); no destination IP.
Laptop can ping WAN gateway (modem), WAN Address, NOT VIP address Hmmmm...???, Pings Internet (8.8.8.8), pings OPT1 address (laptop's gateway) ... so at this point I started to "snoopy dance" ....
BUT (there is always something!) I have NO internet access via browser on the laptop. I tried some rules on the WAN, and OPT1 = no joy. So I'm almost there.... :).... where am I going wrong?
All this because last year my WatchGuard XTM device hit EOL and now I'm having all kinds of internet problems. Once pfSense is here = no more internet problems... imagine that! (other than above!!! :) THANK YOU
---Ross -
-
@ross-0 said in WAN is /29:
2nd public IP/32 (not sure about this "32"
That should also be a /29 so it can connect to the WAN gateway.
-
The VIP subnet could be /29 or /32 but it should be IPAlias really. If you make a /29 ProxyARP VIP it will respond to all IPs in that subnet including some that it shouldn't. Also ProxyARP will not respond to ping, as you found.
The 1:1 NAT rule should be on the WAN. That's where the translation should take place.
Did you put pfSense on the XTM? Assuming it's an x86 model.
Steve
-
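As an added example (not from the thread or from Netgate), a small Python check of the layout the thread converges on: one /29 on WAN, IP Alias VIPs, and 1:1 NAT on WAN to a host behind OPT1. The addresses are constructed RFC 5737 values, not the poster's real allocation, and the check also shows why a /29 Proxy ARP VIP answers for addresses it shouldn't, as Steve points out above.

```python
import ipaddress

# Constructed documentation addresses (RFC 5737), not the poster's real allocation.
WAN_NET = ipaddress.ip_network("203.0.113.8/29")    # the ISP's /29 on WAN
ISP_GW = ipaddress.ip_address("203.0.113.9")        # 1st usable: modem gateway
WAN_IP = ipaddress.ip_address("203.0.113.10")       # 2nd usable: pfSense WAN address
OPT1_NET = ipaddress.ip_network("192.168.10.0/30")  # private subnet behind OPT1

# Virtual IPs on WAN as (address, prefix, type); the working plan uses IP Alias /32.
VIPS = {"vip_web1": ("203.0.113.11", 32, "ipalias")}
# 1:1 NAT entries as (interface, external address, internal host).
# 1:1 NAT only translates; WAN firewall rules still decide what reaches the host.
ONE_TO_ONE = [("wan", "203.0.113.11", "192.168.10.2")]


def vip_answers_for(addr, prefix):
    """Addresses a Proxy ARP VIP with this mask would answer ARP for.
    A /29 claims the whole block, including the ISP gateway and the WAN address."""
    if prefix >= 32:
        return {ipaddress.ip_address(addr)}
    return set(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).hosts())


def check_plan(vips=VIPS, one_to_one=ONE_TO_ONE):
    """Return a list of design problems; an empty list means the plan is consistent."""
    problems = []
    for name, (addr, prefix, kind) in vips.items():
        ip = ipaddress.ip_address(addr)
        if ip not in WAN_NET or ip in (ISP_GW, WAN_IP):
            problems.append(f"{name}: {addr} is not a free address in {WAN_NET}")
        if kind == "proxyarp":
            clash = vip_answers_for(addr, prefix) & {ISP_GW, WAN_IP}
            if clash:
                problems.append(f"{name}: Proxy ARP /{prefix} would answer for "
                                + ", ".join(sorted(map(str, clash))))
    vip_addrs = {v[0] for v in vips.values()}
    for iface, ext, internal in one_to_one:
        if iface != "wan":
            problems.append(f"1:1 NAT for {ext}: put it on WAN, not {iface}")
        if ext not in vip_addrs:
            problems.append(f"1:1 NAT for {ext}: no VIP with that address on WAN")
        if ipaddress.ip_address(internal) not in OPT1_NET:
            problems.append(f"1:1 NAT for {ext}: {internal} is not inside {OPT1_NET}")
    return problems
```

Running `check_plan()` on the defaults returns an empty list; swapping the VIP for a /29 Proxy ARP entry and putting the 1:1 NAT on OPT1 reproduces both mistakes from the thread.
-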
Redundancy here from previous posts... just wanting to be specific and correct.
OPT1- Enabled; Static IPv4; Address=192.168.10.1/30; no gateway; no reserved networks.
Laptop attached to OPT1 = 192.168.10.2/30
RULES- interface = OPT1; IPv4; Protocol=any; Source OPT1net; destination any
VIP- IP Alias; interface= WAN; single address= 3rd public address
(1st = modem gateway; 2nd assigned to WAN.. all /29)
NAT- 1:1 Interface= WAN; IPv4; External subnet IP= Single host address= 3rd public address (same as VIP address); Internal IP Single host= 192.168.10.2 (OPT1 host); Destination= Any
LAN works great
OPT1 host (laptop) can ping everything including WAN, VIP, any Internet IP address (8.8.8.8 and others)
Try to ping "google.com" I get
"Ping request could not find host msn.com. Please check the name and try again"
Laptop ipconfig shows Media State= Media disconnected.
Laptop is good, disconnect from OPT1, hook to LAN (dhcp) all = joy.
System- General setup- DNS Settings = 8.8.8.8 (google) and 208.67.222.222 (openDNS)...
So the OPT1 host can ping the world, but I don't have internet browsing capabilities "Hmmmmm...can't reach this page" or any page I try. If I put the IP for MSN.COM in the browser.. it thinks about it but gives me the same response...NO JOY!
I tried miscellaneous rules on the WAN and OPT1 in different directions = no joy.. all were deleted other than the one mentioned above. Hmmmm... ping but no internet, I'm really getting old!
I'm sorry to be a pain here, so this will probably be my last request so I don't take up any more of your time....I guess my almost 70 year old brain is still back in the 8088 breadboarding days and 80286 ROM BASICA (no os) where I specifically remember telling myself.. "WOW a 20 MB MFM harddrive... I'll NEVER fill this up!" :)
Maybe I'll save up a little and hire one of you for a phone consult....but I'm really hoping I can do it my self!
At least the default LAN works, I have to do taxes!!
Oh yeah, Stephenw10, pfSense wasn't installed on the XTM, I'm using it as a wifi access point only, that I was hoping to attach to this OPT1.
Happy Day All....
---Ross
-
@ross-0 said in WAN is /29:
So the OPT1 host can ping the world,
You wrote above it couldn't resolve names...are you saying it can ping out using an IP but DNS isn't working? Because you wrote using a browser with an IP gave a connection error.
try commands:
nslookup google.com
nslookup google.com 8.8.8.8
If it's a DNS issue, check if DNS Resolver has "Network Interfaces" set to the default All or at least has OPT1 selected also.
-
Mmm, sounds like maybe the laptop is configured statically and simply doesn't have a DNS server set?
-
JOY!!! --- and duh on my part...The simplest things!!!
"Mmm, sounds like maybe the laptop is configured statically and simply doesn't have a DNS server set?"
.... That was it... again... a DUH..... I'm taking up gardening!
THANK YOU ALL for your help.... you can close this thread now.