WAN is /29
-
@ross-0 No bridging…once the virtual IPs are set up on WAN use hybrid/manual outbound NAT rules to control outgoing connections. Normal NAT for any inbound (destination vip, not WAN IP).
-
@ross-0 Did you add firewall rules to the OPT interfaces?
LAN is the only interface with a default ANY rule.
-
@ross-0 It doesn't make sense because in order to "assign" the public IPs to those networks, you have to use NAT, which you've stated you don't want to do. The only other way to do that is have things on the public side of the firewall, like when you plugged your computer directly into the cable modem.
Additionally, pfSense will treat the LAN and OPT interfaces as internal LAN interfaces and want to route traffic out through the WAN interface, which by default has Automatic Outbound NAT configured. You can configure the other interfaces to act as a WAN interface and perform direct routing and outbound NAT, but there's no advantage to that in your scenario. You only need the single IP on the WAN interface; the other interfaces will be internal and route traffic out through the WAN. If you want to have the other external IPs "map" to an internal server, you have to use NAT and Port Forwarding, which is not difficult, but those IPs get added to the WAN interface, as detailed here Methods of Using Additional Public IP Addresses, which in your scenario is done by adding Virtual IPs (VIPs) to your WAN interface.
If you don't want to use NAT and have a server respond to a public IP address, then that server must be on the outside of the firewall and the IP directly assigned there.
That's just how networking works, which leads me to say no, it can't be done in the manner you are describing. The WAN is the only interface to have public IPs in most circumstances, including yours. Cases where this won't be true are if you have Multi-WAN, i.e. two ISPs feeding the same firewall.
Now, there is a mention of Bridging, where you take one of the OPT interfaces and place them in Bridge mode, which is no different than having the machine directly attached to the modem. This is an outlier case and not often used because of the risk. You remove the firewall from the equation at that point, including all of its security.
One thing to remember, with most firewalls, pfSense included, you can't assign public IPs to the OPT ports that are in the same subnet as the main WAN subnet; they each have to have a unique gateway. Using DHCP you can get around this, but it's not recommended to have more than one interface in the same subnet as another. This again is not unique to pfSense and is pretty bog standard in firewalls due to the way L3 routing works.
This is why I'm confused about what you are posting and wanting. It's just not possible for one part, and the desire to use all 5 IPs that you've been given is really not even needed unless you are hosting a lot of services internally that all use the same port ranges.
-
@ross-0 If your goal is really to use the public IPs directly you'll need another public IP from your ISP, as noted above, so they can route your subnet. See https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html. Note you aren't going to be able to use those on multiple interfaces unless you manage to split that /29 into smaller subnets but you'll lose IPs that way because the pfSense interfaces will need one.
1:1 NAT is also possible with pfSense, to forward all ports. But that is also using NAT.
-
Yes, you have a single subnet on WAN so you should be using VIPs and NATing them:
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#single-ip-subnet-on-wan
The only other option there is to bridge WAN with an internal interface and use the same subnet across both. That is far more complex to configure though.
Steve
-
@jlw52761 Hello Again, I'm still at it with some success. I'm ashamed to admit English is my first language...I didn't know how to NAT, not that I didn't want to.... but with your guidance and the help of others here that responded = much more success.
-
OPT1 = 192.168.10.1/30 with my laptop attached to it with static 192.168.10.2/30. ---- OPT1 rule = Source= OPT1net - Destination = any = joy. Pings internet; has internet, pings WAN address and gateway (modem).
-
Created Virtual IP (Proxy ARP) Interface= WAN; Address type = network; Address = 2nd public IP/32 (not sure about this "32").
-
Created 1:1 NAT Interface= OPT1; External subnet = single address of 2nd public IP; Internal IP = single host of 192.168.10.2 (laptop on OPT1); no destination IP.
Laptop can ping WAN gateway (modem), WAN Address, NOT VIP address Hmmmm...???, pings Internet (8.8.8.8), pings OPT1 address (laptop's gateway) ... so at this point I started to "snoopy dance" ....
BUT (there is always something!) I have NO internet access via browser on the laptop. I tried some rules on the WAN, and OPT1 = no joy. So I'm almost there.... :).... where am I going wrong?
All this because last year my WatchGuard XTM device hit EOL and now I'm having all kinds of internet problems. Once pfSense is here = no more internet problems... imagine that! (other than above!!! :) THANK YOU
---Ross
-
-
@ross-0 said in WAN is /29:
2nd public IP/32 (not sure about this "32"
That should also be a /29 so it can connect to the WAN gateway.
-
The VIP subnet could be /29 or /32 but it should be IPAlias really. If you make a /29 ProxyARP VIP it will respond to all IPs in that subnet including some that it shouldn't. Also ProxyARP will not respond to ping, as you found.
The 1:1 NAT rule should be on the WAN. That's where the translation should take place.
Did you put pfSense on the XTM? Assuming it's an x86 model.
Steve
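As an added example (not code from this thread or from pfSense itself), a short Python sanity check for the VIP plus 1:1 NAT layout Steve describes: it lists which addresses of a /29 are left over for VIPs and flags a rule that sits on OPT1 or relies on a ProxyARP VIP. The /29 is a constructed placeholder (203.0.113.8/29 with .9 as the modem gateway and .10 on WAN) and the rule dicts are constructed too.

```python
# Added example, not from the thread or pfSense itself: sanity-check the VIP +
# 1:1 NAT layout discussed above with the stdlib ipaddress module. Addresses are
# placeholders: 203.0.113.8/29 stands in for the ISP /29 (.9 gateway, .10 WAN).
import ipaddress

WAN_CIDR = "203.0.113.8/29"    # placeholder for the real /29
GATEWAY = "203.0.113.9"        # 1st usable IP: modem/ISP gateway
WAN_IP = "203.0.113.10"        # 2nd usable IP: pfSense WAN address
OPT1_CIDR = "192.168.10.1/30"  # OPT1 as configured in the thread


def spare_public_ips(wan_cidr=WAN_CIDR, gateway=GATEWAY, wan_ip=WAN_IP):
    """Usable addresses left for VIPs once the gateway and WAN IP are taken."""
    net = ipaddress.ip_network(wan_cidr, strict=False)
    taken = {ipaddress.ip_address(gateway), ipaddress.ip_address(wan_ip)}
    for addr in taken:
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
    return [str(h) for h in net.hosts() if h not in taken]


def check_one_to_one(rule):
    """List problems with a VIP + 1:1 NAT rule dict; an empty list means OK."""
    problems = []
    wan_net = ipaddress.ip_network(WAN_CIDR, strict=False)
    opt_net = ipaddress.ip_network(OPT1_CIDR, strict=False)
    ext = ipaddress.ip_address(rule["external"])
    internal = ipaddress.ip_address(rule["internal"])
    # The translation happens where the public address lives: on the WAN.
    if rule["interface"] != "WAN":
        problems.append("1:1 NAT rule must be on WAN, not " + rule["interface"])
    if str(ext) not in spare_public_ips():
        problems.append(f"external {ext} is not a spare address in {wan_net}")
    if internal not in opt_net.hosts():
        problems.append(f"internal {internal} is not a host in {opt_net}")
    # An IP Alias VIP answers ARP and ping for exactly one address; a ProxyARP
    # VIP covering the whole /29 would answer for every address in it.
    if rule["vip_type"] != "IPAlias":
        problems.append("VIP should be IP Alias (ProxyARP does not answer ping)")
    if rule["vip_type"] == "ProxyARP" and rule["vip_prefix"] < 32:
        problems.append(f"ProxyARP /{rule['vip_prefix']} claims all of {wan_net}")
    return problems


# Constructed rules: the thread's first attempt and the corrected form.
FIRST_ATTEMPT = dict(interface="OPT1", vip_type="ProxyARP", vip_prefix=32,
                     external="203.0.113.11", internal="192.168.10.2")
CORRECTED = dict(interface="WAN", vip_type="IPAlias", vip_prefix=32,
                 external="203.0.113.11", internal="192.168.10.2")
if __name__ == "__main__":
    print(spare_public_ips(), check_one_to_one(FIRST_ATTEMPT), check_one_to_one(CORRECTED))
```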
-
Redundancy here from previous posts... just wanting to be specific and correct.
OPT1- Enabled; Static IPv4; Address=192.168.10.1/30; no gateway; no reserved networks.
Laptop attached to OPT1 = 192.168.10.2/30
RULES- interface = OPT1; IPv4; Protocol=any; Source OPT1net; destination any
VIP- IP Alias; interface= WAN; single address= 3rd public address
(1st = modem gateway; 2nd assigned to WAN.. all /29)
NAT- 1:1 Interface= WAN; IPv4; External subnet IP= Single host address= 3rd public address (same as VIP address); Internal IP Single host= 192.168.10.2 (OPT1 host); Destination= Any
LAN works great
OPT1 host (laptop) can ping everything including WAN, VIP, any Internet IP address (8.8.8.8 and others)
Try to ping "google.com" I get
"Ping request could not find host msn.com. Please check the name and try again"
Laptop ipconfig shows Media State= Media disconnected.
Laptop is good, disconnect from OPT1, hook to LAN (dhcp) all = joy.
System- General setup- DNS Settings = 8.8.8.8 (google) and 208.67.222.222 (openDNS)...
So the OPT1 host can ping the world, but I don't have internet browsing capabilities "Hmmmmm...can't reach this page" or any page I try. If I put the IP for MSN.COM in the browser.. it thinks about it but gives me the same response...NO JOY!
I tried miscellaneous rules on the WAN and OPT1 in different directions = no joy.. all were deleted other than the one mentioned above.
hmmmm... ping but no internet, I'm really getting old!
I'm sorry to be a pain here, so this will probably be my last request so I don't take up any more of your time....I guess my almost 70 year old brain is still back in the 8088 breadboarding days and 80286 ROM BASICA (no os) where I specifically remember telling myself.. "WOW a 20 MB MFM harddrive... I'll NEVER fill this up!" :)
Maybe I'll save up a little and hire one of you for a phone consult....but I'm really hoping I can do it myself!
At least the default LAN works, I have to do taxes!!
Oh yea, Stephenw10, pfSense wasn't installed on the XTM, I'm using it as a wifi access point only, that I was hoping to attach to this OPT1.
Happy Day All....
---Ross
-
@ross-0 said in WAN is /29:
So the OPT1 host can ping the world,
You wrote above it couldn't resolve names...are you saying it can ping out using an IP but DNS isn't working? Because you wrote using a browser with an IP gave a connection error.
try commands:
nslookup google.com
nslookup google.com 8.8.8.8
If it's a DNS issue, check if DNS Resolver has "Network Interfaces" set to the default All or at least has OPT1 selected also.
-
Mmm, sounds like maybe the laptop is configured statically and simply doesn't have a DNS server set?
-
JOY!!! --- and duh on my part...The simplest things!!!
"Mmm, sounds like maybe the laptop is configured statically and simply doesn't have a DNS server set?"
.... That was it... again... a DUH..... I'm taking up gardening!
THANK YOU ALL for your help.... you can close this thread now.