Netgate Discussion Forum

Server with public ip inside LAN

Category: HA/CARP/VIPs
17 Posts, 5 Posters, 11.0k Views
Snoopy, last edited Feb 18, 2010, 12:28 PM

Hi. I've been reading these forums and other resources for days, but still can't figure it out. My current setup is like this:

x.x.168.5 (mail server with public IP) - switch - 192.168.0.254 (ISP router) x.x.168.6 (router's public IP)

The mail server is physically in my LAN, and I suppose the ISP router has the same x.x.168.6 address assigned to its internal interface, because the server has x.x.168.6 as its default gateway. So far everything works fine.

Now I want to put my own router with the latest pfSense between the switch and the ISP router, without touching the server's config, keeping my current public IP and leaving the mail server pingable. Visually, I want something similar to this setup: http://www.shorewall.net/ProxyARP.htm

The ISP's tech support suggestion was (literally):

> We'll change our router's current IP to another, and route x.x.168.4/30 to your router. You'll put x.x.168.6/30 and 192.168.0.254/24 on your LAN interface, and create NAT through x.x.168.6.

However, I cannot correlate this suggestion with what I have in pfSense (VIP and different NAT). Could someone guide me in the right direction?
Snoopy, last edited Feb 18, 2010, 12:34 PM

Oh, I forgot my pfSense box config: it has only WAN and LAN. I have a spare port, but I'd like to keep it for the future. I guess the easiest way would be to connect the mail server using OPT and bridge WAN+OPT?
Eugene, last edited Feb 20, 2010, 3:35 AM

Does your server have two interfaces?

http://ru.doc.pfsense.org
Snoopy, last edited Feb 20, 2010, 6:04 AM

@Eugene:
> Does your server have two interfaces?

Nope, only one.
kpa, last edited Feb 20, 2010, 6:29 AM

If you can use the third port then bridging OPT to WAN is probably the easiest solution.
Snoopy, last edited Feb 20, 2010, 8:02 AM

I've just found this in the FAQ:

> Can I have public and private IPs on my LAN interface?
>
> No. You can use public IPs via NAT port forwards or 1:1 NAT, or use an entire interface with routed public IPs only, or use a bridged interface with systems with public IPs.
>
> You cannot mix two IP subnets on the same interface.

So I guess you can make any combination with VIP, NAT etc., but you still have to use private IP addresses inside the LAN.
Snoopy, last edited Feb 22, 2010, 1:40 PM

@kpa:
> If you can use the third port then bridging OPT to WAN is probably the easiest solution.

Just tested this config, and it worked like a charm.
mlimo, last edited Mar 8, 2010, 2:30 PM

Can you explain how you did this a bit further?

I have a similar situation at present where a system in my LAN has a public IP.
I have also just moved from Shorewall to pfSense after my router machine died.

I have been able to re-implement all of my previous network environment that I had running under Shorewall, except for access to the live IP machine.
Snoopy, last edited Mar 8, 2010, 2:51 PM

I don't have access to my system at the moment to check the exact config, but it was pretty straightforward: go to Interfaces > (assign), add a new interface, then in its options choose "Bridge with" and select your WAN interface. Don't forget to add a rule to allow traffic between WAN and OPT.
mlimo, last edited Mar 8, 2010, 9:57 PM

I don't get an option to add another interface.

I should mention that I am using the VM appliance too.
Snoopy, last edited Mar 9, 2010, 5:47 AM

I'm not sure, but maybe you have to add an additional virtual "interface" in your VM, because right now there are no "free" interfaces for pfSense.
mlimo, last edited Mar 9, 2010, 10:32 AM

I have added an additional interface, and it is now an optional interface in the pfSense config.
I have bridged it with the WAN interface.

I am not sure where to go from here; I am now waiting on a copy of the pfSense book to arrive too. :)
thermionic, last edited Mar 21, 2010, 7:39 PM

@Snoopy:
> Hi. I've been reading these forums and other resources for days, but still can't figure it out. My current setup is like this:
>
> x.x.168.5 (mail server with public IP) - switch - 192.168.0.254 (ISP router) x.x.168.6 (router's public IP)

So you have the router connected via an L2 switch (with a management interface on a different subnet) directly to your mail server, which has a public IP address.

Rather than bridge to an OPT interface, why not just NAT to the mail server?
Snoopy, last edited Mar 22, 2010, 6:12 AM

@thermionic:
> @Snoopy:
> > Hi. I've been reading these forums and other resources for days, but still can't figure it out. My current setup is like this:
> >
> > x.x.168.5 (mail server with public IP) - switch - 192.168.0.254 (ISP router) x.x.168.6 (router's public IP)
>
> So you have the router connected via an L2 switch (with a management interface on a different subnet) directly to your mail server, which has a public IP address.
>
> Rather than bridge to an OPT interface, why not just NAT to the mail server?

Could you elaborate on that? First of all, how is the mail server going to access the internet, having x.x.168.6 as its gateway?
Snoopy, last edited Apr 8, 2010, 8:07 AM

@Snoopy:
> @kpa:
> > If you can use the third port then bridging OPT to WAN is probably the easiest solution.
>
> Just tested this config, and it worked like a charm.

It seems that it's not so easy after all :-[

Yesterday I tried to put the system online, and it failed. IMHO FreeBSD is very different from Linux in using multiple IPs on the same interface. I've spent hours on the phone with ISP admins, but they were all *nix people.

It appears that the config I described in the first post is not absolutely correct. The old router (Linux based) has x.x.5.217 on the WAN side (a totally different subnet than x.x.168.6); x.x.168.6 is like a secondary IP for it, and the router is NATting everything from LAN through it. The ISP routes both x.x.168.6 and x.x.168.5 to this router too. In other words, I never see or use x.x.5.217; I work only with x.x.168.6.

So when I put my system online, I was told to apply x.x.5.217 to my WAN. The results:

• Internet for LAN users is working fine.

• The x.x.168.5 mail server on bridged OPT1 has internet and is accessible from the outside world, but I couldn't reach it from LAN. Tracert shows that pfSense is forwarding my requests to the ISP gateway; shouldn't it go straight to OPT1? And I couldn't see the mail server's MAC in the ARP table. How do I tell pfSense that this address is right here, not on the outside?

• I couldn't make the additional x.x.168.6 IP work for inbound port forwards. I've tried both types of VIP and added rules with this specific source IP; nothing worked.

• I haven't even tried to make LAN users go outside through the VIP rather than the real WAN address…

Is there any way I can replicate the current Linux router's setup in pfSense? Maybe "ifconfig alias" could help me?
Eugene, last edited Apr 8, 2010, 1:43 PM

Let me give you one piece of advice. Make your life simpler: set up your mail server behind pfSense and that is it.

Mail server [local IP] ---- [local IP] pfSense [public IP] ---- Provider

Don't waste your time creating a messy and hard-to-troubleshoot setup.

http://ru.doc.pfsense.org
Snoopy, last edited Apr 13, 2010, 8:25 AM

@Eugene:
> Let me give you one piece of advice. Make your life simpler: set up your mail server behind pfSense and that is it.
>
> Mail server [local IP] ---- [local IP] pfSense [public IP] ---- Provider
>
> Don't waste your time creating a messy and hard-to-troubleshoot setup.

You're right. I kindly asked the ISP for more IP addresses, and now I'll have a /29. Let's say I put the mail server on a separate DMZ, then:

1. configure WAN as x.x.x.6/29, gateway x.x.x.1
2. add CARP address x.x.x.5/29
3. add NAT 1:1 from x.x.x.5/29 to the internal server IP on the DMZ

Right?
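As an added illustration that is not from the thread or from pfSense itself, here is a hand-written pf.conf fragment equivalent to the three steps in the post above: a WAN address, a public VIP on WAN, and 1:1 NAT from that VIP to a mail server on a DMZ interface. The interface names, the 203.0.113.0/29 and 10.10.10.0/24 addresses and the port list are placeholders (the thread only gives x.x.x.* values); pfSense generates its own ruleset from the GUI, so this only shows what the steps translate to in pf terms.

```pf
# Hypothetical pf.conf equivalent of the three GUI steps (placeholder
# addresses from the RFC 5737 documentation range, not the poster's x.x.x.*).
ext_if  = "em0"            # WAN: 203.0.113.6/29, default gateway 203.0.113.1 (step 1)
lan_if  = "em1"            # LAN: 192.168.0.0/24
dmz_if  = "em2"            # OPT1 used as a DMZ: 10.10.10.0/24
mail_pub = "203.0.113.5"   # VIP on WAN (step 2)
mail_int = "10.10.10.25"   # mail server's private address on the DMZ
lan_net  = "192.168.0.0/24"
dmz_net  = "10.10.10.0/24"

# Step 2 is not a pf rule: the VIP must exist on the WAN interface (as a
# CARP VIP or IP alias) so that pfSense answers ARP for 203.0.113.5.

# Step 3: 1:1 NAT. binat is bidirectional: inbound packets for $mail_pub are
# rewritten to $mail_int, and outbound packets from $mail_int leave as
# $mail_pub, so the server's own outgoing SMTP is sourced from its public IP.
# binat is matched before nat, so the generic rule below never catches it.
binat on $ext_if from $mail_int to any -> $mail_pub

# Everything else on LAN and DMZ goes out through the primary WAN address.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

block all

# Translation runs before filtering, so inbound WAN rules must match the
# internal address ($mail_int), not the VIP. Open only the mail ports
# the server actually serves (placeholder list) and let it answer pings.
pass in on $ext_if proto tcp from any to $mail_int port { 25, 587 } keep state
pass in on $ext_if inet proto icmp from any to $mail_int icmp-type echoreq keep state

# Filter rules are last-match unless marked quick: the DMZ host may reach
# the internet, but the quick block keeps it out of the LAN.
block in quick on $dmz_if from $mail_int to $lan_net
pass in on $dmz_if from $mail_int to any keep state

pass in on $lan_if from $lan_net to any keep state
pass out all keep state
```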
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.