Port Forwarding with Virtual IPs and multiple external static IPs
-
@kpa:
Is the modem forwarding the ports to pfSense's wan ip? Your setup could be lot easier if you could eliminate NAT on the modem and set it up in bridging mode and have public IP directly at pfSense's WAN interface.
We have multiple external static IPs. So NAT is necessary at the modem at this point. However I'm only trying to deal with one IP at this point in time while I test pfSense.
I simply have the modem setup to point the external IP mentioned above to goto my pfSense box. And I can confirm that this does work, as I opened up port 22 on the WAN interface. I was able to successfully SSH into the pfSense box from outside the network buy accessing that external IP address, port 22. So in summary, I'm quite sure that the modem is NOT part of the issue here…
Are there particular screenshots or something I could post to help you understand my pfSense settings?
-
Having multiple static IPs does not mean you must do NAT on your modem. In fact it makes it harder.
Usually the source address on such a rule would be 'any' or an IP range. The source address will not be your external IP or your modem, but whatever IP is used by the remote client.
-
I agree, however the reason I have a basic NAT setup on the modem is because we are running multiple firewalls at the moment.
See, I am testing pfSense with the ultimate goal or replacing our current firewall. Therefore, I have to have both of the firewalls hooked up to the modem at the same time, so that the company can continue to function, while I am testing the pfSense box. So NATing one of our static addresses at the modem to point to the pfSense box, and letting the rest of the addresses goto the current firewall is a necessity at this point.
What do I need to post in order for you guys to see the problem with my pfSense setup. I feel like this is the last big hurtle I need to get past before I can really move forward with the intent of using pfSense as a full time solution…. Help please.
-
Are the PCs you have behind pfSense actually using it as their gateway? That would be another reason things would not work properly.
Your description of the setup keeps getting messier. There are way too many things to go wrong there. Asymmetric routing, misconfigured nat/firewall rules, etc, etc. We'd need screencaps of the VIP config, NAT config, Firewall rules, firewall logs, etc. Not copy/paste or retyped, actual screencaps, and more info on how the LAN and clients are configured.
-
Okay I'll get those screenshots put together in a few.
Yes, for testing purposes I only have 2 machines setup to use pfSense as their gateway.
-
Okay here come the screenshots
My Interfaces
10.1.10.1 is the IP address of our Comcast Business Class Cable Modem.XXX.XXX.63.140 is one of our external static IP addresses that Comcast has assigned to us. On the cable modem, I have a simple 1-to-1 NAT setup to forward all XXX.XXX.63.140 traffic –> 10.1.10.2 (the IP address of the WAN interface on the pfSense machine)
This is the only Virtual IP I have setup in pfSense.
Here in this log, you can see the entries from me on my iPhone trying to SSH into XXX.XXX.63.140 port 22. You can also see the rule that is blocking it.
192.168.10.2 does have SSH enabled and the firewall isn't block it, etc etc. I can SSH into it from within the network no problem. I can even SSH to it from the pfSense box. So an SSH connection from pfSense -> 192.168.10.2 works. It's just pfSense that is blocking it.
Here's a basic network setup around the firewall
-
your comcast router will handout 10.1.10.x address if you connect a DHCP client to it but it can also handle static IPs at the same time.
However, for your setup you should really set your firewalls WAN to use your static public IPs and let the firewalls do your NATing.
Roy…
-
I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.
Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range - depending of course on if your comcast cable modem / router / firewall / whatever thing 'does weird stuff.' Which it may.
Technically- (barring any 'weird stuff') if you want to experiment with "Multiple WAN IPs" - as your pfSense box's "WAN IP" space is 10.1.10.x, your WAN IPs would need to be in that range, and you'd need to make your comcast router NAT those IPs to that range.
Another option is to bridge your pfSense box into the WAN space - not sure if that's possible with your current comcast device - or its configuration.
-
Under your NAT port forward - set that for "Interface Address" and not the (probably broken) Virtual IP you created.
-
Okay I'm confused. You guys are saying that I don't need to use Virtual IPs?
Ultimately, my goal is to get rid of the old firewall. That way, all of our external static IPs (XXX.XXX.63.137-XXX.XXX.63.141) all pass through the pfSense box. Aren't virtual IPs going to be required for the pfSense box to distinguish between the traffic? We do NOT want traffic to all of those static IPs to be treated the same. We need the traffic to be routed/nat'ed to different internal servers depending on what IP is being accessed…...
So why are people telling me not to use Virtual IPs?
-
your comcast router will handout 10.1.10.x address if you connect a DHCP client to it but it can also handle static IPs at the same time.
However, for your setup you should really set your firewalls WAN to use your static public IPs and let the firewalls do your NATing.
Roy…
1. DHCP is disabled on the modem.
2. How do I set my firewall WAN to use multiple public static IPs without using Virtual IPs?
-
I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.
Again, I'm planning on removing the existing firewall and using only pfSense. Ultimately 5 static IPs are going to be directed to the pfSense box. Are Virtual IPs required for that kind of setup in order for pfSense to distinguish between the traffic so it can properly route/NAT traffic to the proper internal servers?
Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range…
According to the wiki:
Proxy ARP
-Can not be used by the firewall itself but can be forwarded
-Generates Layer2 traffic for the VIP
-The VIP can be in a different subnet than the real interface's IP
-Will not respond to ICMP ping.Am I reading this wrong? Is there a different VIP type I should be using? Sorry I'm new to the VIP thing. Is the problem, that the Proxy ARP Can not be used by the firewall itself?
-
Got this solved, thanks to jimp.
My problem was that I was NATing on my modem like this:
XXX.XXX.63.140 > 10.1.10.2instead of
XXX.XXX.63.140 > my virtual IP -
Sorry - I misspoke - you may need virtual IPs, if you're doing the equivalent of "1:1 NAT" on your modemrouter - and have multiple virtual IPs in that same private address space on your pfSense box WAN.
