Netgate Discussion Forum

    Multiple public static IPs… do I need VIPs? and how do I implement them?

    Category: HA/CARP/VIPs
    6 Posts 2 Posters 5.3k Views
    Jakobud:

      I have been running a thread for the past week in the NAT forum trying to figure out why my NAT setup wasn't working.  I always assumed it was something with my NAT setup at least, but now I'm starting to think it's my VIP setup.  Here's the thread:

      http://forum.pfsense.org/index.php/topic,25449.15.html

      What we have are 5 static public IP addresses from Comcast.  Right now, during the testing phase, I'm only routing 1 of those IP addresses to the pfSense firewall.  The rest of the IP addresses' traffic is routed to the existing firewall.  Ultimately, the old firewall will go away and all 5 addresses will be routed to the pfSense firewall.

      In the end, I need to be able to distinguish between the traffic in that block of 5 IP addresses.  For example, when someone accesses XXX.XXX.63.137, I need the traffic port forwarded to a particular internal server.  And then when someone accesses XXX.XXX.63.140, I need that traffic forwarded to a different internal server. etc etc….

      So given that simple explanation, do I need Virtual IPs?  Because other people in the other thread were saying that they didn't think I needed them... I figured anyone monitoring this VIP forum might know better...  I just really need a straight answer at this point.  I've been trying to get this thing working for the past week and it's just not happening.

      Also, can someone explain which VIP setup I need to use?  I've been trying to use Proxy ARP but now I'm not sure what I need......

      jimp (Rebel Alliance Developer, Netgate):

        Are you really routing to the inside? Or did you just set up 1:1 on the Comcast modem?

        You probably need to do something like this:

        Comcast modem setup:
        x.x.63.137 1:1 setup to 10.1.10.137
        x.x.63.138 1:1 setup to 10.1.10.138
        x.x.63.139 1:1 setup to 10.1.10.139
        x.x.63.140 1:1 setup to 10.1.10.140
        (I just used the same last octet to make working with them easier conceptually, it could be anything you want)

        pfSense setup:
        Proxy ARP VIP for 10.1.10.137 and 1:1 to 192.168.10.2
        Proxy ARP VIP for 10.1.10.138 and 1:1 to 192.168.10.3
        Proxy ARP VIP for 10.1.10.139 and 1:1 to 192.168.10.4
        Proxy ARP VIP for 10.1.10.140 and 1:1 to 192.168.10.5
        (Or whatever internal IPs you want)

        Firewall rules would be set just like the one you have in that other thread.

        Once the public IP hits your comcast modem, it ceases to exist, no matter what you do with NAT. You need to translate it to an IP "internal" to the Comcast box. I don't think you can route those IPs internally the way you describe with their equipment. Ideally the pfSense box would have all public IPs assigned to it, but I understand in some areas Comcast won't let that happen on certain business lines.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          Jakobud:

          Hmmmmm okay I think I have a better grasp on what is going on.  Let me reiterate what I think you are saying:

          Leave the WAN interface IP at 10.1.10.2

          Add the following Proxy ARP VIPs

          10.1.10.137
          10.1.10.138
          10.1.10.139
          10.1.10.140
          10.1.10.141

          And then on my cable modem, do 1-to-1 NATs like this:

          XXX.XXX.63.137 > 10.1.10.137
          XXX.XXX.63.138 > 10.1.10.138
          XXX.XXX.63.139 > 10.1.10.139
          XXX.XXX.63.140 > 10.1.10.140
          XXX.XXX.63.141 > 10.1.10.141

            Jakobud:

            Brilliant!  It worked!!  The thing that made the light turn on in my head was when you said "Once the public IP hits your Comcast modem, it ceases to exist, no matter what you do with NAT."  That made me realize that instead of doing this NAT on the modem:

            XXX.XXX.63.140 > 10.1.10.2 (the real IP address of the WAN)

            I needed to do this:

            XXX.XXX.63.140 > 10.1.10.140 (one of the virtual IPs)

            I don't know why it took a week of posting stuff just to get this through my head.  Makes complete sense now.  Thanks a million man!!

              jimp (Rebel Alliance Developer, Netgate):
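The two NAT hops the thread ends up with can be modelled in a few lines, which makes it obvious why mapping every public address to the WAN address on the modem could never work. The script below is an added example, not code from the thread or from Netgate; all addresses are constructed ("x.x.63.N" stands in for the anonymised public block, and the WAN-address port forward to 192.168.10.2 is an assumed stand-in for the rule from the other thread). It composes the modem's 1:1 table with pfSense's Proxy ARP VIPs and 1:1 rules, and checks whether each public address still reaches a distinct LAN host after both hops:

```python
"""Model of the double-NAT path discussed in this thread (constructed example).

Hop 1: the Comcast modem does 1:1 NAT from a public address to an address on
       its inside network (10.1.10.0/24), where the pfSense WAN lives.
Hop 2: pfSense only receives frames for addresses it answers ARP for (its WAN
       address or a Proxy ARP VIP) and then applies its own 1:1 / port forward.
"""
from typing import Dict, Optional, Set

WAN_IP = "10.1.10.2"  # pfSense WAN address, as in the thread

# Hop 1: modem 1:1 tables, public -> modem-inside.
# Working: each public address gets its own inside address (jimp's layout).
MODEM_WORKING: Dict[str, str] = {f"x.x.63.{n}": f"10.1.10.{n}" for n in range(137, 141)}
# Broken: every public address lands on the pfSense WAN address (original setup).
MODEM_BROKEN: Dict[str, str] = {f"x.x.63.{n}": WAN_IP for n in range(137, 141)}

# Hop 2: Proxy ARP VIPs pfSense answers for, and its 1:1 table.
PFSENSE_VIPS: Set[str] = {f"10.1.10.{n}" for n in range(137, 141)}
PFSENSE_RULES: Dict[str, str] = {
    f"10.1.10.{n}": f"192.168.10.{n - 135}" for n in range(137, 141)  # .137->.2 ... .140->.5
}
# Assumed port forward on the WAN address itself, standing in for the rule
# from the other thread; it is what the "broken" modem table hits.
PFSENSE_RULES[WAN_IP] = "192.168.10.2"


def modem_translate(modem_table: Dict[str, str], public_dst: str) -> Optional[str]:
    """Hop 1: the public destination is rewritten (or dropped if unmapped)."""
    return modem_table.get(public_dst)


def pfsense_owns(dst: str, wan_ip: str, vips: Set[str]) -> bool:
    """pfSense replies to ARP for its WAN address and its Proxy ARP VIPs only."""
    return dst == wan_ip or dst in vips


def pfsense_translate(dst: str, rules: Dict[str, str], wan_ip: str, vips: Set[str]) -> Optional[str]:
    """Hop 2: frame must reach pfSense (ARP) and match a 1:1 / port-forward rule."""
    if not pfsense_owns(dst, wan_ip, vips):
        return None  # nobody on the modem's inside segment answers ARP: traffic dies here
    return rules.get(dst)


def deliver(public_dst: str, modem_table: Dict[str, str],
            rules: Dict[str, str] = PFSENSE_RULES, wan_ip: str = WAN_IP,
            vips: Set[str] = PFSENSE_VIPS) -> Optional[str]:
    """Final LAN host a packet for `public_dst` ends up at, or None if dropped."""
    inside = modem_translate(modem_table, public_dst)
    if inside is None:
        return None
    return pfsense_translate(inside, rules, wan_ip, vips)


def reachable_hosts(modem_table: Dict[str, str], **kw) -> Dict[str, Optional[str]]:
    """Map every public address in the modem table to where it finally lands."""
    return {pub: deliver(pub, modem_table, **kw) for pub in modem_table}


def distinguishes_all(modem_table: Dict[str, str], **kw) -> bool:
    """True only if every public address reaches a different LAN host.

    The public IP "ceases to exist" after hop 1, so the only thing pfSense can
    still tell apart is the modem-inside address. If several public addresses
    collapse onto one inside address, no pfSense rule can separate them again.
    """
    targets = list(reachable_hosts(modem_table, **kw).values())
    return None not in targets and len(set(targets)) == len(targets)


if __name__ == "__main__":
    for name, table in (("working", MODEM_WORKING), ("broken", MODEM_BROKEN)):
        print(name, reachable_hosts(table), "distinct:", distinguishes_all(table))
    # Modem maps to 10.1.10.140 but no VIP exists on pfSense: frame is dropped.
    print("no VIP:", deliver("x.x.63.140", MODEM_WORKING, vips=set()))
```

Running it shows the working table landing .137 through .140 on 192.168.10.2 through .5, the broken table landing all four on 192.168.10.2, and the no-VIP case returning None, which is the silent failure mode when the modem's 1:1 target is an address pfSense does not answer ARP for.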

              Double NAT is enough to drive anyone batty :)

              Good to hear that did the trick.

                Jakobud:

                Ya unfortunately I have to double NAT for now since we are running two (3 actually…) firewalls in parallel all off one modem.  This is all part of an overall plan to get it down to just one.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.