Netgate Discussion Forum

    Port Forwarding with Virtual IPs and multiple external static IPs

    24 Posts 6 Posters 28.4k Views
      Jakobud:

      Okay I'll get those screenshots put together in a few.

      Yes, for testing purposes I only have 2 machines setup to use pfSense as their gateway.

        Jakobud:

        Okay here come the screenshots

        My Interfaces
        10.1.10.1 is the IP address of our Comcast Business Class Cable Modem.

        XXX.XXX.63.140 is one of our external static IP addresses that Comcast has assigned to us.  On the cable modem, I have a simple 1-to-1 NAT set up to forward all XXX.XXX.63.140 traffic -> 10.1.10.2 (the IP address of the WAN interface on the pfSense machine).

        This is the only Virtual IP I have set up in pfSense.

        Here in this log, you can see the entries from me on my iPhone trying to SSH into XXX.XXX.63.140 port 22.  You can also see the rule that is blocking it.

        192.168.10.2 does have SSH enabled and the firewall isn't blocking it, etc. etc.  I can SSH into it from within the network no problem.  I can even SSH to it from the pfSense box.  So an SSH connection from pfSense -> 192.168.10.2 works.  It's just pfSense that is blocking it.

        Here's a basic network setup around the firewall

          rpsmith:

          Your Comcast router will hand out 10.1.10.x addresses if you connect a DHCP client to it, but it can also handle static IPs at the same time.

          However, for your setup you should really set your firewall's WAN to use your static public IPs and let the firewall do your NATing.

          Roy…

            overand:

            I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.

            Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range - depending, of course, on whether your Comcast cable modem / router / firewall / whatever thing 'does weird stuff.'  Which it may.

            Technically (barring any 'weird stuff'), if you want to experiment with "Multiple WAN IPs" - as your pfSense box's "WAN IP" space is 10.1.10.x, your WAN IPs would need to be in that range, and you'd need to make your Comcast router NAT those IPs to that range.

            Another option is to bridge your pfSense box into the WAN space - not sure if that's possible with your current comcast device - or its configuration.

              overand:

              Under your NAT port forward - set that for "Interface Address" and not the (probably broken) Virtual IP you created.

                Jakobud:

                Okay I'm confused.  You guys are saying that I don't need to use Virtual IPs?

                Ultimately, my goal is to get rid of the old firewall.  That way, all of our external static IPs (XXX.XXX.63.137-XXX.XXX.63.141) all pass through the pfSense box.  Aren't virtual IPs going to be required for the pfSense box to distinguish between the traffic?  We do NOT want traffic to all of those static IPs to be treated the same.  We need the traffic to be routed/NATed to different internal servers depending on what IP is being accessed...

                So why are people telling me not to use Virtual IPs?

                  Jakobud:

                  @rpsmith:

                  Your Comcast router will hand out 10.1.10.x addresses if you connect a DHCP client to it, but it can also handle static IPs at the same time.

                  However, for your setup you should really set your firewall's WAN to use your static public IPs and let the firewall do your NATing.

                  Roy…

                  1. DHCP is disabled on the modem.

                  2. How do I set my firewall WAN to use multiple public static IPs without using Virtual IPs?

                    Jakobud:

                    @overand:

                    I don't see why you are using a 'virtual IP' at all in this configuration - I'd skip that, based on what I'm reading of your current requirements.

                    Again, I'm planning on removing the existing firewall and using only pfSense.  Ultimately 5 static IPs are going to be directed to the pfSense box.  Are Virtual IPs required for that kind of setup in order for pfSense to distinguish between the traffic so it can properly route/NAT traffic to the proper internal servers?

                    @overand:

                    Based on what I'm seeing, trying to put that x.x.63.x public IP in Proxy ARP / Virtual IP is not going to work - as the "pfSense WAN" isn't actually in that range…

                    According to the wiki:

                    Proxy ARP
                    -Cannot be used by the firewall itself but can be forwarded
                    -Generates Layer2 traffic for the VIP
                    -The VIP can be in a different subnet than the real interface's IP
                    -Will not respond to ICMP ping.

                    Am I reading this wrong?  Is there a different VIP type I should be using?  Sorry, I'm new to the VIP thing.  Is the problem that the Proxy ARP VIP cannot be used by the firewall itself?

                      Jakobud:

                      Got this solved, thanks to jimp.

                      My problem was that I was NATing on my modem like this:

                      XXX.XXX.63.140 > 10.1.10.2

                      instead of

                      XXX.XXX.63.140 > my virtual IP

                        overand:

                        Sorry - I misspoke - you may need virtual IPs if you're doing the equivalent of "1:1 NAT" on your modem/router - and have multiple virtual IPs in that same private address space on your pfSense box's WAN.

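The following is an added model of the packet path discussed in this thread (the modem's 1:1 NAT followed by pfSense's port-forward matching), written for this page and not taken from the thread or from pfSense. It reproduces Jakobud's broken setup (modem NATs the public IP to the pfSense WAN address 10.1.10.2 while the port-forward rule is bound to a Virtual IP), the fix he posted (modem NATs to the VIP instead), overand's alternative of binding the rule to the interface address, and the multi-IP case from Jakobud's question, where one VIP per public static lets pfSense tell the flows apart. The public prefix is redacted in the thread as XXX.XXX.63.x, so the documentation range 203.0.113.0/24 stands in for it; the VIP addresses 10.1.10.137-141 and the internal server addresses other than 192.168.10.2 are assumed for illustration only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: 203.0.113.x stands in for the redacted XXX.XXX.63.x
# statics. The VIPs 10.1.10.137-141 are an assumption; the thread only says the
# VIP must live in the pfSense WAN's 10.1.10.x space and the modem must NAT to it.
PFSENSE_WAN_NET = ipaddress.ip_network("10.1.10.0/24")
PFSENSE_WAN_ADDR = "10.1.10.2"


@dataclass(frozen=True)
class PortForward:
    """One pfSense NAT port-forward rule: match on the destination address and
    port seen on the WAN, redirect to an internal host:port."""
    dst_addr: str          # "Interface Address" (10.1.10.2) or a Virtual IP
    dst_port: int
    target_addr: str
    target_port: int


def modem_nat(one_to_one: dict, public_dst: str) -> Optional[str]:
    """Modem-side 1:1 NAT: rewrite a public destination to its mapped private
    address. Unmapped destinations never reach pfSense at all."""
    return one_to_one.get(public_dst)


def pfsense_forward(rules, dst_addr: str, dst_port: int):
    """Evaluate the port-forward rules pfSense applies on its WAN. A rule only
    matches the destination address actually present in the packet, so a rule
    bound to a VIP never sees traffic the modem delivered to 10.1.10.2. No
    match means the packet falls through to the default-deny WAN policy (the
    block entry in the thread's firewall log)."""
    for rule in rules:
        if rule.dst_addr == dst_addr and rule.dst_port == dst_port:
            return rule.target_addr, rule.target_port
    return None


def trace(public_dst: str, dst_port: int, one_to_one: dict, rules):
    """Follow one inbound connection through modem NAT, then pfSense.
    Returns ("unmapped", None), ("unroutable", wan_dst), ("blocked", wan_dst)
    or ("forwarded", (target_addr, target_port))."""
    wan_dst = modem_nat(one_to_one, public_dst)
    if wan_dst is None:
        return "unmapped", None
    # overand's point: whatever the modem NATs to must sit in pfSense's WAN
    # subnet, otherwise pfSense never sees it as its own traffic.
    if ipaddress.ip_address(wan_dst) not in PFSENSE_WAN_NET:
        return "unroutable", wan_dst
    target = pfsense_forward(rules, wan_dst, dst_port)
    if target is None:
        return "blocked", wan_dst
    return "forwarded", target


# --- Single public IP, as in the thread: SSH to .140 should reach 192.168.10.2
SSH_TO_INTERNAL = PortForward("10.1.10.140", 22, "192.168.10.2", 22)
BROKEN_MODEM_MAP = {"203.0.113.140": PFSENSE_WAN_ADDR}   # modem -> WAN address
FIXED_MODEM_MAP = {"203.0.113.140": "10.1.10.140"}       # modem -> the VIP


def one_public_ip_examples():
    """Returns (broken, fixed, interface_address) traces for the .140 case."""
    broken = trace("203.0.113.140", 22, BROKEN_MODEM_MAP, [SSH_TO_INTERNAL])
    fixed = trace("203.0.113.140", 22, FIXED_MODEM_MAP, [SSH_TO_INTERNAL])
    # overand's alternative for a single static: bind the rule to the interface
    # address and keep the original modem mapping. Works, but only for one IP.
    on_iface = PortForward(PFSENSE_WAN_ADDR, 22, "192.168.10.2", 22)
    interface_address = trace("203.0.113.140", 22, BROKEN_MODEM_MAP, [on_iface])
    return broken, fixed, interface_address


# --- All five statics through pfSense: one VIP per public IP (assumed values)
FIVE_STATICS = {f"203.0.113.{n}": f"10.1.10.{n}" for n in range(137, 142)}
FIVE_RULES = [
    PortForward("10.1.10.137", 443, "192.168.10.10", 443),
    PortForward("10.1.10.138", 443, "192.168.10.11", 443),
    PortForward("10.1.10.140", 22, "192.168.10.2", 22),
]


def multi_ip_examples():
    """Distinct public IPs land on distinct VIPs, so pfSense can send each to
    a different internal server; a VIP with no rule is still default-denied."""
    probes = [("203.0.113.137", 443), ("203.0.113.138", 443),
              ("203.0.113.140", 22), ("203.0.113.139", 443)]
    return {pub: trace(pub, port, FIVE_STATICS, FIVE_RULES) for pub, port in probes}


if __name__ == "__main__":
    for label, result in zip(("broken", "fixed", "interface-address"),
                             one_public_ip_examples()):
        print(f"{label:18} {result}")
    for pub, result in multi_ip_examples().items():
        print(f"{pub:16} {result}")
```

The model deliberately ignores the firewall pass rule that pfSense normally creates alongside a port forward; the thread's failure happens one step earlier, at rule matching, because the destination address the modem delivers is not the one the forward is bound to.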
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.