Netgate Discussion Forum

    Do I need my provider to do ROUTING for me, or should I ask to do it myself?

    15 Posts 5 Posters 7.7k Views
      torontob

      Hi Everyone,

      We are looking to co-locate with a provider who will give us a /27 block. They are asking if they should do the routing or if we are doing the routing.

      We want to use Virtual IPs on pfSense to send them to a Proxmox server (which creates multiple virtual private servers).

      In this case, who is better placed to be in charge of routing, or MUST we do the routing ourselves to be able to assign individual IPs to all our VPS?

      Thanks

        Cry Havok

        If you want to control what gets what IP then you must do it yourself.

          torontob

          Thanks for the input. This is the e-mail I got from my provider (Note: the first three octets of the IP addresses are fictional):

          Network: 39.39.39.152/29
          Gateway: 39.39.39.153
          Mask:    255.255.255.248
          Usable:  39.39.39.156 to 39.39.39.158
          
          Network: 59.59.59.32/27 statically routed to 39.39.39.156
          

          How do I go about creating virtual interfaces for each of the above 59.59.59.32/27 IPs? Keeping in mind that I have only one router, I want to have full functionality as if I had 30 ports for the above /27 block of IPs.

          Thanks for the guidance.

            Cry Havok

            If you want to use the entire address range you'll need to do one of 2 things:

            a) Set your pfSense host up as a transparent firewall
            b) Make use of VIPs and configure your servers with an RFC1918 address, forwarding ports and NATing as required.

            There is a forum for VIPs and documentation about transparent firewalls.

              Efonnes

              This is simple routing, no bridging or virtual IPs required.  From your example, set your WAN to 39.39.39.156/29 with a gateway of 39.39.39.153.  Assign one of the addresses from your 59.59.59.32/27 subnet to LAN (assuming it is the only network you are configuring behind the router); most likely the first or last usable address would be best, and the subnet should be /27.  This will act as your local gateway for the LAN.  In Firewall: NAT: Outbound, change to manual outbound NAT and make sure you don't have any rules to do NAT on the addresses in that subnet.

              That's all there is to it.  From here, you can assign the addresses on LAN however you want: DHCP for dynamic and/or static mappings or just manually configuring static IPs and the subnet mask on the systems along with the router's LAN address as the default gateway.  Basically it is no different than any other normal configuration with a static IP and gateway configuration on WAN.  The only difference is that your LAN has IP addresses in a public range instead of a private range, and you won't need NAT for those addresses as a result of that.

              If you want to use your addresses that are on the WAN subnet, you can use them for NAT on WAN.  You can make virtual IP entries on WAN for 39.39.39.157-158 if those are yours and use them for NAT, in addition to the directly assigned WAN address.  These 3 addresses could be used for port forwards, outbound NAT, or 1:1 NAT for computers on a different local subnet (most likely on a different local interface on the router).  The rules for this would all go on WAN.  You should also be able to have WAN port forwards that use the LAN address, but outbound NAT and 1:1 NAT are unlikely to work with that address, since it is an address on LAN and not WAN.

              What Cry Havok mentioned is basically applicable for ways of using the addresses on your WAN subnet with another local network attached to a different network interface on the system.
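Efonnes's design can be checked with a small model before touching the box. The following Python is an added example written for this thread, not pfSense code and not something any poster provided; it uses the thread's fictional-prefix allocation plus a hypothetical 192.168.50.0/24 OPT1 subnet (an assumption, e.g. for IPMI), derives the WAN/LAN plan and the spare /29 addresses that become WAN virtual IPs, and models outbound NAT as a first-match rule list to show why no outbound NAT rule may cover the routed /27 (which is what automatic outbound NAT mode would generate once LAN carries the /27).

```python
import ipaddress

# All values below are constructed from the (fictional-prefix) allocation quoted in the thread.
WAN_BLOCK = ipaddress.ip_network("39.39.39.152/29")
WAN_GATEWAY = ipaddress.ip_address("39.39.39.153")
WAN_USABLE = ("39.39.39.156", "39.39.39.158")       # usable range as stated by the ISP
WAN_ADDRESS = ipaddress.ip_address("39.39.39.156")  # the /27 is statically routed here
ROUTED_BLOCK = ipaddress.ip_network("59.59.59.32/27")
# Hypothetical RFC1918 subnet on a third interface (e.g. for IPMI); not from the thread.
OPT1_BLOCK = ipaddress.ip_network("192.168.50.0/24")


def interface_plan():
    """Addressing plan in the shape Efonnes describes: WAN from the /29, LAN from the /27."""
    first, last = (ipaddress.ip_address(a) for a in WAN_USABLE)
    usable_wan = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    lan_gateway = next(ROUTED_BLOCK.hosts())  # first usable address of the /27
    return {
        "wan": {"address": f"{WAN_ADDRESS}/{WAN_BLOCK.prefixlen}", "gateway": str(WAN_GATEWAY)},
        # leftover usable /29 addresses: WAN virtual IPs for port forwards, 1:1 or outbound NAT
        "wan_vips": [str(a) for a in usable_wan if a != WAN_ADDRESS],
        "lan": {"address": f"{lan_gateway}/{ROUTED_BLOCK.prefixlen}"},
        "opt1": {"address": f"{next(OPT1_BLOCK.hosts())}/{OPT1_BLOCK.prefixlen}"},
    }


# Outbound NAT rules modelled as (source network, translation address). First match wins,
# which is how pfSense walks its outbound NAT list.
MANUAL_RULES = [
    (OPT1_BLOCK, WAN_ADDRESS),  # private subnet: translate to the WAN address
    # deliberately no rule for ROUTED_BLOCK: those hosts leave with their own public address
]

# What automatic outbound NAT would generate once LAN carries the /27: a rule for every
# internal interface subnet, including the routed public block (the thing to avoid).
AUTOMATIC_RULES = [
    (ROUTED_BLOCK, WAN_ADDRESS),
    (OPT1_BLOCK, WAN_ADDRESS),
]


def outbound_nat(src, rules):
    """Return the translated source for an outbound packet, or None if it is not NATed."""
    ip = ipaddress.ip_address(src)
    for source_net, translate_to in rules:
        if ip in source_net:
            return str(translate_to)
    return None


def rules_nat_routed_block(rules):
    """True if any outbound NAT rule would translate hosts of the routed /27."""
    return any(net.overlaps(ROUTED_BLOCK) for net, _ in rules)


if __name__ == "__main__":
    for name, value in interface_plan().items():
        print(name, value)
    for src in ("59.59.59.40", "192.168.50.10"):
        print(src, "-> manual:", outbound_nat(src, MANUAL_RULES),
              "automatic:", outbound_nat(src, AUTOMATIC_RULES))
    print("automatic NAT touches routed block:", rules_nat_routed_block(AUTOMATIC_RULES))
```

Under the manual rule set a host in the /27 leaves untranslated and a host on the private OPT1 subnet is masqueraded behind 39.39.39.156; under the automatic-style set every server in the /27 would also be hidden behind 39.39.39.156, defeating the point of having a routed block.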

                torontob

                Thanks for the great guides, guys. So, the /27 IPs are routed to our /29 main IP address. I am working on this right now. So, I am going to pick Proxy ARP for virtual IPs and start testing….

                The router has only 3 NICs (Alix3D13) and the only thing that I can't envision right now is that if the Virtual IPs don't look like WAN interfaces after the setup then it would be really confusing for me to do firewalling on them. And of course I want each Virtual IP coming in to have the ability to go on full DMZ or use all the 65k+ ports simultaneously with other Virtual IPs doing the same thing.

                I would appreciate any link guides to VIPs. The wiki doesn't have any except for CARP which is not my need??!!

                ***A- Where exactly can I see the VIPs' status, like the interface status, to make sure the IP is picked up?
                ***B- VIPs give me the option to either pick the whole network /27 or a single IP for all the 30 or so IPs. Which one should I pick? I want to assign each IP to each virtual machine that I would be running later on.

                Thanks again

                  Efonnes

                  I read this last post and was just kind of wondering if you completely ignored my post above.  Cry Havok was talking about a different type of setup than what you have with your ISP.  Please read my post if you haven't already.

                    torontob

                    Thanks Efonnes,

                    I did read your post but I guess I am already confused :-) I am willing to dash out some $$ for this now and get some solid ideas as well. Unfortunately the support subscription is not within the budget.

                    Reading over your answers it's more clear to me now. But I have the following comments:

                    Is there any way that I can get an Interface tab (like WAN, LAN, OPT2, vIP1, vIP2, etc…) for each of the IPs in the /27 subnet? It would be very clear to me and then I can use firewall on them or use NAT.

                    Based on your guide, the /27 IPs were to be directly assigned to the endpoints (systems) and they were to statically pick those IPs. Wouldn't that take the ability away from me to firewall them?

                    ***More importantly each endpoint (server) has three NIC interfaces where 1 is only used for IPMI-KVM and the other two for internet connections. I want to keep them separate. I still want the IPMI dedicated port to have a local IP and not a Static Public IP. Also I have only 1 switch. Can all this be possible with one switch or do I have to get more switches?

                    Also, in LAN do I choose bridge with WAN and then enter the first /27 subnet public IP, or do I keep it as none?

                    Thanks

                      Efonnes

                      You can still firewall the IP addresses inbound on WAN and what is received on LAN that is to go outbound on WAN regardless of how they are assigned.  Actually, the firewalling will probably be easier if you don't bridge WAN and LAN.  As for if you want to firewall the systems from each other, to do that you will need a managed switch.

                        torontob

                        Thanks for that. I just put the /27 IP in the LAN main port and I lost my VPN connection to the pfSense box. Weird. Anyhow, since I have to assign STATIC IPs to the endpoints now, what would be the Gateway?

                        1- I have only been provided 59.59.59.32/27 to be routed to one of our main IPs and that's all. For example on a CentOS server when I do static assignment of IP to eth0 it has a field for Gateway as well. Do I not need a gateway?

                        2- Also, can these /27 IPs be assigned to the endpoints through some sort of DHCP from the pfSense router rather than assigning them statically on the endpoints?

                        Thanks again

                          dreamslacker

                          @torontob:

                          Thanks for that. I just put the /27 IP in the LAN main port and I lost my VPN connection to the pfSense box. Weird. Anyhow, since I have to assign STATIC IPs to the endpoints now, what would be the Gateway?

                          1- I have only been provided 59.59.59.32/27 to be routed to one of our main IPs and that's all. For example on a CentOS server when I do static assignment of IP to eth0 it has a field for Gateway as well. Do I not need a gateway?

                          2- Also, can these /27 IPs be assigned to the endpoints through some sort of DHCP from the pfSense router rather than assigning them statically on the endpoints?

                          Thanks again

                          The server(s) would use the pfsense 'LAN' ip as the gateway whether you did a 1:1 NAT configuration (cry havok) or policy based routing configuration (effone).

                          In this instance, you have opted to use Efonnes's suggestion.
                          i.e.
                          pfsense 'WAN'
                          IP:  Routed Main IP
                          Subnet mask: 29 (CIDR)
                          Gateway:  Provided by your ISP within the 39.39.39.152/29 subnet (usually the first usable IP. i.e. 39.39.39.153)

                          pfsense 'LAN'
                          IP:  I recommend using the first usable on the 59.59.59.32/27 subnet (i.e. 59.59.59.33)
                          Subnet mask: 27 (CIDR)

                          If you want to dynamically assign IPs to your server, you will then set the DHCP server service on pfsense to roll out:  59.59.59.34 - 59.59.59.62 as the address pool.  I highly recommend setting static IPs on the servers instead.  Doesn't quite make sense to have servers randomly switching IPs.

                          Servers hook up to the 'LAN' side of the pfsense box via the switch.  If they pick up the IP via DHCP, then you're good to go from there (provided you've set the DNS server(s) IPs in pfsense so that the DNS forwarder actually works to resolve hostnames).  If not, use 59.59.59.33 as the gateway, and the DNS server would be what the ISP provides or your own internal DNS server IP.

                          Grab a basic dumb switch for your IPMI connections.  Such 'physical' access to your servers should be isolated from the internet anyway (or at least administrated by a protected endpoint).

                            torontob

                            Thanks for the great details. I did try this setup yesterday and it picked up an IP but never got internet because I neglected to calculate the IP subnet right. I was starting with 59.59.59.32/27 in the LAN interface and assigned 59.59.59.33 as the static IP with 59.59.59.32 as the gateway IP. So, I gave up and changed back to the original settings. I am going to go back and try this now.

                            1- I guess the only way I can do this properly is to get another switch for the IPMI as it should definitely be separate from the other network. However, if I use NIC-2 on the pfSense router for the IPMI my DHCP server still supplies the public IP range. Is there any way that I can provide an RFC1918 range to NIC-2 so that IPMI is set up using a private IP range? Then I can VPN into the box for access.

                            2- Each server has two NICs on it. For redundancy purposes, I am not sure if I should assign the second interface another Public IP or maybe a private IP from the same pool that supplies the IPMI dedicated ports for back-end access.

                            Hardware: Alix2d13  -  3 NIC ports - 1 used for WAN - 1 used for Public IPs with a switch - 1 to be used with private IPs for IPMI.

                            Thanks a lot guys

                              dreamslacker

                              Yes, you can have the 3rd NIC as a 2nd Lan and have the DHCP server roll-out a separate private subnet there.

                                danswartz

                                @torontob:

                                Thanks for the great details. I did try this setup yesterday and it picked up an IP but never got internet because I neglected to calculate the IP subnet right. I was starting with 59.59.59.32/27 in the LAN interface and assigned 59.59.59.33 as the static IP with 59.59.59.32 as the gateway IP. So, I gave up and changed back to the original settings. I am going to go back and try this now.

                                1- I guess the only way I can do this properly is to get another switch for the IPMI as it should definitely be separate from the other network. However, if I use NIC-2 on the pfSense router for the IPMI my DHCP server still supplies the public IP range. Is there any way that I can provide an RFC1918 range to NIC-2 so that IPMI is set up using a private IP range? Then I can VPN into the box for access.

                                2- Each server has two NICs on it. For redundancy purposes, I am not sure if I should assign the second interface another Public IP or maybe a private IP from the same pool that supplies the IPMI dedicated ports for back-end access.

                                Hardware: Alix2d13  -  3 NIC ports - 1 used for WAN - 1 used for Public IPs with a switch - 1 to be used with private IPs for IPMI.

                                Thanks a lot guys

                                Toronto, you were off by one.  If you have a /27, that is 32 addresses, the first and last are not usable (network address and broadcast address).  So if they gave you x.y.z.32/27, you would want to make pfsense x.y.z.33 and give out from 34 up for LAN hosts.
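The off-by-one danswartz points out, and the DHCP pool dreamslacker proposes, both follow from plain subnet arithmetic. The Python below is an added example for this thread (not from any poster, and not pfSense code) that uses the standard-library ipaddress module on the fictional 59.59.59.32/27 block: it reports the network, broadcast and usable range, derives the DHCP pool with the pfSense LAN address excluded, and validates a server's static configuration, flagging the .32 gateway from the earlier attempt as the network address rather than a host.

```python
import ipaddress

ROUTED_BLOCK = ipaddress.ip_network("59.59.59.32/27")  # from the thread (fictional prefix)
PFSENSE_LAN = ipaddress.ip_address("59.59.59.33")      # first usable, as dreamslacker suggests


def block_summary(net):
    """Boundaries danswartz explains: address count, network, broadcast and usable range."""
    hosts = list(net.hosts())
    return {
        "addresses": net.num_addresses,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
    }


def dhcp_pool(net, gateway):
    """Pool dreamslacker proposes: every usable address except the pfSense LAN address."""
    pool = [h for h in net.hosts() if h != gateway]
    return str(pool[0]), str(pool[-1])


def check_static_config(ip, prefixlen, gateway):
    """Return a list of problems with a server's static IP configuration (empty means OK)."""
    problems = []
    addr = ipaddress.ip_address(ip)
    gw = ipaddress.ip_address(gateway)
    net = ipaddress.ip_interface(f"{ip}/{prefixlen}").network
    if net != ROUTED_BLOCK:
        problems.append(f"mask /{prefixlen} puts {ip} in {net}, not {ROUTED_BLOCK}")
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    if gw == net.network_address:
        problems.append(f"gateway {gateway} is the network address, not a host")
    elif gw not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    elif gw != PFSENSE_LAN:
        problems.append(f"gateway {gateway} is not the pfSense LAN address {PFSENSE_LAN}")
    if addr == gw:
        problems.append("the server address is the same as the gateway address")
    return problems


if __name__ == "__main__":
    print(block_summary(ROUTED_BLOCK))
    print("DHCP pool:", dhcp_pool(ROUTED_BLOCK, PFSENSE_LAN))
    # constructed cases: the earlier attempt (.32 as gateway), a correct host, a wrong mask
    for cfg in (("59.59.59.33", 27, "59.59.59.32"),
                ("59.59.59.34", 27, "59.59.59.33"),
                ("59.59.59.34", 29, "59.59.59.33")):
        print(cfg, "->", check_static_config(*cfg) or "OK")
```

The same checks apply to any routed block: swap in the allocation and the pfSense LAN address and the validator will catch a host placed on the network or broadcast address, a mask that puts the host in a different network than the router, and a gateway that is not the router's LAN address.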

                                  torontob

                                  Thanks, yes, you are right. I will try that tonight and post back.

                                  Would it be possible to provide LAN-1 as discussed with the /27 public IP address and LAN-2 (interface vr2 on the Alix board) with DHCP from a private IP pool (RFC1918)? I will look into buying a managed switch which can do VLANs so certain ports will be used for the /27 public IPs and certain ports for private local IPs on the switch. Do you think that is possible?

                                  Budget switch Linksys SLM2024 (anything better you have in mind for the switch?) info:

                                  Manageable:  Yes
                                  Management: 
                                  DHCP
                                  IEEE 802.1p QoS
                                  IEEE 802.1Q Tag-Based VLAN
                                  Built-in Web UI for easy browser-based configuration (HTTP)

                                  Thanks

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.