Netgate Discussion Forum
    Do I need my provider to do ROUTING for me or should I ask to do it myself?

    General pfSense Questions
    15 Posts 5 Posters 7.7k Views
    torontob

      Thanks for the great guides guys. So, the /27 IPs are routed to our /29 main IP address. I am working on this right now. So, I am going to pick up Proxy ARP for virtual IPs and start testing...

      The router has only 3 NICs (Alix3D13) and the only thing that I can't envision right now is that if the Virtual IPs don't look like WAN interfaces after the setup then it would be really confusing for me to firewall them. And of course I want each Virtual IP coming in to have the ability to go on full DMZ or use all the 65k+ ports simultaneously with other Virtual IPs doing the same thing.

      I would appreciate any links to guides on VIPs. The wiki doesn't have any except for CARP, which is not my need??!!

      ***A- Where exactly can I see the VIPs' status, like the interface status, to make sure the IP is picked up?
      ***B- VIPs give me the option to either pick the whole /27 network or a single IP for all the 30 or so IPs. Which one should I pick? I want to assign each IP to each virtual machine that I would be running later on.

      Thanks again

      Efonnes

        I read this last post and was just kind of wondering if you completely ignored my post above.  Cry Havok was talking about a different type of setup than what you have with your ISP.  Please read my post if you haven't already.

        torontob

          Thanks Efonnes,

          I did read your post but I guess I am already confused :-) I am willing to dash out some $$ for this now and get some solid ideas as well. Unfortunately the support subscription is not within the budget.

          Reading over your answers, it's clearer to me now. But I have the following comments:

          Is there any way that I can get an Interface tab (like WAN, LAN, OPT2, vIP1, vIP2, etc...) for each of the IPs in the /27 subnet? It would be very clear to me and then I can use the firewall on them or use NAT.

          Based on your guide, the /27 IPs were to be directly assigned to the endpoints (systems) and they were to statically pick those IPs. Wouldn't that take away my ability to firewall them?

          ***More importantly, each endpoint (server) has three NIC interfaces where 1 is only used for IPMI-KVM and the other two for internet connections. I want to keep them separate. I still want the IPMI dedicated port to have a local IP and not a static public IP. Also I have only 1 switch. Can all this be possible with one switch or do I have to get more switches?

          Also, in LAN do I choose bridge with WAN and then enter the first /27 subnet public IP? Or do I keep it as none?

          Thanks

          Efonnes

            You can still firewall the IP addresses inbound on WAN and what is received on LAN that is to go outbound on WAN regardless of how they are assigned.  Actually, the firewalling will probably be easier if you don't bridge WAN and LAN.  As for if you want to firewall the systems from each other, to do that you will need a managed switch.

            torontob

              Thanks for that. I just put the /27 IP in the LAN main port and I lost my VPN connection to the pfSense box. Weird. Anyhow, since I have to assign STATIC IPs to the endpoints now, what would be the Gateway?

              1- I have only been provided 59.59.59.32/27 to be routed to one of our main IPs and that's all. For example, on a CentOS server when I do static assignment of an IP to eth0 it has a field for Gateway as well. Do I not need a gateway?

              2- Also, can these /27 IPs be assigned to the endpoints through some sort of DHCP from the pfSense router rather than assigning them statically on the endpoints?

              Thanks again

              dreamslacker

                @torontob:

                Thanks for that. I just put the /27 IP in the LAN main port and I lost my VPN connection to the pfSense box. Weird. Anyhow, since I have to assign STATIC IPs to the endpoints now, what would be the Gateway?

                1- I have only been provided 59.59.59.32/27 to be routed to one of our main IPs and that's all. For example, on a CentOS server when I do static assignment of an IP to eth0 it has a field for Gateway as well. Do I not need a gateway?

                2- Also, can these /27 IPs be assigned to the endpoints through some sort of DHCP from the pfSense router rather than assigning them statically on the endpoints?

                Thanks again

                The server(s) would use the pfSense 'LAN' IP as the gateway whether you did a 1:1 NAT configuration (Cry Havok) or a policy-based routing configuration (Efonnes).

                In this instance, you have opted to use Efonnes's suggestion.
                i.e.
                pfsense 'WAN'
                IP:  Routed Main IP
                Subnet mask: 29 (CIDR)
                Gateway:  Provided by your ISP within the 39.39.39.152/29 subnet (usually the first usable IP. i.e. 39.39.39.153)

                pfsense 'LAN'
                IP:  I recommend using the first usable on the 59.59.59.32/27 subnet (i.e. 59.59.59.33)
                Subnet mask: 27 (CIDR)

                If you want to dynamically assign IPs to your server, you will then set the DHCP server service on pfsense to roll out:  59.59.59.34 - 59.59.59.62 as the address pool.  I highly recommend setting static IPs on the servers instead.  Doesn't quite make sense to have servers randomly switching IPs.

                Servers hook up to the 'LAN' side of the pfsense box via the switch.  If they pick-up the IP via DHCP, then you're good to go from there (provided you've set the DNS server(s) IPs in pfsense so that the DNS forwarder actually works to resolve hostnames).  If not, use 59.59.59.33 as the gateway and DNS server would be what the ISP provides or your own internal DNS server IP.

                Grab a basic dumb switch for your IPMI connections.  Such 'physical' access to your servers should be isolated from the internet anyway (or at least administrated by a protected endpoint).

                  torontob

                  Thanks for the great details. I did try this setup yesterday and it picked up an IP but never got internet because I neglected to calculate the IP subnet right. I was starting with 59.59.59.32/27 on the LAN interface and assigned 59.59.59.33 as the static IP with 59.59.59.32 as the gateway IP. So, I gave up and changed back to the original settings. I am going to go back and try this now.

                  1- I guess the only way I can do this properly is to get another switch for the IPMI as it should definitely be separate from the other network. However, if I use NIC-2 on the pfSense router for the IPMI my DHCP server still supplies the public IP range. Is there any way that I can provide an RFC1918 range on NIC-2 so that IPMI is set up using a private IP range? Then I can VPN into the box for access.

                  2- Each server has two NICs on it. For redundancy purposes, I am not sure if I should assign the second interface another public IP or maybe a private IP from the same pool that supplies the IPMI dedicated ports for back-end access.

                  Hardware: Alix2d13  -  3 NIC ports - 1 used for WAN - 1 used for Public IPs with a switch - 1 to be used with private IPs for IPMI.

                  Thanks a lot guys

                    dreamslacker

                    Yes, you can have the 3rd NIC as a 2nd LAN and have the DHCP server roll out a separate private subnet there.

                      danswartz

                      @torontob:

                      Thanks for the great details. I did try this setup yesterday and it picked up an IP but never got internet because I neglected to calculate the IP subnet right. I was starting with 59.59.59.32/27 on the LAN interface and assigned 59.59.59.33 as the static IP with 59.59.59.32 as the gateway IP. So, I gave up and changed back to the original settings. I am going to go back and try this now.

                      1- I guess the only way I can do this properly is to get another switch for the IPMI as it should definitely be separate from the other network. However, if I use NIC-2 on the pfSense router for the IPMI my DHCP server still supplies the public IP range. Is there any way that I can provide an RFC1918 range on NIC-2 so that IPMI is set up using a private IP range? Then I can VPN into the box for access.

                      2- Each server has two NICs on it. For redundancy purposes, I am not sure if I should assign the second interface another public IP or maybe a private IP from the same pool that supplies the IPMI dedicated ports for back-end access.

                      Hardware: Alix2d13  -  3 NIC ports - 1 used for WAN - 1 used for Public IPs with a switch - 1 to be used with private IPs for IPMI.

                      Thanks a lot guys

                      Toronto, you were off by one. If you have a /27, that is 32 addresses; the first and last are not usable (network address and broadcast address). So if they gave you x.y.z.32/27, you would want to make pfSense x.y.z.33 and give out from 34 up for LAN hosts.

                        torontob
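A worked check of dreamslacker's WAN/LAN plan and danswartz's off-by-one explanation above, added here as an example and not code from the thread or from pfSense. The 39.39.39.152/29 and 59.59.59.32/27 blocks are the thread's own placeholder addresses, and "the ISP gateway is the first usable address of the /29" is the thread's assumption, not a rule for every provider.

```python
# Added example (not from the thread): derive the addressing plan for an
# ISP-routed block behind pfSense and flag the network-address-as-gateway
# mistake. Subnets below are the thread's placeholder values, not real ones.
import ipaddress
from typing import Optional

def plan(routed_subnet, lan_subnet):
    """Addressing plan for an ISP-routed block behind pfSense.

    WAN: the ISP /29; the gateway is taken to be its first usable
    address (the thread's assumption, not a rule for every ISP).
    LAN: the routed /27; pfSense takes the first usable address and
    the remaining hosts form the static/DHCP range. Network and
    broadcast addresses are excluded since hosts cannot use them.
    """
    wan = ipaddress.ip_network(routed_subnet, strict=True)
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    wan_hosts = list(wan.hosts())
    lan_hosts = list(lan.hosts())
    return {
        "wan_gateway": str(wan_hosts[0]),
        "lan_network": str(lan.network_address),
        "lan_pfsense_ip": str(lan_hosts[0]),
        "lan_pool_first": str(lan_hosts[1]),
        "lan_pool_last": str(lan_hosts[-1]),
        "lan_broadcast": str(lan.broadcast_address),
        "lan_host_count": len(lan_hosts),
    }

def gateway_problem(lan_subnet, gateway) -> Optional[str]:
    """Why a chosen gateway cannot work on this LAN, or None if it is fine.
    Catches the thread's mistake: using the network address 59.59.59.32
    as the gateway instead of the first usable host 59.59.59.33.
    """
    lan = ipaddress.ip_network(lan_subnet, strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in lan:
        return f"{gw} is outside {lan}; LAN hosts cannot reach it"
    if gw == lan.network_address:
        return f"{gw} is the network address of {lan}, not a host"
    if gw == lan.broadcast_address:
        return f"{gw} is the broadcast address of {lan}, not a host"
    return None

if __name__ == "__main__":
    p = plan("39.39.39.152/29", "59.59.59.32/27")
    print(f"WAN gateway {p['wan_gateway']}, pfSense LAN {p['lan_pfsense_ip']}, "
          f"host range {p['lan_pool_first']}-{p['lan_pool_last']}")
    print(gateway_problem("59.59.59.32/27", "59.59.59.32"))
```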

                        Thanks, yes, you are right. I will try that tonight and post back.

                        Would it be possible to provide LAN-1 as discussed with the /27 public IP address and LAN-2 (interface vr2 on the Alix board) with DHCP from a private IP pool (RFC1918)? I will look into buying a managed switch which can do VLANs so certain ports will be used for the /27 public IP and certain ports for private local IPs on the switch. Do you think that is possible?

                        Budget switch: Linksys SLM2024 (anything better you have in mind for the switch?). Info:

                        Manageable:  Yes
                        Management: 
                        DHCP
                        IEEE 802.1p QoS
                        IEEE 802.1Q Tag-Based VLAN
                        Built-in Web UI for easy browser-based configuration (HTTP)

                        Thanks

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.