5-static IPs Looking for basic setup help
-
Do you need to have access from WAN to LAN? Do you have servers or something like that?
If you only need access from LAN (lan, opt1-opt4) to WAN, then simple manual outbound NATs are enough with CARP VIPs.
1) Create VIPs; CARP is the one you can use.
2) Check that LAN and every opt port has its own subnet.
3) Create manual outbound NAT rules for every subnet (lan, opt1-opt4) to VIPs, and that one should use hardware IP address.
3.1) Check that automatically created rule is below any other rule.
And we're using our own free time when we have it, so we may not answer right away.
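The three steps above, sketched as an added example that is not part of the original post: a small planner that checks the one-subnet-per-interface and VIP-in-WAN-subnet conditions and prints pf-style outbound NAT rules. The addresses, the `wan0` interface name and the function name are assumptions; on pfSense the rules themselves are entered under Firewall > NAT > Outbound.

```python
import ipaddress

# Constructed sample values: documentation-range WAN block and made-up
# internal subnets; "wan0" is an assumed interface name.
WAN_NET = "203.0.113.8/29"
TENANTS = {
    "lan":  ("10.10.0.0/24", "203.0.113.10"),  # WAN interface's own address
    "opt1": ("10.10.1.0/24", "203.0.113.11"),  # CARP VIP
    "opt2": ("10.10.2.0/24", "203.0.113.12"),
    "opt3": ("10.10.3.0/24", "203.0.113.13"),
    "opt4": ("10.10.4.0/24", "203.0.113.14"),
}

def plan_outbound_nat(wan_net, tenants, wan_if="wan0"):
    """Return (rules, errors) for a one-subnet-per-external-IP outbound NAT plan."""
    wan = ipaddress.ip_network(wan_net)
    unusable = {wan.network_address, wan.broadcast_address}
    rules, errors, nets, used_ips = [], [], {}, {}
    for name, (subnet, ext_ip) in tenants.items():
        net = ipaddress.ip_network(subnet)
        ip = ipaddress.ip_address(ext_ip)
        # Step 2: every interface needs its own, non-overlapping subnet.
        for other, other_net in nets.items():
            if net.overlaps(other_net):
                errors.append(f"{name}: {net} overlaps {other} ({other_net})")
        nets[name] = net
        # CARP VIPs only work for addresses inside the WAN subnet.
        if ip not in wan or ip in unusable:
            errors.append(f"{name}: {ip} is not a usable host in {wan}")
        # Two subnets behind one external IP cannot be told apart from outside.
        if ip in used_ips:
            errors.append(f"{name}: {ip} already assigned to {used_ips[ip]}")
        used_ips.setdefault(ip, name)
        # Step 3: one outbound NAT rule per subnet, translated to its address.
        rules.append(f"nat on {wan_if} inet from {net} to any -> {ip}")
    return rules, errors

if __name__ == "__main__":
    rules, errors = plan_outbound_nat(WAN_NET, TENANTS)
    print("\n".join(errors or rules))
```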
-
I didn't mean to sound ungrateful - just thought I'd rephrase so that it was easier to answer.
No, I don't have servers - I have 5 separate businesses or small offices that I need to essentially push the external static IPs through the pfSense box to an individual interface that has a unique internal and external IP and a unique DHCP table.
The office is shared/incubator space so there is a need to open up cross-network resources such as common printers or building/office property management intranet page, etc.
Do I assign the VIP to the interface or to the WAN address?
Thanks,
EDIT: Also - do I assign the Interfaces unique IP ranges such as 10.xx.1.1, 10.xx.2.1, 10.xx.3.1, etc. or do the Optional Interfaces need to have LAN IPs?
Thanks again,
-
Sorry for my previous message, it was a bit late to write that one.
Use own subnets / interface; it's easier to understand which network a client is talking from, etc.
First thing you need to do is design the network, and after that you can create it ;)
You can create own DHCP servers per interface, and why not per VLAN.
Yes assign that for wan interface, when you create that -
I think I'm fine with the network but having problems with the internet.
I can not assign VIPs to my other IP addresses. For starters, do I need ProxyARP, CARP or Other?
Second, I know how to enable/disable pings… I can assign my LAN to whichever IP address per my ISP's information and it works, I get in & out, can ping, etc.
I can not ping my VIPs so it seems as though I am assigning them incorrectly or not properly setting them up. I have a block of 5 consecutive IPs, I assume I assign the lowest number to the WAN and then use 4 VIPs for the rest?
I saw many vague examples of how to direct blocks of external IP addresses to static LAN addresses but have found very little on how to assign 5 external IPs to the one WAN interface and then have them branch out into 5 (LAN + OPT1 + OPT2 + OPT3 + OPT4) interfaces in a 1:1 NAT.
-
If you have all the external IPs in the same subnet you can use CARP type, like you have quoted me.
If you don't have those in the same subnet you should use Other type.
Could you please read my previous messages? There I've explained how to get it done.
-
I feel like a jacka$$ for wasting your time on the forum. Turns out that my ISP (FiOS) had an issue on their end… something to do with cross-connect going from their static to their DHCP servers and I was unable to access multiple IPs from one MAC address. I really don't understand because I don't think they do either.
All set - problem solved and things are as straightforward as any other ISP.
Thank you very much for the replies. I appreciate them since I was stumped and kicked back to n00b status.
New question - Are there multiple logins into the web gui/interface? I have 5 IPs and each goes to a different company. Is it possible for me to give company #3 a unique login from company #2? So that each can log in and screw up their individual IPs but not the overall pfsense box?
Thx!
-
That is something where I can't give any answers, but I'm also interested. At least you can have multiple users and multiple groups and you can give a lot of different rights.
-
As far as I know, this one can be done. Go to System>User Manager. This is for pf2.
@pf123user:New question - Are there multiple logins into the web gui/interface? I have 5 IPs and each goes to a different company. Is it possible for me to give company #3 a unique login from company #2?
But for this, I am not sure. I would also like to know how.
@pf123user:So that each can log in and screw up their individual IPs but not the overall pfsense box?
-
You can have multiple users for the GUI in 2.0, but permissions are given on a per-page basis, not a per-setting/per-interface basis. So if you give someone access to the interfaces page, they can get all of the interfaces not just "theirs".
-
Thanks for the reply. I have VZN FiOS 150/65 with 5 external static IPs (same ONT and shared bandwidth) and one TWC static 50/5 backup (which I will try to load balance/failover tomorrow).
We have 5 businesses in our office, all of which have separate compliance, risk, etc. I would ideally like to have 5 logins who can each see only their "stuff" (and access shared resources I put on an additional "common" interface).
Additionally (and I haven't thought this out fully yet), since I only have one backup IP (not a corresponding block of 5 external IPs) is it possible to set up isolated blocks of port forwarding on the failover line and keep those separate, or if my primary ISP goes down will everyone be able to see each other on the secondary ISP? (I understand Rules vs. NAT and internally they will stay separate… I'm asking about external access in.)
re: multi user logins... 2.0 is the only option? with 123 only one admin is possible?
Thx very very much for the responses and help so far. It is much appreciated.