Netgate Discussion Forum

    Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)

    HA/CARP/VIPs
    36 Posts 6 Posters 25.7k Views
    • sierradump

      @gderf:

      @sierradump:

      My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.

      i.e.

      em1 (corp lan) =  yyy.yyy.32.226

      em2 (guest wifi) = yyy.yyy.32.227

      etc…

      No and the reason isn't a deficiency in pfsense. It's a limitation of IP networking. All interfaces in a single machine must define a unique network. What you are showing has em1 and em2 both belonging to your /27. This is ambiguous and either one or both interfaces will stop working once you configure the second one this way.

      But I thought what you were looking for was multiple separate private IP networks NAT'd to single individual public IPs out of your /27 ?

      Gderf,

      My apologies, it was getting late and I was sloppy with my response - you were correct in your assumption that I want private /24s on my LAN interfaces NAT'd out separate public IPs…

      I.e.

      em1 (corp LAN):  192.168.1.1 /24. NAT: yyy.yyy.32.226

      em2 (guest WiFi):  172.16.1.1 /24.  NAT: yyy.yyy.32.227

      Is this possible???  Would I still use VIPs to accomplish this?  The limitation with the VIPs that I experienced using PARP was that the subnet on pfSense WAN, /30, was applied to my VIPs.

      I.e., when I set up the PARP using either a single address or a network and specify the /27, upon creating the 1:1 NAT rule for a given PARP address such as yyy.yyy.32.229, pfSense seemed to apply the WAN /30 and the PARP IP would appear as yyy.yyy.32.230 when leaving pfSense - even though it was set correctly inside the VIP as yyy.yyy.32.229???

      • gderf

        The way I have done this in the past had a separate router connected to the ISP's /24 gateway (your /30) that provided my /29 on the LAN port (your /27). This is analogous to that pricey router they offered you. It was a Speedstream 5660 ADSL router and all I had was a 1.5mbit circuit. I could also have built my own router from a junk PC, two NICs, and run one of those tiny router distros from a floppy disk. The interface to the ISP in this scenario would be an ATM to Ethernet ADSL bridge modem. Either way, it was still a separate router.

        The firewall box (an old PC running GTA GB-Flash v3.4.2, commercial, FreeBSD based like pfsense, but not free) had its WAN interface with one of my usable /29 IPs. The remaining IPs in the routed /29 subnet were assigned to the WAN as "Alias IPs."

        The other interfaces in the firewall box all had private IP networks and they were NAT'd out to the WAN IP Alias IP address of choice.

        This is AFAIK, the more or less standard way of doing this.

        I'd like to think that if there is some way to do this with a single pfsense box that did not require that separate router (to link your /30 to the /27), then someone would have provided the answer already.

        Lurkers please chime in if it really can be done with one box.

        One thing I can suggest but have no idea if it would actually work is this:

        Configure your WAN interface for the /30

        Configure an interface for the /27 with one IP defining the interface, no gateway, and some or all of the remaining available IPs as Alias IPs. Do not plug anything into this ethernet port.

        Configure another interface as a private network and see if you can NAT it out via an IP on the /27.

        I'd be surprised if it worked. If it does work, keep adding interfaces on unique private networks. If it all works after very careful testing, you got lucky.

        • sierradump

          @Metu69salemi:

          PARP can't be used by pfsense itself

          and can you please explain why you need another router between pfsense and the isp?

          i've got a single wan + static IPs & 3 LANs, and each LAN is using its own static public IP

          and you may use a firewall rule to block that access to your datacenter. just remember, rules work on ingress and in top-down order

          Metu69Salemi,

          I suspect your Static IPs are on the same network as your WAN link… My WAN link is a /30, and my Static IPs are in a /27.

          • sierradump

            Thanks Gderf,

            This is what I suspected all along.

            Who makes nice router-specific software (instead of using pfSense)?  I have a dual-socket 2.6GHz Xeon 1U server with 2 Gbit and 1 FE NICs.  I could build my own router, I suppose?  Is Vyatta a good choice? Or do I simply use pfSense again?

            • phorce1

              Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

              em0 -- WAN -- .82.218
                        Gateway .82.217 (default)

              em1 -- .32.226
                        No gateway

              em2 -- .32.227
                        No gateway

              em3 -- .32.227
                        No gateway

              Go to Firewall-->NAT-->Outbound and set it to MANUAL.

              Delete the rules that show up (auto-generated rules that make the /27 get NATed to the WAN address)

              At this point your /27 is "live" on em1 to em7

              Set the CARPs (or PARPs) back up the way you had them working before but use the em1 - em7 .32.2xx addresses.

              This is the point where I lose it completely. My setup is simple public IP straight passthrough, so I have no clue how to work with CARP. But from this point (NAT off) you should be able to connect the private address ranges to individual interfaces and create MANUAL NAT rules from private IP range ---> single public IP. The public IP will be passed through the WAN gateway intact.

              Somebody beat me with a wet noodle if I'm too far off base. I can't flesh it out any further due to the fact that I just started using pfSense a few days ago myself.

              I only have two interfaces in my pfsense box or I'd try hanging a private range off of one of my public IP's here as proof of concept.

              Gerald

              • gderf

                You could pick from the rather extensive list here:

                http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

                I would probably do the most minimal install of any BSD or Linux I was up on since I already have the software lying around. The only things you need are the networking stack and some way to manage it remotely such as sshd. There is always a lot of baggage that comes in with a default install, and it's probably best to do that and try to slim it down later rather than be too stingy going in and wind up with a non-working install.

                If you don't need remote management, you can just use a keyboard and monitor. After a while, you would probably disconnect these until needed again which could be very rarely. Just make sure the BIOS will handle booting all the way in with a missing keyboard.

                The only thing that needs configuring is enabling routing between interfaces, and configuring the two NICs. You might want to port scan the box once it comes up to be sure that no unnecessary services are running. And perhaps verify the actual throughput to be sure it is not a bottleneck.

                I guess none of my other suggestions worked?

                Not being a current pfsense user probably doesn't help much - I'm on m0n0wall these days.

                I seem to remember that the GB-Flash I was using long ago would allow Alias IPs on the WAN that were on another network, so you could have a /30 WAN and Alias the /27 onto it. But I never had a need for that type of setup, and the software has long since been filed away and is no longer in use.

                Let us know how this works out for you. That huge up-charge for that ISP supplied router is a big incentive to get this done yourself.

                • gderf

                  @phorce1:

                  Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

                  em0 -- WAN -- .82.218
                             Gateway .82.217 (default)

                  em1 -- .32.226
                            No gateway

                  The above works.

                  When you add this

                  em2 -- .32.227
                            No gateway

                  it stops working.

                  You can't have two interfaces in the same machine define the same network.

                  • phorce1

                    @gderf:

                    @phorce1:

                    Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

                    em0 -- WAN -- .82.218
                               Gateway .82.217 (default)

                    em1 -- .32.226
                              No gateway

                    The above works.

                    When you add this

                    em2 -- .32.227
                              No gateway

                    it stops working.

                    You can't have two interfaces in the same machine define the same network.

                    How about:

                    em0 -- WAN -- .82.218
                              Gateway .82.217 (default)

                    em1 -- .32.225 (/27)
                              no gateway

                    em2 -- .32.226
                              Gateway .32.225

                    em3 -- .32.227
                              Gateway .32.225

                    etc.

                    • gderf

                      Specifying or not specifying a gateway isn't what breaks things.

                      Having two or more network adapters defining the same network in the same machine does break things.

                      He could split his one /27 into

                      Two /28s or
                      Four /29s or
                      Eight /30s

                      or a valid combination of fewer of each of the above, and put them on individual interfaces. These would become different networks so it would be legal and it would work. But that doesn't solve his problem.

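The same-network rule gderf states above can be checked mechanically before any cable is moved. The following is an added example, not code from this thread or from pfSense: it takes an interface plan shaped like phorce1's, reports which interfaces define the same network, and shows the /28, /29 and /30 splits gderf lists. The addresses are constructed stand-ins from the RFC 5737 documentation ranges for the poster's redacted /30 link and /27 block; the interface names follow the thread.

```python
"""Added example: detect interfaces that define the same network, and split
a routed block into smaller non-overlapping subnets.  Addresses below are
constructed (RFC 5737 documentation ranges), standing in for the redacted
/30 link and /27 block discussed in the thread."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed stand-in for phorce1's plan: WAN on the /30, every other NIC on the /27.
PHORCE1_PLAN: Dict[str, str] = {
    "em0": "203.0.113.218/30",   # WAN, gateway 203.0.113.217
    "em1": "198.51.100.226/27",
    "em2": "198.51.100.227/27",
    "em3": "198.51.100.227/27",
}

# Constructed alternative: the /27 split into /30s, one per NIC, so no two NICs
# share a network (gderf's point: legal, but it does not solve the NAT problem).
SPLIT_PLAN: Dict[str, str] = {
    "em0": "203.0.113.218/30",
    "em1": "198.51.100.226/30",  # network 198.51.100.224/30
    "em2": "198.51.100.230/30",  # network 198.51.100.228/30
    "em3": "198.51.100.234/30",  # network 198.51.100.232/30
}


def find_same_network(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of interfaces whose configured networks overlap.

    The host routes by destination network, so two NICs on one box that both
    claim the same prefix leave it ambiguous which NIC traffic for that prefix
    should use; that ambiguity is the breakage gderf describes."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    names = sorted(nets)
    clashes: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                clashes.append((a, b))
    return clashes


def split_block(block: str, new_prefix: int) -> List[str]:
    """Split a routed block into equal subnets, e.g. a /27 into eight /30s."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print("clashes in phorce1's plan:", find_same_network(PHORCE1_PLAN))
    print("clashes after splitting:  ", find_same_network(SPLIT_PLAN))
    for prefix in (28, 29, 30):
        print(f"/27 as /{prefix}s:", split_block("198.51.100.224/27", prefix))
```

Run against `PHORCE1_PLAN`, every pair among em1, em2 and em3 is flagged because all three sit in the same /27; `SPLIT_PLAN` passes because each NIC owns its own /30, which is exactly the legal-but-unhelpful arrangement gderf describes.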
                      • phorce1

                        For his purposes breaking it into 8 /30 nets would probably work. He doesn't appear to have that many private networks he wants to NAT out. But he's already shopping for a router to make the /27 available to the pfSense box directly.

                        • gderf

                          No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.

                          • sierradump

                            @gderf:

                            @phorce1:

                            Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

                            em0 -- WAN -- .82.218
                                       Gateway .82.217 (default)

                            em1 -- .32.226
                                      No gateway

                            The above works.

                            When you add this

                            em2 -- .32.227
                                      No gateway

                            it stops working.

                            You can't have two interfaces in the same machine define the same network.

                            The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :)  I want private IPs, 192.168.1.1 /24 etc… I want them NAT'd to public IPs...

                            • gderf

                              I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.

                              • sierradump

                                Will be building router later to try this out…

                                • sierradump

                                  @gderf:

                                  I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.

                                  Right, no, I absolutely appreciate your help!  I liked how you know your networking.  I knew it wouldn't work, but I didn't know the "reasoning"; I knew it had to do with the /30 and /27 over the WAN link but didn't know why. Now I do :)

                                  Thanks!

                                  • dhatz

                                    sierradump, you can always try pfsense commercial support.

                                    Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).

                                    Try using ProxyARP VIPs and Manual Outbound NAT (AON).

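What dhatz's suggestion amounts to in rule terms, plus the plan check worth running before switching Firewall > NAT > Outbound to manual, as an added example that is not code from this thread or from pfSense: every inside network must be RFC 1918 space, every public address must sit inside the routed /27 (not its network or broadcast address, and not one of the /30 link addresses) and be used only once. The output is pf-style `nat` rules for illustration, not pfSense's generated ruleset. The addresses are constructed RFC 5737 documentation-range stand-ins for the redacted /30 and /27; `em0` as the WAN interface follows the thread.

```python
"""Added example: validate a private-network -> public-IP outbound NAT plan of
the kind the thread is after, then render it as pf-style nat rules.  Not
pfSense's own ruleset; addresses are constructed documentation-range stand-ins
for the poster's redacted /30 link and routed /27."""
import ipaddress
from typing import Dict, List

WAN_IF = "em0"                                            # WAN interface name, as in the thread
LINK_NET = ipaddress.ip_network("203.0.113.216/30")       # constructed: ISP /30, .217 gateway, .218 WAN
ROUTED_NET = ipaddress.ip_network("198.51.100.224/27")    # constructed: the /27 the ISP hands over

# Constructed plans: inside network -> public address it should be translated to.
GOOD_PLAN: Dict[str, str] = {
    "192.168.1.0/24": "198.51.100.226",   # corp LAN
    "172.16.1.0/24": "198.51.100.227",    # guest WiFi
}
BAD_PLAN: Dict[str, str] = {
    "192.168.1.0/24": "198.51.100.224",   # network address of the /27, not usable
    "172.16.1.0/24": "203.0.113.218",     # the WAN address on the /30 link, not the routed block
    "10.0.0.0/24": "198.51.100.224",      # reuses an address already claimed above
}


def check_nat_plan(plan: Dict[str, str],
                   routed: ipaddress.IPv4Network = ROUTED_NET,
                   link: ipaddress.IPv4Network = LINK_NET) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is usable."""
    problems: List[str] = []
    seen: Dict[ipaddress.IPv4Address, str] = {}
    for inside, public in plan.items():
        inside_net = ipaddress.ip_network(inside, strict=False)
        pub = ipaddress.ip_address(public)
        if not inside_net.is_private:
            problems.append(f"{inside}: inside network is not RFC 1918 space")
        if pub not in routed:
            problems.append(f"{public}: not inside routed block {routed}")
        elif pub in (routed.network_address, routed.broadcast_address):
            problems.append(f"{public}: network/broadcast address of {routed} is not usable")
        if pub in link:
            problems.append(f"{public}: belongs to the /30 link, not the routed block")
        if pub in seen:
            problems.append(f"{public}: already used for {seen[pub]}")
        seen[pub] = inside
    return problems


def render_pf_nat(plan: Dict[str, str], wan_if: str = WAN_IF) -> List[str]:
    """Render one pf-style outbound nat rule per inside network, refusing a bad plan."""
    problems = check_nat_plan(plan)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        f"nat on {wan_if} inet from {ipaddress.ip_network(inside, strict=False)} to any -> {public}"
        for inside, public in plan.items()
    ]


if __name__ == "__main__":
    for rule in render_pf_nat(GOOD_PLAN):
        print(rule)
    for problem in check_nat_plan(BAD_PLAN):
        print("problem:", problem)
```

The check catches the two mistakes this thread turns on: a translation address taken from the link /30 instead of the routed block, and two inside networks sharing one public address. A Proxy ARP VIP only makes the box answer ARP for the address on the WAN segment; the manual outbound rule is where the translation address actually has to be right.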
                                    • sierradump

                                      @dhatz:

                                      sierradump, you can always try pfsense commercial support.

                                      Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).

                                      Try using ProxyARP VIPs and Manual Outbound NAT (AON).

                                      Sad face.  Tried this early on, it sort of worked but had broken functionality.

                                      • dhatz

                                        @sierradump:

                                        Tried this early on, it sort of worked but had broken functionality.

                                        Broken functionality how?

                                        I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.

                                        • anagh

                                          Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
                                          Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
                                          Delete all auto-generated NAT rules.

                                          • gderf

                                            @anagh:

                                            Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
                                            Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
                                            Delete all auto-generated NAT rules.

                                            This doesn't provide the private IP network interfaces he requires.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.