Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)
-
You could pick from the rather extensive list here:
http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions
I would probably do the most minimal install of any BSD or Linux I was up on, since I already have the software lying around. The only things you need are the networking stack and some way to manage it remotely, such as sshd. There is always a lot of baggage that comes in with a default install, and it's probably best to do that and try to slim it down later rather than be too stingy going in and wind up with a non-working install.
If you don't need remote management, you can just use a keyboard and monitor. After a while, you would probably disconnect these until needed again, which could be very rarely. Just make sure the BIOS will handle booting all the way in with a missing keyboard.
The only things that need configuring are enabling routing between interfaces and configuring the two NICs. You might want to port scan the box once it comes up to be sure that no unnecessary services are running, and perhaps verify the actual throughput to be sure it is not a bottleneck.
I guess none of my other suggestions worked?
Not being a current pfsense user probably doesn't help much - I'm on m0n0wall these days.
I seem to remember that the GB-Flash I was using long ago would allow Alias IPs on the WAN that were on another network, so you could have a /30 WAN and Alias the /27 onto it. But I never had a need for that type of setup, and the software has long since been filed away and is no longer in use.
Let us know how this works out for you. That huge up-charge for that ISP supplied router is a big incentive to get this done yourself.
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)
em1 -- .32.226
No gateway
The above works.
When you add this
em2 – .32.227
No gateway
it stops working.
You can't have two interfaces in the same machine define the same network.
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)
em1 -- .32.226
No gateway
The above works.
When you add this
em2 – .32.227
No gateway
it stops working.
You can't have two interfaces in the same machine define the same network.
How about:
em0 – WAN -- .82.218
Gateway .82.217 (default)
em1 -- .32.225 (/27)
no gateway
em2 -- .32.226
Gateway .32.225
em3 -- .32.227
Gateway .32.225
etc.
-
Specifying or not specifying a gateway isn't what breaks things.
Having two or more network adapters defining the same network in the same machine does break things.
He could split his one /27 into
Two /28s or
Four /29s or
Eight /30s
or a valid combination of fewer of each of the above, and put them on individual interfaces. These would become different networks, so it would be legal and it would work. But that doesn't solve his problem.
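To make the two points in this thread concrete (overlapping networks on one box break, while carving the /27 into smaller blocks is legal, and the real goal is one public IP per private network), here is an added example that is not from any poster. It uses constructed RFC 5737 documentation addresses in place of the redacted ".82.x" WAN /30 and ".32.x" public /27, and Python's standard ipaddress module; the function names are my own.

```python
import ipaddress
from itertools import combinations

# Constructed stand-ins for the thread's redacted addresses (assumption):
# WAN /30 with .217 = ISP gateway and .218 = the pfSense box,
# and the routed /27 whose .225 would normally sit on a separate router.
WAN_NET = "203.0.113.216/30"
PUBLIC_BLOCK = "198.51.100.224/27"


def find_overlaps(interfaces):
    """Return pairs of interface names whose networks overlap.
    Two NICs on one host defining the same (or a nested) network is
    exactly the em1/em2 failure described above."""
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in interfaces.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def split_block(block, new_prefix):
    """Carve a block into equal subnets, e.g. a /27 into eight /30s.
    Each piece is a distinct network, so one per interface is legal."""
    return [str(n) for n in
            ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def plan_outbound_nat(private_nets, public_block, reserved):
    """Give each private network its own usable public IP from the block,
    skipping reserved addresses (the upstream router, anything in use).
    This is the mapping a manual outbound NAT rule set would encode."""
    skip = {ipaddress.ip_address(r) for r in reserved}
    usable = [ip for ip in ipaddress.ip_network(public_block).hosts()
              if ip not in skip]
    if len(private_nets) > len(usable):
        raise ValueError("not enough public IPs for all private networks")
    return {str(ipaddress.ip_network(p)): str(pub)
            for p, pub in zip(private_nets, usable)}


if __name__ == "__main__":
    broken = {"em0": "203.0.113.218/30",
              "em1": "198.51.100.226/27", "em2": "198.51.100.227/27"}
    print("overlapping:", find_overlaps(broken))
    print("eight /30s:", split_block(PUBLIC_BLOCK, 30))
    print(plan_outbound_nat(["192.168.1.0/24", "192.168.2.0/24"],
                            PUBLIC_BLOCK, ["198.51.100.225"]))
```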
-
For his purposes breaking it into 8 /30 nets would probably work. He doesn't appear to have that many private networks he wants to NAT out. But he's already shopping for a router to make the /27 available to the pfSense box directly.
-
No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)
em1 -- .32.226
No gateway
The above works.
When you add this
em2 – .32.227
No gateway
it stops working.
You can't have two interfaces in the same machine define the same network.
The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :) I want private IPs, 192.168.1.1/24 etc… I want them NAT'd to public IPs...
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
-
Will be building router later to try this out…
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
Right, no I absolutely appreciate your help! I liked how you know your networking. I know it wouldn't work but I didn't know the "reasoning" I knew it had to do with the /30 and /27 over the WAN link but didn't know why, now I do :)
Thanks!
-
sierradump, you can always try pfsense commercial support.
Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
-
sierradump, you can always try pfsense commercial support.
Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
Sad face. Tried this early on, it sort of worked but had broken functionality.
-
Tried this early on, it sort of worked but had broken functionality.
Broken functionality how?
I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.
-
Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
Delete all auto-generated NAT rules.
-
Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
Delete all auto-generated NAT rules.
This doesn't provide the private IP network interfaces he requires.