Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)em1 -- .32.226
No gatewayThe above works.
When you add this
em2 – .32.227
No gatewayit stops working.
You can't have two interfaces in the same machine define the same network.
How about:
em0 – WAN -- .82.218
Gateway .82.217 (default)em1 -- .32.225 (/27)
no gatewayem2 -- .32.226
Gateway .32.225em3 -- .32.227
Gateway .32.225etc.
-
Specifying or not specifying a gateway isn't what breaks things.
Having two or more network adapters defining the same network in the same machine does break things.
He could split his One /27 into
Two /28s or
Four /29s or
Eight /30sor a valid combination of fewer of each of the above, and put them on individual interfaces. These would become different networks so it would be legal and it would work. But that doesn't solve his problem.
-
For his purposes breaking it into 8 /30 nets would probably work. He doesn't appear to have that many private networks he wants to NAT out. But he's already shopping for a router to make the /27 available to the pfSense box directly.
-
No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)em1 -- .32.226
No gatewayThe above works.
When you add this
em2 – .32.227
No gatewayit stops working.
You can't have two interfaces in the same machine define the same network.
The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :) I want private IPs 192.168.1.1 /24 etc… I want them NATd to public IPs...
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
-
Will be building router later to try this out…
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
Right, no I absolutely appreciate your help! I liked how you know your networking. I know it wouldn't work but I didn't know the "reasoning" I knew it had to do with the /30 and /27 over the WAN link but didn't know why, now I do :)
Thanks!
-
sierradump, you can always try pfsense commercial support.
Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP)
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
-
sierradump, you can always try pfsense commercial support.
Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP)
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
Sad face. Tried this early on, it sort of worked but had broken functionality.
-
Tried this early on, it sort of worked but had broken functionality.
Broken functionality how?
I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.
-
use isp wan series on wan side and isp lan series i.e first public ip on lan side
open firewall nat click Manual Outbound NAT rule generation and SAVE
delete all auto generated nat rule -
use isp wan series on wan side and isp lan series i.e first public ip on lan side
open firewall nat click Manual Outbound NAT rule generation and SAVE
delete all auto generated nat ruleThis doesn't provide the private IP network interfaces he requires.