Netgate Discussion Forum

Multiply Public IPs

19 Posts 5 Posters 6.5k Views
KDB9000, Mar 3, 2007, 3:33 AM

I have an internet line that has multiple public IPs and I am having trouble getting them to go to the right servers. I have 3 servers and 4 usable IPs (might be able to get more, but that is later). I have done NAT to try and get it working, but it doesn't seem to work. Anyone have any ideas?
hoba, Mar 3, 2007, 3:49 AM

You first need virtual IPs for the additional IPs at WAN (Firewall > Virtual IPs). Depending on what your connection requires, type "other" (just accepts the IPs) or "proxy ARP" (generates Layer 2 messages for the additional IPs) should work. After that you can NAT them. A firewall rule is needed in addition to this to permit the traffic.
iLoVe.cF-, Mar 3, 2007, 12:01 PM

I wanna do the same thing, but can't get it to work either :S
hoba, Mar 3, 2007, 4:53 PM

@iLoVe.cF-:

    I wanna do the same thing, but can't get it to work either :S

I DO the same thing and it works. Post more details and we might be able to help you. Just "can't get it to work" is not helpful.
KDB9000, Mar 5, 2007, 3:29 PM (edited Mar 5, 2007, 3:33 PM)

I have done all that. Virtual IPs, then NATed them, and the NAT created my firewall rules. I have tried "other" and proxy ARP and checked to see if it would work from outside using an anonymous proxy. All I get is a timeout error. Any way to tell that I need Layer 2? My stuff is 64.20.192.185 - 190, subnet mask is 255.255.255.248. Here is a screenshot of the rules that the NAT created and the NAT settings. Yes, there are 2 with the same address; one of them is for UDP only and the other is for TCP only.

[Screenshots: Rules3.PNG, NAT.PNG]
hoba, Mar 5, 2007, 6:18 PM

What kind of device is in front of you? Maybe reset this device or dump the ARP cache. If nothing helps, try VIP type CARP.
KDB9000, Mar 5, 2007, 6:59 PM

@hoba:

    What kind of device is in front of you? Maybe reset this device or dump the ARP cache. If nothing helps, try VIP type CARP.

What do you mean by "what kind of device is in front of you?" The only thing between me and my ISP is their gateway.
hoba, Mar 5, 2007, 7:39 PM

Then reset this gateway. It might have some old ARP cache.
KDB9000, Mar 6, 2007, 2:04 PM

Reset or restart? I restarted the system and it still doesn't work. I have tried all but the CARP.
KDB9000, Mar 6, 2007, 3:16 PM (edited Mar 6, 2007, 3:49 PM)

Hoba, can you show me your setup? Here is my NAT 1:1 I was trying to do, as well as the error I get:

    03-06-07 10:41:03 - [filter_load]There were error(s) loading the rules:
    /tmp/rules.debug:37: macro opt1 not defined
    /tmp/rules.debug:37: syntax error
    /tmp/rules.debug:38: macro opt1 not defined
    /tmp/rules.debug:39: macro opt1 not defined
    pfctl: Syntax error in config file: pf rules not loaded
    The line in question reads [37]: binat on $opt1 from 10.10.15.1/32 to any -> 64.20.192.187/32

[Screenshot: NAT11.PNG]
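The pfctl errors quoted above are a ruleset problem, not an ARP problem: a binat (1:1 NAT) rule references the interface macro $opt1, but the generated rules.debug never defines it, so pf refuses to load anything. The following Python pre-flight check is an added example for this thread, not code from pfSense or from any poster. It scans a rules.debug-style text for macros used before they are defined and flags binat external addresses that fall outside the public block KDB9000 gave earlier (64.20.192.185 - 190, mask 255.255.255.248), and it lists which addresses of that block are still free for virtual IPs. The sample ruleset, the interface names fxp0 and fxp1, the 10.10.15.x internal hosts, and the assumption that .185 is the ISP gateway and .186 is the pfSense WAN address are constructed for the example; the thread does not state which address is which.

```python
import ipaddress
import re

# Constructed sample in the style of pfSense's generated /tmp/rules.debug.
# Interface names, the missing opt1 macro and the 10.10.15.x hosts are made
# up for this example; the public block is the one quoted in the thread.
SAMPLE_RULES = """\
wan = "fxp0"
lan = "fxp1"
# opt1 is never defined, which is exactly what pfctl complained about
binat on $opt1 from 10.10.15.1/32 to any -> 64.20.192.187/32
binat on $wan from 10.10.15.2/32 to any -> 64.20.192.188/32
binat on $wan from 10.10.15.3/32 to any -> 64.20.193.5/32
"""

MACRO_DEF = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
MACRO_USE = re.compile(r"\$(\w+)")
BINAT = re.compile(r"^\s*binat\s+on\s+\S+\s+from\s+\S+\s+to\s+any\s+->\s+(\S+)\s*$")


def usable_vips(public_block, gateway, wan_addr):
    """Host addresses of public_block still free to use as virtual IPs.

    The ISP gateway and the firewall's own WAN address are excluded;
    network and broadcast addresses are never yielded by hosts().
    """
    net = ipaddress.ip_network(public_block, strict=False)
    reserved = {ipaddress.ip_address(gateway), ipaddress.ip_address(wan_addr)}
    return [str(h) for h in net.hosts() if h not in reserved]


def check_rules(text, public_block):
    """Return (line_number, message) tuples for problems in a pf ruleset.

    Two checks: a $macro referenced before any 'name = value' line defines
    it (the 'macro opt1 not defined' failure), and a binat external address
    that is not inside the public block the ISP routed to us.
    """
    net = ipaddress.ip_network(public_block, strict=False)
    macros = {}
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        for name in MACRO_USE.findall(line):
            if name not in macros:
                problems.append((lineno, f"macro {name} not defined"))
        b = BINAT.match(line)
        if b:
            ext = ipaddress.ip_address(b.group(1).split("/")[0])
            if ext not in net:
                problems.append(
                    (lineno, f"binat address {b.group(1)} is outside {net}")
                )
    return problems


if __name__ == "__main__":
    block = "64.20.192.185/255.255.255.248"       # KDB9000's block, from the thread
    gateway, wan = "64.20.192.185", "64.20.192.186"  # assumed roles, not stated in the thread
    print("free for VIPs:", usable_vips(block, gateway, wan))
    for lineno, msg in check_rules(SAMPLE_RULES, block):
        print(f"rules.debug:{lineno}: {msg}")
```

Run against the sample, the check reports line 4 (undefined opt1) and line 6 (an address outside the /29), and shows four free addresses once the gateway and WAN address are reserved, which matches the "4 usable IPs" in the opening post. The practical point for pfSense users is that a 1:1 NAT entry bound to an interface that is not enabled produces exactly the undefined-macro error seen here, so the interface selection on the NAT 1:1 entry is the first thing to verify.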
KDB9000, Mar 8, 2007, 2:12 PM

If anyone could post screenshots of their working NAT or NAT 1:1 for multiple public IPs, that would be helpful. Thx.
KDB9000, Mar 9, 2007, 1:09 PM

bump?
KDB9000, Mar 12, 2007, 3:26 PM

How do I reset my ARP cache without redoing my whole gateway? And, if someone could post a screenshot of their NAT and/or NAT 1:1 with multiple public IPs, that would be helpful.
hchady, Mar 13, 2007, 9:46 AM

Delete all your existing WAN rules, restart your pfSense box,

and then create new rules on the WAN interface to pass traffic from any to your VIP addresses.
Using proxy ARP for the VIP it should work, but your VIP cannot be pingable or resolved from outside, and I think there is no way to do that with pfSense.
KDB9000, Mar 13, 2007, 1:48 PM

I keep hearing it should and I believe it should, but it isn't. I am not sure what is wrong; even if I start over I would most likely be stopped here again. I cleared out my WAN2 rules, restarted the box, used proxy ARP for the VIP, and set the NAT 1:1 to the right IP, and I am still getting load errors. I am doing load balancing and changed the interface to WAN2; could there be a problem where it only works on WAN?
hoba, Mar 13, 2007, 9:02 PM

Maybe it's just a problem with the way you are testing? You have to test this from outside your network, coming in from WAN. 1:1 NATs are not NAT reflected. This only works for port forwards but not for 1:1s. However, you should not get these errors as alerts. Maybe having a look at your config.xml might help. Please send it to holger.bauer <at> citec-ag <dot> de and I'll throw it at a test system.
Juve, Mar 13, 2007, 9:18 PM

I have several installations with public IP ranges. Here is what I do everywhere:

One (or two) pfSense box with at least 3 ethernet cards: WAN, LAN, DMZ (optional SYNC card for cluster ;-) )

WAN gets IP 192.168.1.1/24
LAN gets IP 172.16.1.254/16 (anything RFC1918 compliant)
DMZ gets the public range.

The big step is to call your ISP and explain to the technical staff to disable the NAT function on your WAN router and to put a static route for your public IP range pointing to your WAN IP.

So it looks like:

    ISP-ROUTER : 192.168.1.254/24
          |
          |
          |192.168.1.1/24
    PFSENSE ---------------- DMZ X.X.X.X public IP range
          | 172.16.1.254 (RFC1918 LAN range)
          |
        LAN

This way you are master of your whole public range; you can filter the traffic as it passes through pfSense and continue using good things like synproxying.
KDB9000, Mar 19, 2007, 3:03 PM

Well, I got it working last week. Not sure what was different. Would having NAT rules and NAT 1:1 (of the same IPs) cause a problem? That is the only thing I can think of. I was going out one internet line to come in the other (1 line has 1 IP, the other has 5). So it is working now. Everything is working now. Hoba, any chance there might be a way to transparent proxy a load balance system in the future? Just wondering.
hoba, Mar 19, 2007, 3:26 PM

With the current implementation of load balancing probably not, but I might be wrong. Who knows ;)