Netgate Discussion Forum
    Forwarding DHCP-obtained IPs to another firewall.

    Routing and Multi WAN · 2 Posts · 2 Posters · 1.5k Views
    LSDave:

      I have read a lot about port forwarding, 1:1 NAT, transparent bridges and Virtual IPs, but I cannot grasp the solution to my problem. Your time and comments are appreciated.

      Underneath it all, I have an ESXi 5.0 Server with four vSwitches

      • vSwitch0 – Physical LAN adapter (192.168.122.0)
      • vSwitch1 – Physical WAN adapter (DHCP assigned IPs)
      • vSwitch2 – Pure Virtual – used as DMZ network (192.168.221.0)
      • vSwitch3 – Pure Virtual – new, intended for traffic between pfSense and ISA (10.112.221.0)

      OLD CONFIGURATION:  I have an ISA Server VM which has handled all traffic and published sites between my LAN (vSwitch0), External (vSwitch1) and DMZ (vSwitch2).  The ISA’s External NIC obtains a DHCP-assigned public IP address from my ISP.  It is always the same address (216.xxx.xxx.xxx), based on the interface’s MAC address.  In my public DNS, I have published some public servers and myname.com to 216.xxx.xxx.xxx and it has worked flawlessly.

      Unfortunately, ISA only works with one DHCP-assigned public IP. This limitation occurs for the following reasons. (1) ISA Server allows only one External NIC. Sure, you can add more NICs, but only one can be External. (2) In Windows networking, a given NIC allows only one DHCP-obtained IP address. Sure, you can add static IPs galore, but DHCP works with MAC addresses, and it's one IP per MAC address. I require a second public IP for publishing my site services and https:// for my other domain, mybusiness.com. I want to continue working with ISA Server.

      To recap: I want ISA Server External NIC to answer for two public IPs, but I can’t have two External NICs on ISA, and I can’t get two DHCP addresses on one External NIC.  I need a method for obtaining two DHCP IPs and then transparently aliasing/forwarding/routing/1:1 NATing/bridging both addresses to ISA's External NIC.

      NEW CONFIGURATION: Enter pfSense. I placed a pfSense v. 2.0.3 VM between my cable modem and ISA's External NIC. pfSense has four interfaces:

      • LAN – on vSwitch0, only for trouble-free webGUI access during this learning process (192.168.112.69)
      • WAN1 – on vSwitch1, obtains public IP address from my ISP's DHCP (216.xxx.xxx.xxx)
      • WAN2 – on vSwitch1, obtains public IP address from my ISP's DHCP (76.yyy.yyy.yyy)
      • OPT1 – on vSwitch3, dedicated for traffic between pfSense and ISA (10.112.221.1)

      In pfSense, for WAN1 I spoofed the MAC address of the ISA Server's External NIC, so that WAN1 is assigned my regular 216.xxx.xxx.xxx IP address. WAN2 is assigned an address on a different subnet with a different gateway (it's always 76.yyy.yyy.yyy). I intend OPT1 and vSwitch3 purely for traffic to/from the ISA External NIC.

      For ISA Server's External NIC, I changed from vSwitch1 to vSwitch3 for traffic to/from pfSense's OPT1 interface. Because the External NIC's MAC has been spoofed above, I manually added a new MAC address value in the NIC's Configuration to avoid duplication.

      How do I configure pfSense to forward all WAN traffic to ISA's External NIC? Ideally, I want ISA to think that the public addresses are its own addresses. I want to go into ISA's External NIC Internet Protocol (TCP/IP) Properties, statically assign the obtained 216.xxx.xxx.xxx and 76.yyy.yyy.yyy addresses to it, and have ISA handle all the traffic directed at those addresses. Please, how do I accomplish this? If that's not possible, then I want pfSense to forward traffic based on Source in a way that ISA's rules and logs see the original source IP, not pfSense's OPT1 interface.

      I've tried to be as clear as possible.  Please respond with clarifying questions if what I've said is confusing.  Thank you.

      pinoyboy:

        To clear this up and get more and better responses, I would suggest a simple diagram of what you have and what you want. Simple is better in explanations and design.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.