Too Many Questions to list
-
OK, first off, let's get the formalities out of the way. I want to use pfSense as my main router for my business. I also have a /22 block of public IP's from my provider, 8.31.x.x/22, that are routed to the WAN IP of their equipment. I also am running a small WISP.
Here is what I require. Maybe someone can help me configure it or tell me it can't be done that way, and if you can, thank you.
I need to give out a public IP to each customer. My billing company's bandwidth management unit will not pass out publics unless they are routed to the WAN interface of the BMU. In my current setup this is accomplished by simply plugging the WAN into my provider's equipment. But the fun stops there. I need to reserve say 25 of those 1000+ IP's for my webservers, PBX, etc. How would I break up that /22 and still have the rest of those IP's routed to the WAN port of that BMU?
I am thinking that I want my network to look something like this
             ---->Company PC's (private IP's)
             |
Internet---->Pfsense------>internal stuff (Public IP's)
             |
             ---->Billing Company BMU--------->wireless gear (Public IP's)
Now, would I set up a pfSense box with 4 NICs: 1 WAN, 1 LAN and 2 OPT?
How would I go about getting the IP's routed the correct way?
Any and all help is appreciated.
-
I'm on my phone so it'll be short; will explain in more depth later.
From what I understand it looks good. 1 to 1 NAT is what you want.
-
I also have a /22 block of public IP's from my provider 8.31.x.x/22 that are routed to the wan IP of their equipment. I also am running a small wisp.
…
I need to give out public IP to each customer.
...
How would I go about getting the IP's routed the correct way?
This depends on how the software/BMU works, but it is done via 1 to 1 NAT or 1:1 NAT (one-to-one NAT): 1 IP per device behind the firewall, which allows you to assign a specific WAN IP to a specific internal device.
http://doc.pfsense.org/index.php/1:1_NAT
pfSense needs to be able to see the device, otherwise it can give it an IP, in which case you would assign a block to the BMU and it would give IPs to the CPE.
But the fun stops there. I need to reserve say 25 of those 1000+ IP's for my webservers, pbx, etc. how would I break up that /22 and still have the rest of those IP's routed to WAN port of that BMU?
This is really up to you. You will lose some IPs when you split up the range given to you; this is of no issue if you have more IPs than devices/customers, but will be an issue should you need more later (though you could request more).
I am thinking that I want my network to look something like this
             ---->Company PC's (private IP's)
             |
Internet---->Pfsense------>internal stuff (Public IP's)
             |
             ---->Billing Company BMU--------->wireless gear (Public IP's)
Now would I setup a pfsense box with 4 NIC's 1 WAN 1 Lan and 2 OPT?
This diagram shows 3 NICs to be used on pfSense: Company, Internal, BMU.
-
This diagram shows 3 NICs to be used on pfSense: Company, Internal, BMU.
…and Internet is four! :)
Are you sure 1:1 NAT is the way to go here? That seems a very long way to go about things, especially with +1000 IPs. I would have thought a routed public IP solution would be more appropriate. :-
However, since this sort of install is way beyond anything I've attempted, I'll bow to experience. ;)
Steve
-
in which case you would assign a block to the BMU and it would give IPs to the CPE.
Thank you for the advice. Now the question becomes… How do I assign a block to that particular IP?
-
First off, thank you to the creators of pfSense for making such a great FREE product. Second, thanks to XIII for the guidance; it was the push in the right direction that I needed. In case anyone wants to know how I did it, here it goes.
The drawing in my previous posts is correct: WAN, LAN, OPT1, OPT2. All I did was follow the guidance of XIII and put the public IP's in the blocks I wanted, i.e. OPT1 8.31.x.x/27 and OPT2 8.31.x.x/23, and assign, plug into the ports, tested, and it works. Thanks.
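The split described in the post above, as an added example that is not part of the original thread: it carves a /27 and a /23 out of a /22 and lists the aligned blocks left unassigned. The block 10.0.0.0/22 is a constructed stand-in for the elided 8.31.x.x/22, the helper names carve() and assignable() are hypothetical, and reserving one gateway address per subnet is an assumption.

```python
import ipaddress

# Constructed stand-in for the provider block; the thread elides the real one.
BLOCK = "10.0.0.0/22"
# Prefix lengths from the thread: OPT1 (servers) /27, OPT2 (BMU/customers) /23.
PLAN = {"OPT1": 27, "OPT2": 23}


def carve(block, plan):
    """Allocate one subnet per interface, largest first.

    Returns (allocations, free): the subnet chosen for each name and the
    aligned blocks of the parent that are still unassigned.
    """
    free = [ipaddress.ip_network(block)]
    allocations = {}
    for name, prefix in sorted(plan.items(), key=lambda kv: kv[1]):
        # Best fit: the smallest free block that can still hold this prefix.
        fits = [net for net in free if net.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block can hold a /{prefix} for {name}")
        parent = max(fits, key=lambda net: net.prefixlen)
        free.remove(parent)
        subnet = next(parent.subnets(new_prefix=prefix))
        allocations[name] = subnet
        if subnet != parent:
            # address_exclude() returns the remainder as aligned CIDR blocks.
            free.extend(parent.address_exclude(subnet))
    return allocations, sorted(free)


def assignable(net, gateway=True):
    """Addresses left for devices: minus network, broadcast and
    (assumption) one address for the router interface on that subnet."""
    return net.num_addresses - 2 - (1 if gateway else 0)


if __name__ == "__main__":
    allocations, free = carve(BLOCK, PLAN)
    for name, net in allocations.items():
        print(f"{name}: {net} -> {assignable(net)} assignable addresses")
    print("unassigned:", ", ".join(str(n) for n in free))
```

With these prefixes the /27 leaves enough assignable addresses for the 25 reserved hosts mentioned in the first post, and the unassigned remainder stays available as whole CIDR blocks for later growth.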
-
I should have also explained the NAT a little better. I meant that with 1:1 each device is assigned an IP directly from the WAN side, not that you have to do each one individually. I should have mentioned that you can assign blocks of IPs with 1:1 NAT; that would have made it clearer.
Glad you got it working.
…and Internet is four! :)
I forgot about that one :D
-
Again, thank you for the guidance. Now my only issue is kicking 100+ people offline long enough to implement all of this. But just to clarify: if my OPT2 is going to be going to my customers/BMU, I would assign a private IP to it (OPT2) and then a private to the BMU, and then 1:1 NAT the /22 block of IPs to it?
-
Apologies for the delay, was out of town.
Yes you would, I am not sure though as I do not know anything about your BMU.