Netgate Discussion Forum

    NAT - 1:1 - or VIP's or….what?

    General pfSense Questions
    7 Posts 3 Posters 1.6k Views
    fusionp

      Hi all,

      I've had a little look at NAT and 1:1, and at the moment I NAT 700+ internal IPs over 12 circuits, each circuit having 1 public IP.

      My questions are, if I buy a block of 1000 public IPs from my ISP would I then just do 1:1 NAT so each customer receives his own IP?
      At the moment I have one internal subnet using 172.16.0.0/16 (yes, I know it's a large broadcast domain), I may split this into 3 separate subnets, 10.1.0.0/22, 10.1.4.0/22 and 10.1.8.0/22.

      How would one go about giving each subnet a block of public IP's, can I make them sticky like in DHCP?

      Any help much appreciated.

      stsowen683

        Fusionp,

        A 1:1 for each customer would probably be a royal pain in the butt to maintain. I would suggest getting your own PI block and ask your ISP to host the BGP advertisement for the block. They could then route the entire block to you via a single static public on your WAN. The first usable would then be on your LAN. From there you could run DHCP on the LAN handing out your public addresses. It would look something like this…

        (BGP at ISP)------------>(ISP ASSIGNED IP)[pfSense](PI BLOCK FIRST USABLE)--------->customers...

        The ISP would route your PI block through your WAN IP. You would need to set pfSense in 'router only mode' from the advanced options.

        If you are set on NATing these, I would create three VLANs or use three physical interfaces, and have your ISP assign you three different blocks to your WAN. You could then use IP alias on your WAN for the various IP addresses.

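The routed layout stsowen683 describes (ISP routes the whole PI block to the ISP-assigned WAN address, outbound NAT off, first usable of each slice on the inside interface, DHCP handing the rest to customers, static mappings for the "sticky" ones) as a worked addressing plan. This is an added example, not code from the thread, pfSense or Netgate; the WAN address, the block, the interface names and the MAC-to-IP reservations are constructed/documentation values, and the block is a /24 standing in for the /22 discussed. The checks mirror the constraints pfSense's DHCP server enforces: a static mapping must sit inside the interface subnet and outside the dynamic pool.

```python
"""Addressing plan for a routed (no-NAT) PI block behind pfSense.

Added example; not code from the thread, pfSense or Netgate.  Models the
layout in the post above: the ISP routes the block to the ISP-assigned WAN
address, outbound NAT is disabled (the thread's "router only mode"), each
inside interface gets a slice of the block with pfSense on the first usable
address, DHCP hands out the rest, and static ("sticky") mappings are carved
off the top of each slice.  All addresses, MACs and interface names are
constructed/documentation values.
"""
import ipaddress

WAN_ADDRESS = "198.51.100.10/30"   # ISP-assigned static public on WAN (constructed)
PI_BLOCK = "192.0.2.0/24"          # RFC 5737 prefix standing in for the PI /22
INSIDE_IFACES = ["LAN", "OPT1", "OPT2"]
# constructed customer reservations: interface -> {MAC: fixed IP}
RESERVATIONS = {
    "LAN":  {"00:11:22:33:44:01": "192.0.2.50", "00:11:22:33:44:02": "192.0.2.51"},
    "OPT2": {"00:11:22:33:44:03": "192.0.2.180"},
}


def split_block(block, ifaces):
    """Carve one equal subnet per inside interface; leftover subnets stay unassigned."""
    net = ipaddress.ip_network(block)
    if len(ifaces) == 1:
        subnets = [net]
    else:
        new_len = net.prefixlen + (len(ifaces) - 1).bit_length()
        subnets = list(net.subnets(new_prefix=new_len))
    assigned = dict(zip(ifaces, subnets))
    spare = [str(s) for s in subnets[len(ifaces):]]
    return assigned, spare


def plan_interface(iface, subnet, reservations):
    """pfSense takes the first usable; the dynamic pool runs from the second
    usable up to just below the lowest static mapping (pfSense rejects static
    mappings inside the pool range)."""
    hosts = list(subnet.hosts())
    if_addr = hosts[0]
    problems, by_ip = [], {}
    for mac, ip in reservations.items():
        ip = ipaddress.ip_address(ip)
        if ip not in subnet:
            problems.append(f"{iface}: static mapping {mac} -> {ip} is outside {subnet}")
        elif ip == if_addr:
            problems.append(f"{iface}: static mapping {mac} -> {ip} collides with the interface address")
        elif ip in by_ip:
            problems.append(f"{iface}: {ip} is reserved for both {by_ip[ip]} and {mac}")
        else:
            by_ip[ip] = mac
    pool_start = hosts[1]
    pool_end = min(by_ip) - 1 if by_ip else hosts[-1]
    if pool_end < pool_start:
        problems.append(f"{iface}: no room for a dynamic pool below the static mappings")
    plan = {
        "subnet": str(subnet),
        "address": f"{if_addr}/{subnet.prefixlen}",
        "pool": (str(pool_start), str(pool_end)),
        "static": {mac: str(ip) for ip, mac in by_ip.items()},
    }
    return plan, problems


def build_plan(wan_address, block, ifaces, reservations):
    """Whole-router plan plus a list of problems a practitioner should fix first."""
    problems = []
    wan_ip = ipaddress.ip_interface(wan_address).ip
    net = ipaddress.ip_network(block)
    if wan_ip in net:
        # the ISP's static route needs a next hop that is not inside the block it routes
        problems.append(f"WAN address {wan_ip} lies inside the routed block {net}")
    assigned, spare = split_block(block, ifaces)
    interfaces = {}
    for iface, subnet in assigned.items():
        interfaces[iface], probs = plan_interface(iface, subnet, reservations.get(iface, {}))
        problems.extend(probs)
    return {"wan": wan_address, "interfaces": interfaces, "unassigned": spare, "problems": problems}


if __name__ == "__main__":
    import json
    print(json.dumps(build_plan(WAN_ADDRESS, PI_BLOCK, INSIDE_IFACES, RESERVATIONS), indent=2))
```

With three inside interfaces the /24 is cut into four /26s and the fourth is reported as unassigned, which is the same thing that happens when a /22 is split three ways; a split that is not a power of two always leaves a spare slice to keep for growth or hand to a fourth interface.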
          fusionp

          Thanks stsowen683

          Currently I use multi-WAN load balancing, will the BGP option work across many links, and will a client device which is issued a public IP via the ISP work if its connection goes out a different interface every few minutes? In fact, if I use the NAT/alias option would this also be affected with multi-WAN?

          Thanks for the suggestions!

            cmb

            You're an ISP I presume, you shouldn't be NATing anything. Route public IPs, and have BGP advertisements out all your connections prepended as desired for ingress balancing. Your customers should have public IPs directly assigned to them, no NAT.

              fusionp

              Thank you, we are looking to register with RIPE in Europe to lease/buy a block of public IPs. My understanding of BGP is limited at best. I'm trying to understand it, let's say I receive a /22 block of public IPs, my ISP then implements BGP and I issue out those public IPs to my clients, if I had four interfaces/circuits to the ISP and multi-WAN load balancing, would I divide up the /22 to issue out public IPs equally over the 4 interfaces? I'm battling to see how my balancing would work if it's session based.

              Granted my knowledge in this area is lacking, but the simple question I have is, can I have both the balancing operational and the public IP's split over many WAN links?

                stsowen683

                @fusionp:

                    Thank you, we are looking to register with RIPE in Europe to lease/buy a block of public IPs. My understanding of BGP is limited at best. I'm trying to understand it, let's say I receive a /22 block of public IPs, my ISP then implements BGP and I issue out those public IPs to my clients, if I had four interfaces/circuits to the ISP and multi-WAN load balancing, would I divide up the /22 to issue out public IPs equally over the 4 interfaces? I'm battling to see how my balancing would work if it's session based.

                    Granted my knowledge in this area is lacking, but the simple question I have is, can I have both the balancing operational and the public IPs split over many WAN links?

                fusionp,

                That is a bit of a brain teaser. I have used multi-wan on pfSense before, but never in a configuration I wasn't NATing. There are essentially two ways to utilize your PI block. First, you can ask your upstream ISP to advertise your block via BGP for you then route the entire block via a single circuit/IP on your WAN or cut the block up and route it via multiple circuits via WAN1, WAN2, WAN3. You would then assign one IP from each section to corresponding 'inside' interfaces like LAN, OPT1, OPT2. I don't see how you could have these dynamically load balance though.

                The second option is the one I would take if it was my network. I would install the package OpenBGP and BGP peer with your upstream carrier(s). In this configuration, you are actually advertising your own block to the rest of the Internet. I'm not sure how this would play using the same carrier on all your WAN links, and depending on what is downstream from you, you might need a LOT of RAM, but you would essentially get the load balancing you want as a side effect of using BGP.

                You can set up a simulation with four pfSense boxes. Set up three of them as the 'ISP peers' and one as 'You'. Make up some nonsense IP addressing and set up the OpenBGP peering between them. You will see how the traffic will get distributed across links and how it will provide failover in the event you unplug one of the links. BGP has a lot of knobs and switches, so play with those and see how it affects which links are favored etc. You will need to put a workstation or something 'beyond' the ISP peers that you can send and receive traffic to/from.

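What the four-box lab stsowen683 describes would show, and what cmb means by advertising out all connections "prepended as desired for ingress balancing", modelled in software. This is an added example, not code from the thread, pfSense or OpenBGPD: the ASNs are private values, the prefix is a documentation /24 standing in for the PI /22, and the remote router's best-path selection is cut down to AS_PATH length plus a deterministic tie-break. It goes one step beyond the thread by showing that prepending a single prefix only steers ingress to one link at a time, and that balancing across links needs more-specific prefixes, each with its own prepend policy.

```python
"""Toy model of BGP ingress steering with AS-path prepending.

Added example; not code from the thread, pfSense or OpenBGPD.  One PI block
is announced to three upstream peers with a different number of prepends per
WAN link, a distant AS picks the shortest AS_PATH, ingress fails over when a
link is withdrawn, and more-specific prefixes give real balancing.
ASNs and prefixes are private/documentation values chosen for the example.
"""
import ipaddress

MY_AS = 65000                                             # assumed private ASN standing in for the RIPE-assigned one
UPSTREAMS = {"WAN1": 64501, "WAN2": 64502, "WAN3": 64503}  # assumed upstream ASN behind each WAN link
ALL_LINKS = frozenset(UPSTREAMS)
PI_PREFIX = "192.0.2.0/24"                                # RFC 5737 prefix standing in for the PI /22


def paths_seen_remotely(prepends, up_links=ALL_LINKS):
    """AS_PATH per link as a distant AS sees it: the upstream's ASN, then MY_AS
    repeated 1 + prepends[link] times.  A link that is down announces nothing,
    which is what a withdraw looks like from the outside."""
    return {
        link: (asn,) + (MY_AS,) * (1 + prepends.get(link, 0))
        for link, asn in UPSTREAMS.items()
        if link in up_links
    }


def best_path(paths):
    """Remote best-path selection reduced to the steps that matter here:
    shortest AS_PATH, then lowest neighbour ASN as a deterministic tie-break.
    Real BGP also weighs LOCAL_PREF, origin, MED and router ID."""
    if not paths:
        return None
    return min(paths, key=lambda link: (len(paths[link]), paths[link][0]))


def ingress_link(prepends, up_links=ALL_LINKS):
    """Which WAN link inbound traffic for the prefix arrives on, or None if all are down."""
    return best_path(paths_seen_remotely(prepends, up_links))


def failover_order(prepends):
    """Order in which ingress moves as the currently preferred link fails."""
    up, order = set(ALL_LINKS), []
    while up:
        link = ingress_link(prepends, up)
        order.append(link)
        up.remove(link)
    return order


def balancing_policy(prefix, preferred):
    """Split `prefix` into one more-specific per preferred link and make that
    link the shortest path for it; the aggregate is announced plainly on every
    link as a fallback.  Remote routers match the longest prefix first, so the
    more-specifics steer traffic.  Caveat: most networks filter IPv4 prefixes
    longer than /24, so a real /22 is split into /23s, not the /25s used here."""
    net = ipaddress.ip_network(prefix)
    new_len = net.prefixlen + (len(preferred) - 1).bit_length()
    policy = {}
    for sub, link in zip(net.subnets(new_prefix=new_len), preferred):
        policy[str(sub)] = {l: (0 if l == link else 2) for l in UPSTREAMS}
    policy[str(net)] = {l: 0 for l in UPSTREAMS}
    return policy


def ingress_per_prefix(policy, up_links=ALL_LINKS):
    """Ingress link for every announced prefix under a per-prefix prepend policy."""
    return {prefix: ingress_link(pp, up_links) for prefix, pp in policy.items()}


if __name__ == "__main__":
    single = {"WAN1": 0, "WAN2": 1, "WAN3": 2}
    print("single prefix, all links up:", ingress_link(single))
    print("failover order:", failover_order(single))
    print("split policy:", ingress_per_prefix(balancing_policy(PI_PREFIX, ["WAN1", "WAN2"])))
```

Two things this makes visible that the lab would also show. First, BGP only decides where traffic comes in; pfSense multi-WAN policy routing decides per session where it goes out, so with routed public addresses the two halves of a flow can take different links and nothing in this model (or in BGP) forbids that. Second, a single prefix lands on exactly one link at a time no matter how the prepends are set; the split into more-specifics is what actually spreads inbound load.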
                  fusionp

                  Thanks stsowen683, good useful info! I'll look into that.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.