Netgate Discussion Forum

    Same WAN port, multiple IPs?

• aaronouthier

JohnPoz,
My Internet connection is Verizon FiOS with an up/down of 50/50. I may increase that when I switch to static IPs.

As for "one of [my] friends puts up something someone doesn't like": I said friends, but they all have small businesses. For the moment, it'll just be advertising various small businesses. No blogs, etc.

I'm mostly doing this to learn how to do this kind of stuff. I'm ever the curious type.

As for going through the router, I have no problem doing this, using the router as a firewall, but I still need to have a public IP for my server and for the 2 VMs. I just don't know how to configure the router to do this, which is my whole reason for starting this thread.

Even if this whole experiment ends up a failure in the end, I'll still have valuable experience. I might have a hole in my wallet also, but I'd also have one if I took classes on this stuff. I have so much more fun learning hands-on.

• mudmanc4

Simplify things for yourself here.

Just set up virtual IPs (the static ones you'll get) {IP Alias}, then 1:1 NAT them to the LAN / OPT subnet, leave each internal machine set as DHCP, and assign them static reservations in pfSense via MAC address.

This way each port to each MAC/IP reservation can be controlled through the ruleset. So you won't be exposing anything you do not want. Including DRAC.

If you want to take it a step further, get an account at DNSmadeeasy. Keep the DNS on external networks only here. Even if you have just one TLD, you can use subdomains as well as RFC2136 dynamic DNS through the external DNS.

EDIT:
Also, turn off DHCP on the ISP router after you've gotten the static IP set, and let pfSense handle this. The IP block will all be pointing towards the modem, which can be assigned as stated above, as aliases, and use the gateway they provide with the block for all static IPs.

• Derelict (LAYER 8, Netgate)

Host your DNS somewhere else. he.net comes to mind.

I would rather put a bunch of port forwards/rules in something like pfSense than maintain local "software" firewalls on a bunch of servers. Maybe that's just me.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

• aaronouthier

Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

• mudmanc4

@aaronouthier:

Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

So you have a fiber connection, even better. (I should have seen this; you clearly pointed out APU.)
What is the issue with using a 1:1 NAT?

• aaronouthier

I would also rather use centralized management for the firewall setup, e.g. using pfSense would be ideal. Earlier posts led me to believe that such was not feasible.

As for DNS, my domain registrar already provides DNS, including DynDNS. This will work fine at first, during the early stages, when there are not many domains. It's when there are more domains being added daily, assuming I get that far, that manually matching up everything by hand will become impossible.

Good advice, all around. Thanks everyone!

• aaronouthier

Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

• mudmanc4

@aaronouthier:

Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

1:1 allows the segregation of port mapping on one interface to the specified IP. (Not the best explanation.)

Example:

External IP 172.184.25.2 using port 80
External IP 172.184.25.3 using port 80 and port 443

and so on.

• KOM

From the Definitive pfSense Guide (available to Gold Subscribers):

1:1 (pronounced one to one) NAT maps one public IPv4 address to one private IPv4 address. All traffic from that private IPv4 address to the Internet will be mapped to the public IPv4 address defined in the 1:1 NAT mapping, overriding your Outbound NAT configuration. All traffic initiated on the Internet destined for the specified public IPv4 address will be translated to the private IPv4, then evaluated by your WAN firewall ruleset. If the traffic is permitted by your firewall rules to a target of the private IPv4 address, it will be passed to the internal host.

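Added example, not from this thread or from pfSense's generated ruleset: the setup mudmanc4 describes (IP Alias VIP, 1:1 NAT, per-port rules) and the translate-then-filter behaviour KOM quotes, written as a raw pf.conf fragment of the kind pfSense builds from those GUI settings. Interface names, the 203.0.113.0/24 and 10.0.1.0/24 addresses and the host label are constructed for this illustration.

```pf
# Constructed illustration (not pfSense-generated config).
# WAN (igb0) carries the first static IP; the second static IP is an
# IP Alias VIP and is 1:1 mapped to one internal web host.
ext_if   = "igb0"
int_if   = "igb1"
wan_vip2 = "203.0.113.3"   # 2nd of the 5 static IPs, added to WAN as an IP Alias
web1     = "10.0.1.11"     # internal VM, pinned by a DHCP static mapping

# The VIP must exist on the WAN interface so the firewall answers ARP for it;
# pfSense does this when the IP Alias is created, roughly equivalent to:
#   ifconfig igb0 alias 203.0.113.3 netmask 255.255.255.255
# Without it, traffic for the 2nd IP never reaches pf and nothing is logged.

# 1:1 NAT (pf "binat"): outbound from web1 leaves as wan_vip2, overriding
# outbound NAT; inbound to wan_vip2 is rewritten to web1 BEFORE the WAN
# ruleset is evaluated.
binat on $ext_if from $web1 to any -> $wan_vip2

# Default deny on WAN, then open only the services this host should expose.
# Because translation happens first, the pass rule names the PRIVATE address.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $web1 port { 80, 443 } flags S/SA keep state

# Anything without a pass rule (e.g. the server's DRAC/iDRAC management port)
# is still reachable via the 1:1 mapping in principle, but is dropped here.
```

A second public IP would be a second VIP plus a second binat line and its own pass rules, which is the per-IP, per-port control mudmanc4 refers to.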
• aaronouthier

That makes perfect sense! One to one, instead of one to many. Thanks Mr. KOM!

• aaronouthier

Ok. So, I finally made the switch to 5 static IPs. I've set up 1:1 for the 2nd of 5 IP addresses, and configured NAT rules, etc., but the firewall log shows no traffic going to it. I suspect this is because the WAN interface only knows about the 1st address. If this is the case, then how do I tell my pfSense box that it has 5 IPs on the WAN, not just 1?

• aaronouthier

Oops,
I just reread the previous posts. I see now the solution is with Virtual IPs. Implementing that now.

Thanks again for everyone's help!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.