    Multiple Static IPs Comcast - Recommended Equipment Please

    Routing and Multi WAN
    22 Posts 2 Posters 5.5k Views
    botchedup

      Ok.  I may avoid "renting" out the one VM, as from what I can tell it would require VLANing, and that will, from what I've read, take getting a layer 3 switch at a minimum.  A used/pulled/out-of-lease 3570G-24 would run around $170ish.  Not too bad really, but it would lose the point of renting out the VM, which was to offset the difference in price being paid (additionally) for the business class.

      However, with that in mind.

      I've got pfSense set up for the business class.  DG: xxx.xxx.xxx.238, with pfSense having a WAN IP of xxx.xxx.xxx.237.  All devices connected to the ProCurve (connected to the LAN of pfSense), when googling "what is my ip", result in xxx.xxx.xxx.237 as I would expect.  Cool... progress (even if insignificant to anyone here, I feel a resounding feeling of success lol).  So, let's try that port forwarding of VM1, which has a LAN IP of 192.168.1.6

      http://i.imgur.com/tGXKmr6.jpg

      Does that look right?  Those are ports for the game server (aside from 3306 of course we know what that is).

      Using the client from the residential line, it appears to try to connect to the server, but doesn't.  So I did a "what is my ip" from the server's browser.  xxx.xxx.xxx.237 hmm.. I was hoping for xxx.xxx.xxx.233

      Now, I could go 1:1 NAT as suggested, but it was noted that would allow ALL traffic to/from that server VM.  So I disabled the port forwarding (not sure it was necessary, probably not from what I read), and did a 1:1 NAT for xxx.xxx.xxx.233 <-> 192.168.1.6  -- zinga!  Success: googling "what is my ip" resulted in xxx.xxx.xxx.233.  However, now I'm wide open, right?  That's not good.

      So, back to port forwarding?  If so, is my port forwarding setup wrong?  Or is that what Firewall -> NAT -> Outbound is for?  Seems like it -might- be, though I'm uncertain how to configure that.

      Thus, for all intents and purposes, let's just ignore isolating the VMs from the rest of the LAN.  That I'll save for a better day, armed with far more knowledge.  For now, I'd just be happy getting VM1's to/from traffic of 192.168.1.6 <-> xxx.xxx.xxx.233 while having a firewall in place (i.e. deny all, but specify what IS allowed).

      Assistance is greatly appreciated.

      botchedup

        Ok, just adding onto this a little.

        I'm perplexed.  From how I understand things, a 1:1 NAT is simply saying, "whatever comes to/from xxx.xxx.xxx.233, do to/from 192.168.1.6".  BUT, also in many of the same posts (not just here, I'm trying to utilize many resources to soak up knowledge), it seems that, while that's all well and good, I would still NEED to set up the "allows" for what traffic (port traffic) is ALLOWed to/from xxx.xxx.xxx.233 / 192.168.1.6

        If that's the case, then, any ideas why, when I set up a 1:1 NAT for xxx.xxx.xxx.233 <-> 192.168.1.6, ports that the game server used were able to be accessed/"talked to" from the game client (being run off the residential, so definitely not an internal LAN IP, thus "outside") when I hadn't set up any rules?

        This leads me to believe maybe I missed a step in creating the 1:1 NAT, which is, I suppose, allowing all traffic right from the get-go?  That's not good or desired. :p

        Yeah, here is a post from jimp:

        https://forum.pfsense.org/index.php?topic=84214.msg461907#msg461907

        Where he states, "The ports are not automatically exposed: 1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server."

        I have no idea then how I was able to log in to my game server when all I had was the 1:1 NAT (Firewall -> NAT -> 1:1).  :(

        A screenshot of the 1:1 NAT for xxx.xxx.xxx.233 <-> 192.168.1.6 in case it might help anyone follow along/assist:

        http://i.imgur.com/td2mnyw.jpg

        Derelict (LAYER 8, Netgate)

          If the ports are not open you cannot connect from the outside despite what NAT rules you have in place.

          Did you enable UPnP or something?

          You're using both of these in the same place. Sure they're not sharing the same LAN somehow?

          You do not need a Layer 3 switch to use VLANs. VLANs are Layer 2. You just need a managed switch. You can get a 5-port managed switch for under $40, an 8-port for under $50.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          botchedup

            @Derelict:

            If the ports are not open you cannot connect from the outside despite what NAT rules you have in place.

            Did you enable UPnP or something?

            Not to my knowledge, I'll try to find where that/those settings may be though.

            @Derelict:

            You're using both of these in the same place. Sure they're not sharing the same LAN somehow?

            I'm positive.  I used a laptop connected directly (and barely, ugh I know) to the residential cable modem, which ran the game client.  The game server is indeed on the business line via procurve switch via pfsense.

            @Derelict:

            You do not need a Layer 3 switch to use VLANs. VLANs are Layer 2. You just need a managed switch. You can get an 5-port managed switch for under $40. 8-port for under $50.

            Oh, well... that is -very- nice to read then.  I have one of those; the HP ProCurve 1810G-24 I have is Layer 2.  (But for now, I'm putting off the VLANing, as I don't plan to "rent" out a VM at this time; the VM we're discussing now is going to run -my- game server.)

            *Ok, found Services -> UPnP & NAT-PMP

            http://i.imgur.com/cwCYmFY.jpg

            http://i.imgur.com/mDox44U.jpg

            I really have no idea what on my net is using .200, if anything.  Pinging it results in nothing; maybe something that was once on my LAN (it's outside the DHCP range, which has existed on this thing for 3-4 years, so it was something statically assigned at some point).  Would UPnP, the way it is configured, have caused me outside access to xxx.xxx.xxx.233 <-> 192.168.1.6?

            So you confirm: even if I have 1:1 NAT set, until I open the ports (via Firewall -> Rules -> WAN and/or Firewall -> NAT -> Port Forward, if I'm understanding things correctly) it should NOT be able to be accessed from the outside.  Then I am definitely at a loss with my limited knowledge. :/

            All I can do is help with showing my configs and I'll do so gladly.

            Derelict (LAYER 8, Netgate)

              UPnP and NAT-PMP allow things inside your network (like gaming consoles and malware) to open inbound firewall rules.

              Most who care about security consider them to be something of a bad idea. Hence they are both disabled by default.


              botchedup

                @Derelict:

                No idea. You need to pass the ports you need to pass. This thread should probably be split into Gaming.

                I know the ports I need to pass, just not quite sure the method of doing so.

                
                TCP      3360       -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
                TCP/UDP  5998-5999  -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
                TCP/UDP  7778       -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
                UDP      7000-7500  -> 192.168.1.6 -> xxx.xxx.xxx.233 (VIP)
                
                

                I mean, port forwarding I'm comfortable with.  But doing just that still results in the game server (VM) showing xxx.xxx.xxx.237 (pfSense's WAN) in a "what is my ip" via browser, vice xxx.xxx.xxx.233 (the VM's VIP).

                Derelict (LAYER 8, Netgate)

                  To choose a specific VIP for outbound connections you need outbound NAT, not port forwards.

                  Unless you have a 1:1 in place that matches.


                  botchedup
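The two points Derelict makes in this thread, that NAT rules only translate addresses and never pass traffic by themselves, and that the address a host is seen from when it initiates a connection comes from outbound NAT (or from a 1:1 mapping that covers it), are easier to see in the raw pf syntax that pfSense generates from its GUI. What follows is an added example written for this page; it is not the poster's ruleset and not pfSense's literal generated output. It assumes a WAN interface named em0, the documentation addresses 203.0.113.237 (WAN) and 203.0.113.233 (VIP) in place of the redacted xxx.xxx.xxx addresses, and the game VM at 192.168.1.6 with the ports the poster listed.

```pf
# Added example, not from the thread. FreeBSD/pfSense pf syntax.
# Assumed: WAN interface em0, WAN 203.0.113.237, VIP 203.0.113.233
# (stands in for xxx.xxx.xxx.233), game VM 192.168.1.6.
ext_if   = "em0"
wan_addr = "203.0.113.237"
game_vip = "203.0.113.233"
game_srv = "192.168.1.6"
game_tcp = "{ 3306, 5998:5999, 7778 }"
game_udp = "{ 5998:5999, 7778, 7000:7500 }"

# ---- Setup A: 1:1 NAT (Firewall -> NAT -> 1:1) ----
# binat rewrites BOTH directions: inbound dst 203.0.113.233 becomes
# 192.168.1.6, and the VM's own outbound connections leave with src
# 203.0.113.233. That is why "what is my ip" showed the VIP.
# It opens nothing: with no pass rule below, inbound is still dropped.
binat on $ext_if from $game_srv to any -> $game_vip

# ---- Setup B: port forward + outbound NAT, used INSTEAD of binat ----
# rdr only handles inbound. Without the matching nat rule, the VM's own
# connections fall through to the default outbound NAT and show up as
# the WAN address 203.0.113.237, which is what the poster observed when
# only port forwards were in place.
# rdr on $ext_if inet proto tcp from any to $game_vip port $game_tcp -> $game_srv
# rdr on $ext_if inet proto udp from any to $game_vip port $game_udp -> $game_srv
# nat on $ext_if from $game_srv to any -> $game_vip

# ---- Filter rules, required in either setup ----
# Translation runs before filtering, so WAN rules match the translated
# (internal) destination, exactly as pfSense's generated rules do.
# No source restriction: players connect from anywhere.
block in on $ext_if all
pass in quick on $ext_if inet proto tcp from any to $game_srv port $game_tcp
pass in quick on $ext_if inet proto udp from any to $game_srv port $game_udp
```

On a pfSense box the ruleset the GUI produced can be read in /tmp/rules.debug, and `pfctl -s nat` and `pfctl -s rules` show what is actually loaded. Two practical caveats. TCP 3306 is the MySQL port; if only the game server process talks to that database, the pass rule for it should be dropped rather than exposed to every source on the internet. And since UPnP was what made the earlier 1:1 setup "work" with no rules at all, mappings a LAN host adds through it live in pfSense's separate miniupnpd anchor (`pfctl -a miniupnpd -s nat`, `pfctl -a miniupnpd -s rules`), which is the place to look whenever traffic passes that no visible rule allows.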

                    I have a 1:1 in place:

                    http://i.imgur.com/Yc8szPa.jpg

                    I have these port forwards (whether or not it's done correctly, I don't know, never did port forwarding on VIP's before):

                    http://i.imgur.com/KQKBvwt.jpg

                    So, now all that is left (if I am following correctly and assume the port forwards above are correct as well) is to make Outbound NAT rules, which I'm completely lost on (the format it shows for the ones that do exist makes sense; the moment I press "Add" and am presented with that screen, I'm lost).  I filled in what I think is right, thus far, but I'm not sure what else should go where on this screen:

                    http://i.imgur.com/BZNwfld.jpg

                    Derelict (LAYER 8, Netgate)

                      What is the real, assigned IP address on the game server (VM)? Not the address that's port forwarded, not the address you want it to appear as on the internet, the real IP address on your network for that server.

                      What, exactly, do you want to happen for inbound connections to that VM?

                      What, exactly, do you want to happen for outbound connections from that VM?

                      Be specific. Ports, destinations, everything.

                      This all really does work. It does exactly what you tell it to do.


                      botchedup

                        @Derelict:

                        What is the real, assigned IP address on the game server (VM)? Not the address that's port forwarded, not the address you want it to appear as on the internet, the real IP address on your network for that server.

                        192.168.1.6 (LAN) that's the real address of the VM

                        @Derelict:

                        What, exactly, do you want to happen for inbound connections to that VM?

                        I want inbound to be able to connect via the game server's (software) ports that it's listening on and using to receive/send data for that game.  Specifically ports:

                        TCP 3306
                        TCP/UDP  5998-5999
                        TCP/UDP 7778
                        UDP 7000-7500

                        @Derelict:

                        What, exactly, do you want to happen for outbound connections from that VM?

                        I want them to go to the player connecting from the Internet, using the same ports they came in on.

                        But I want their game client to "go" to xxx.xxx.xxx.233 and I want the server to respond back to them as xxx.xxx.xxx.233

                        @Derelict:

                        This all really does work. It does exactly what you tell it to do.

                        Of that I have no doubt.  I'm just not fluent in its language unfortunately. :/  If I didn't address a parameter you were seeking, please let me know.  I AM trying though, I promise you.

                        Derelict (LAYER 8, Netgate)

                          You do not have to do anything to get replies to go back out the IP address the connection came in on.

                          That is completely disconnected from the IP address you get when INITIATING A CONNECTION from the same host.


                          botchedup

                            @Derelict:

                            You do not have to do anything to get replies to go back out the IP address the connection came in on.

                            That is completely disconnected from the IP address you get when INITIATING A CONNECTION from the same host.

                            Ok.

                            Well, at this point.  I have a 1:1 NAT setup.

                            http://i.imgur.com/Yc8szPa.jpg

                            So simply setting up Port Forwarding should allow the game server to serve the game.

                            That didn't do the trick.

                            So I figured there was MORE I had to do.

                            See, this is what I did (Port Forwarding):

                            http://i.imgur.com/tGXKmr6.jpg

                            The client still cannot connect successfully.  Now, when I had just the 1:1 NAT and UPnP enabled, things worked, but, as you noted, UPnP is bad, so it's disabled.

                            I may be way off, but I sense a frustration.  I'm sorry, I'm clueless.  But, I'll admit that over and again.

                            botchedup

                              Zinga.

                              It's working.

                              At some point, likely while trying to figure out how to make the ISP-provided gateway a "dumb modem" or "pass-through" (according to what I've read), since it is unable to go into "true bridged mode" without losing its configuration for static IPs... I managed to deviate from the original video in my OP.

                              After the 1:1 NAT, I should have (and have now done) added the Firewall -> Rules manually.  I did that in accordance with the video, and it works.  No Firewall -> NAT -> Port Forward, no Firewall -> NAT -> Outbound NAT, just Firewall -> Rules -> WAN.

                              Ugh.  I'm sure there are some following giving the ole "SMH", and perhaps I will later down the line as well, as I continue to learn not just -what- to do, but why.  However, for now, I'm just happy things are working.  I feel comfortable I'll keep the business line and can now call tomorrow to cancel the residential.

                              Derelict, I do greatly appreciate your assistance.  I hope I didn't frustrate you/matters too much.  I'll learn to walk one day, much less get out of diapers.  And I promise to pay it forward once I know my knowledge is sound and am within my limits to assist properly.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.