Netgate Discussion Forum

Passing block of public IP's to internal host on ESXi Appliance

HA/CARP/VIPs
17 Posts 2 Posters 2.7k Views
aasimbeck

@KOM:

Before I can answer, you have to realize that for this to work then pfSense will have to become your primary firewall/router.  You didn't answer my previous questions so I don't really know what's going on with your network.  If you have another firewall/router between your cablemodem and pfSense then you have a double NAT config that won't work as you expect.

The usual configuration would be to use your ESXi box's NICs as the pfSense WAN and LAN.  Plug the WAN NIC into your cablemodem.  Plug the LAN NIC into your physical switch and connect your desktops to that switch.  Create equivalent vSwitches for WAN and LAN and map your pfSense WAN and LAN interfaces to it.  Create a vSwitch called DMZ or whatever, connect it to no NIC, add it as a DMZ interface in pfSense and move the CentOS box to that network so you can segment it away from your LAN.  Then you can create your VIPs and NATs, and map the NATs to the VIPs you want.

Sorry, I did neglect to answer that. I am using pfSense as my primary.

I have fiber; it hands off into a Juniper switch. From there it connects to pfSense. pfSense is handling DHCP, firewall, NAT, etc. It is the edge device for my network, and the only routing device.

Would you mind showing me a few screenshots of your config?
KOM

Here is a screen from my host that handles pfSense.  pfSense's WAN is connected to Internet (vSwitch3), and LAN connects to LAN (vSwitch1).

[attachment: vmware-networking.png]
aasimbeck

@KOM:

Here is a screen from my host that handles pfSense.  pfSense's WAN is connected to Internet (vSwitch3), and LAN connects to LAN (vSwitch1).

Ok, the only difference that I have is that pfSense is a hardware appliance. I do not have it virtualized.

WAN --> pfSense --> LAN
                --> OPT1 (that I intend on passing those virtual IPs through to CentOS)
KOM

I find pfSense so much better to manage virtually than physically.
aasimbeck

Once these IPs are assigned under Virtual IPs, would my NAT Mappings be 1:1? What will the gateway and netmask be on each IP once they're assigned in my CentOS box?

Thanks
KOM

would my NAT Mappings be 1:1?

Could be, but if you just want to open a port or two then a more specific port forward will do.

What will the gateway and netmask be on each IP once they're assigned in my CentOS box?

Gateway would be the IP address of the pfSense interface it's connected to, netmask is usually /24 (255.255.255.0) on a small LAN.
aasimbeck

Ok,
So my pfSense installation is not virtual. It is a physical deployment.

I have three NICs. One is the WAN to the fiber carrier, the other is the LAN for my office network, and the last is unused right now.

I need to pass as many usable IPs as possible from a statically routed /29 range to the NIC on my web server, which is CentOS virtualized on ESXi.

Thanks
KOM

This was your original requirement, correct?  So what have you done and what result did you get?  I believe I've already told you everything you need to know to get this working.  Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box.  Boom, done.
aasimbeck

@KOM:

This was your original requirement, correct?  So what have you done and what result did you get?  I believe I've already told you everything you need to know to get this working.  Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box.  Boom, done.

Yes, here is a screenshot of the configuration of the Virtual IP assignment.

My confusion is at the 1:1 NAT. I do not want to assign a LAN IP to this. I simply want to pass the usable IPs that are statically routed to me through my ISP.

Thanks

![Screen Shot 2017-02-22 at 3.57.43 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-22 at 3.57.43 PM.png)
KOM

A port-forward / 1:1 NAT must be mapped to something.  In your case you would map it to the local IP of the CentOS box.  That's how it works.  And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.
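To make the two answers above concrete (create Virtual IPs for the routed block, then map each VIP to a DMZ host with either 1:1 NAT or a port forward, with the host's gateway being the pfSense OPT1 address), here is an added Python model of that translation. It is not pfSense code and not from either poster; the /29, the DMZ subnet, the WAN address and the host addresses are all constructed documentation-range values, and the rule that port forwards are consulted before the 1:1 table is how this model orders them. It shows the six usable VIPs a /29 yields, the netmask and gateway the CentOS guest gets, that 1:1 NAT translates every port in both directions (so WAN firewall rules still decide what is reachable), and that a port forward exposes only the one port it names.

```python
"""Model of Virtual IPs, 1:1 NAT and port forwards on a pfSense-style edge.

Added illustration for this thread, not pfSense code. Every address below is a
constructed documentation-range value, not the poster's real allocation.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

ROUTED_BLOCK = ip_network("203.0.113.8/29")  # constructed: the /29 the ISP routes to the WAN
DMZ_NET = ip_network("10.10.10.0/24")        # constructed: subnet on OPT1, used as the DMZ
DMZ_GATEWAY = DMZ_NET[1]                     # pfSense's OPT1 address = the guest's default gateway
WAN_ADDR = ip_address("198.51.100.2")        # constructed: pfSense WAN address


def usable_vips(block: IPv4Network) -> list[IPv4Address]:
    """Addresses of the routed block that can be added as Virtual IPs.
    Network and broadcast addresses are excluded, so a /29 yields six."""
    return list(block.hosts())


def host_settings(dmz_net: IPv4Network, gateway: IPv4Address) -> dict:
    """What the CentOS guest on OPT1 is configured with. The public VIP never
    appears on the guest; pfSense alone holds it and translates to/from it."""
    return {"netmask": str(dmz_net.netmask), "gateway": str(gateway)}


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


class NatTable:
    def __init__(self, routed_block: IPv4Network, dmz_net: IPv4Network, gateway: IPv4Address):
        self.vips = set(usable_vips(routed_block))
        self.dmz_net = dmz_net
        self.gateway = gateway
        self.one_to_one: dict[IPv4Address, IPv4Address] = {}  # public VIP -> DMZ host
        self.port_forwards: dict[tuple, tuple] = {}            # (VIP, proto, port) -> (host, port)

    def _check(self, public: IPv4Address, private: IPv4Address) -> None:
        if public not in self.vips:
            raise ValueError(f"{public} is not a usable VIP in the routed block")
        if private not in self.dmz_net or private == self.gateway:
            raise ValueError(f"{private} is not a host address on the DMZ")

    def add_one_to_one(self, public, private):
        """1:1 NAT: one VIP to one DMZ host, all ports and protocols, both directions."""
        self._check(public, private)
        if public in self.one_to_one or private in self.one_to_one.values():
            raise ValueError("1:1 NAT must stay one-to-one on both sides")
        self.one_to_one[public] = private

    def add_port_forward(self, public, proto, port, private, private_port=None):
        """Port forward: a single VIP/protocol/port to a DMZ host; nothing else reaches it."""
        self._check(public, private)
        self.port_forwards[(public, proto, port)] = (private, private_port or port)

    def inbound(self, pkt: Packet):
        """Destination translation for a packet arriving on WAN. Returns None when no
        rule maps it: the VIP is routed here, but pfSense has nowhere to send it.
        Port forwards are consulted before the 1:1 table in this model."""
        key = (pkt.dst, pkt.proto, pkt.dport)
        if key in self.port_forwards:
            private, port = self.port_forwards[key]
            return replace(pkt, dst=private, dport=port)
        if pkt.dst in self.one_to_one:
            return replace(pkt, dst=self.one_to_one[pkt.dst])
        return None

    def outbound(self, pkt: Packet, wan_addr: IPv4Address) -> Packet:
        """Source translation for a DMZ host going out. 1:1 NAT is symmetric, so a
        mapped host leaves with its VIP; anything else leaves with the WAN address."""
        for public, private in self.one_to_one.items():
            if pkt.src == private:
                return replace(pkt, src=public)
        return replace(pkt, src=wan_addr)


def demo() -> dict:
    """Two DMZ hosts: the web server on a 1:1 VIP, a mail host with only SMTP forwarded."""
    nat = NatTable(ROUTED_BLOCK, DMZ_NET, DMZ_GATEWAY)
    web, mail = ip_address("10.10.10.50"), ip_address("10.10.10.51")  # constructed DMZ hosts
    nat.add_one_to_one(ip_address("203.0.113.10"), web)
    nat.add_port_forward(ip_address("203.0.113.11"), "tcp", 25, mail)
    client = ip_address("192.0.2.77")                                 # constructed remote client
    return {
        # 1:1 carries SSH to the web host too; only a WAN firewall rule can stop that
        "web_ssh": nat.inbound(Packet(client, 40000, ip_address("203.0.113.10"), 22)),
        "mail_smtp": nat.inbound(Packet(client, 40001, ip_address("203.0.113.11"), 25)),
        "mail_ssh": nat.inbound(Packet(client, 40002, ip_address("203.0.113.11"), 22)),  # None
        "web_out": nat.outbound(Packet(web, 5000, client, 443), WAN_ADDR),
        "mail_out": nat.outbound(Packet(mail, 5001, client, 443), WAN_ADDR),
    }


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:10} {pkt}")
```

Run it directly to see the translated packets. The `_check` method is the part worth keeping in mind when filling in the pfSense forms: a VIP outside the routed block, or a mapping to the OPT1 gateway address itself, is a configuration error that the GUI will not necessarily catch for you.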
aasimbeck

@KOM:

A port-forward / 1:1 NAT must be mapped to something.  In your case you would map it to the local IP of the CentOS box.  That's how it works.  And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.

Ok, so I will run a physical Ethernet cable between my OPT1 interface and a physical interface on my ESXi server. I'll assign that interface to CentOS within the ESXi controller.

What will my configuration look like in pfSense?

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.