Passing block of public IP's to internal host on ESXi Appliance
-
@KOM:
Before I can answer, you have to realize that for this to work then pfSense will have to become your primary firewall/router. You didn't answer my previous questions so I don't really know what's going on with your network. If you have another firewall/router between your cablemodem and pfSense then you have a double NAT config that won't work as you expect.
The usual configuration would be to use your ESXi box's NICs as the pfSense WAN and LAN. Plug the WAN NIC into your cablemodem. Plug the LAN NIC into your physical switch and connect your desktops to that switch. Create equivalent vSwitches for WAN and LAN and map your pfSense WAN and LAN interfaces to it. Create a vSwitch called DMZ or whatever, connect it to no NIC, add it as a DMZ interface in pfSense and move the CentOS box to that network so you can segment it away from your LAN. Then you can create your VIPs and NATs, and map the NATs to the VIPs you want.
Sorry, I did neglect to answer that. I am using PFsense as my primary.
I have fiber, it hands off into a Juniper Switch. From there it connects to PFsense. PFsense is handling DHCP, Firewall, NAT, etc. It is the edge device for my network, and the only routing device.
Would you mind showing me a few screenshots of your config?
-
Here is a screen from my host that handles pfSense. pfSense's WAN is connected to Internet (vSwitch3), and LAN connect to LAN (vSwitch1).
-
@KOM:
Here is a screen from my host that handles pfSense. pfSense's WAN is connected to Internet (vSwitch3), and LAN connect to LAN (vSwitch1).
Ok, the only difference that I have is PFSense is a hardware appliance. I do not have it virtualized.
WAN –> PFSENSE --> LAN
--> OPT1 (That I intend on passing those virtual IP's through to CentOS) -
I find pfSense so much better to manage virtually than physically.
-
Once these IP's are assigned under virtual IPs, would my NAT Mappings be 1:1? What will the gateway and netmask be on each IP once they're assigned in my CentOS box?
Thanks
-
would my NAT Mappings be 1:1?
Could be, but if you just want to open a port or two then a more specific port forward will do.
What will the gateway and netmask be on each IP once they're assigned in my CentOS box?
Gateway would be the IP address of the pfSense interface it's connected to, netmask is usually /24 (255.255.255.0) on a small LAN.
-
Ok,
So my PFsense installation is not virtual. It is a physical deployment.I have three NIC's. 1 is the WAN to the Fiber Carrier, the other is the LAN for my office network, and the last is unused right now.
I need to pass as many usable IP's from a statically routed /29 range to the NIC on my WebServer which is CENTos virtualized on ESXi
Thanks
-
This was your original requirement, correct? So what have you done and what result did you get? I believe I've already told you everything you need to know to get this working. Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box. Boom, done.
-
@KOM:
This was your original requirement, correct? So what have you done and what result did you get? I believe I've already told you everything you need to know to get this working. Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box. Boom, done.
Yes, here is a screenshot of the configuration of the Virtual IP Assignment.
My confusion is at the 1:1 NAT. I do not want to assign a LAN IP to this. I simply want to pass the usable IP's that are statically routed to my through my ISP.
Thanks
 -
A port-forward / 1:1 NAT must be mapped to something. In your case you would map it to the local IP of the CentOS box. That's how it works. And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.
-
@KOM:
A port-forward / 1:1 NAT must be mapped to something. In your case you would map it to the local IP of the CentOS box. That's how it works. And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.
Ok, so I will run a physical ethernet cable between my OPT1 interface and a physical interface on my ESXi Server. I'll assign that interface to CENTOS within the ESXI Controller.
What will my configuration look like in PFsense?
