Netgate Discussion Forum
    Public IPs on lan

    NAT
      drorzeno

      Hey,

      I have 2 subnets from the ISP and one WAN connection.
      I want the servers on the LAN to be able to accept the public IPs directly.

      Subnet 1:
      IPs - 37.19.125.52-62
      subnet - 255.255.255.240

      Subnet 2:
      37.19.126.164-190
      GW: 37.19.126.163
      SN: 255.255.255.224

      The WAN IP is 37.19.125.53.
      The LAN IP is 37.19.126.164.

      I tried with NAT etc. and I can't set this up to work…

      Please help, Thank you!

        JKnott

        First off, if you have public addresses, you don't use NAT. NAT was created to get around the IPv4 address shortage by allowing multiple devices to share one address. Since you have a subnet, you don't need NAT. Also, if you have subnet 1 available, why is the WAN address within it? Do you actually want 2 IPv4 subnets on the same LAN, without the benefit of VLANs etc.?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

          drorzeno

          Hey,
          First, thank you for your response.
          I really want to use VLANs, but currently it does not work for me without VLANs at all..
          Once I turn off NAT I have no access to the world and vice versa.

          What can you advise me about the WAN IP address?
          I also want to separate addresses into VLANs and even create virtual subnets.
          For example, 37.19.126.164-190 becomes
          37.19.126.169/29
          and 37.19.126.177/28

            Derelict (LAYER 8, Netgate)

            Your ISP should not be putting the 37.19.126.160/27 network as a secondary on the same interface.

            They should be routing 37.19.126.160/27 to you on an address on 37.19.125.48/28.

            If they do that everything will work fine.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              drorzeno

              Hey,
              These are not the subnets of my ISP.
              The subnets of my ISP are in the first post above.

              When I disable NAT and create a VIP for the public IP, I can ping from outside, but I do not have internet from the inside.
              What am I missing here?

                Derelict (LAYER 8, Netgate)

                Right I was just correcting it.

                They should not be adding the /27 as a secondary network on the WAN interface. They should be routing it to you instead.

                If they were routing it they would not be giving you a gateway address for it.


                  drorzeno

                  Oh, sorry, I confused you.
                  I set up the IP of the WAN and the LAN.

                  My situation is like this.
                  I have 2 subnets.
                  One -
                  37.19.126.164-190
                  GW: 37.19.126.163
                  SN: 255.255.255.224

                  The second -
                  37.19.125.52-62
                  SN: 255.255.255.240
                  GW: 37.19.125.51

                  They are all routed to me through one cable that reaches my WAN port.

                  I want to use these external addresses on the servers behind the pfsense.
                  I read that I need to turn off NAT and create a VIP, which is what I did, and I manage to ping the server, but from the server I have no internet out.

                  What else do I need to do?
                  Would appreciate help.

                    Derelict (LAYER 8, Netgate)

                    This is the difference:

                    From the ISP's perspective:

                    Not good:

                    interface GigabitEthernet0/0
                      ip address 37.19.125.49 255.255.255.240
                      ip address 37.19.126.163 255.255.255.224 secondary

                    Good:

                    interface GigabitEthernet0/0
                      ip address 37.19.125.49 255.255.255.240

                    ip route 37.19.126.160 255.255.255.224 37.19.125.52

                    If they are routing it you do not need to assign VIPs or anything. You just address the inside interface properly and disable NAT.

                    If you do not have ANY VIPs from the second network on your WAN interface and you packet capture and do something like ping an address on the secondary network from the outside, you will see one of two things:

                    The ISP does an ARP request for the address - this means they have configured you the Not good way.

                    The ICMP echo request will arrive on the WAN interface with the address on the secondary network as the destination address and your router's WAN MAC address as the destination MAC address. This means it is routed to you and you can proceed.


                      drorzeno

                      OK, I can ping the second subnet.
                      I can ping 165 (the server).
                      But I can't ping or do anything else from the server…
                      Is it related to the ISP?

                        Derelict (LAYER 8, Netgate)

                        You are not providing enough information.

                        I have no idea what the 165 server is. Please be complete and specific.


                          drorzeno

                          See the pictures

                          [Attached screenshots: lan.JPG, wan.JPG, outbound.JPG, vip.JPG, pingToServer.JPG, serverToOut.JPG]

                            Derelict (LAYER 8, Netgate)

                            Right. Delete the Virtual IP and do the test I described above. Pinging the VIP address from the outside is pinging the VIP address, not the inside server at all.

                            If they ARP for it, you will have nothing but problems.

                            If they send the traffic to your WAN MAC address addressed to the .165 address it can be made to work.


                              drorzeno
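As an added example (not code from the thread, from pfSense or from Netgate), the packet-capture test Derelict describes above, scripted: it reads `tcpdump -e -n` style lines taken on the WAN interface while an outside host pings an address in the /27 and reports whether the ISP is ARPing for that address (the block is a secondary on their interface, the "Not good" case) or forwarding it as a unicast frame to the pfSense WAN MAC (the block is routed, the "Good" case). It also checks that the next hop of the "Good" static route sits inside the WAN /28. The capture lines and both MAC addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of "tcpdump -e -n" output on the pfSense WAN while an outside host
# pings 37.19.126.165. Not a real capture; the MAC addresses are placeholders.
WAN_MAC = "00:0c:29:aa:bb:cc"  # assumed pfSense WAN MAC
SECOND_NET = "37.19.126.160/27"
SECONDARY_CAPTURE = [  # ISP asks who has .165: it treats the /27 as on-link ("Not good")
    "10:00:01.000000 00:1a:2b:3c:4d:5e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Request who-has 37.19.126.165 tell 37.19.126.163, length 28",
]
ROUTED_CAPTURE = [  # ISP forwards the echo request to our WAN MAC: the /27 is routed ("Good")
    "10:00:01.000000 00:1a:2b:3c:4d:5e > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), "
    "length 98: 8.8.8.8 > 37.19.126.165: ICMP echo request, id 7, seq 1, length 64",
]

FRAME_RE = re.compile(r"^\S+ (\S+) > (\S+), ethertype (\w+) \(0x[0-9a-f]+\), length \d+: (.*)$")
ARP_RE = re.compile(r"Request who-has (\d+\.\d+\.\d+\.\d+) tell")
IP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):")


def classify_delivery(lines, wan_mac, second_net):
    """Return 'secondary', 'routed' or 'unknown' for how the ISP hands us second_net."""
    net = ipaddress.ip_network(second_net)
    for line in lines:
        m = FRAME_RE.match(line)
        if not m:
            continue
        _src_mac, dst_mac, ethertype, payload = m.groups()
        if ethertype == "ARP":
            arp = ARP_RE.search(payload)
            # An ARP request for one of our block's addresses means the ISP router
            # believes the block is directly connected (configured as a secondary).
            if arp and ipaddress.ip_address(arp.group(1)) in net:
                return "secondary"
        elif ethertype == "IPv4":
            ip = IP_RE.match(payload)
            # A unicast frame to our WAN MAC whose IP destination is inside the block
            # means the ISP routes the block to us and pfSense can simply forward it.
            if ip and dst_mac.lower() == wan_mac.lower() and ipaddress.ip_address(ip.group(2)) in net:
                return "routed"
    return "unknown"


def next_hop_is_on_link(route_line, wan_net):
    """Check that an IOS 'ip route NET MASK NEXTHOP' points at a host in the WAN /28."""
    _, _, _net, _mask, next_hop = route_line.split()
    return ipaddress.ip_address(next_hop) in ipaddress.ip_network(wan_net)
```

On pfSense the real input would come from Diagnostics > Packet Capture or `tcpdump -e -n -i <wan_if>` while the VIP is deleted, as the post says; with the VIP present the reply comes from pfSense itself and proves nothing about the ISP side.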

                              Okay I understand.
                              Thank you so much for help!

                                SammyWoo

                                To expose specific internal servers to the outside, people either place them in the DMZ or use port forwarding. Turning off NAT is just a foreign concept… NAT is your firewall; you want to bypass the firewall and expose your internal network to the outside world? Plus, unless you purchased an IP for EACH of your clients, NAT is there so that you can have more clients than purchased static WAN IPs.

                                If this is what you want anyway, never mind, I am no help.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.