Netgate Discussion Forum

    Public IPs on lan

    14 Posts 4 Posters 996 Views
    • Derelict (LAYER 8 Netgate)

      Your ISP should not be putting the 37.19.126.160/27 network as a secondary on the same interface.

      They should be routing 37.19.126.160/27 to you on an address on 37.19.125.48/28.

      If they do that everything will work fine.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • drorzeno

        Hey,
        These are not the subnets of my ISP.
        The subnets of my ISP are above in the first post.

        When I disable NAT and create a VIP for the public IP, I can ping from outside, but I do not have internet from internal.
        What am I missing here?

        • Derelict (LAYER 8 Netgate)

          Right I was just correcting it.

          They should not be adding the /27 as a secondary network on the WAN interface. They should be routing it to you instead.

          If they were routing it they would not be giving you a gateway address for it.

          • drorzeno

            Oh, sorry, I confused you.
            I set up the IP of the WAN and the LAN.

            My situation is like this.
            I have 2 subnets.
            One:
            37.19.126.164-190
            GW: 37.19.126.163
            SN: 255.255.255.224

            The second:
            37.19.125.52-62
            GW: 37.19.125.51
            SN: 255.255.255.240

            They are all routed to me through one cable that reaches my WAN port.

            I want to use these external addresses on the servers behind the pfSense.
            I read that I need to turn off NAT and create a VIP; that's what I did, and I manage to ping the server, but from the server I have no internet out.

            What else do I need to do?
            Would appreciate help.

            • Derelict (LAYER 8 Netgate)

              This is the difference:

              From the ISP's perspective:

              Not good:

              interface GigabitEthernet0/0
                ip address 37.19.125.49 255.255.255.240
                ip address 37.19.126.163 255.255.255.224 secondary

              Good:

              interface GigabitEthernet0/0
                ip address 37.19.125.49 255.255.255.240

              ip route 37.19.126.160 255.255.255.224 37.19.125.52

              If they are routing it you do not need to assign VIPs or anything. You just address the inside interface properly and disable NAT.

              If you do not have ANY VIPs from the second network on your WAN interface, and you packet capture and do something like ping an address on the secondary network from the outside, you will see one of two things:

              The ISP does an ARP request for the address - this means they have configured you the Not good way.

              The ICMP echo request will arrive on the WAN interface with the address on the secondary network as the destination address and your router's WAN MAC address as the destination MAC address. This means it is routed to you and you can proceed.

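One way to make the packet-capture test above concrete, as an added example that is not from this thread: a small Python script that builds the two kinds of frame you could see on WAN while pinging an address in the /27 from outside, and classifies each one the way the post describes. The /27 is from the thread; the MACs and the outside source address are constructed placeholders.

```python
import ipaddress
import struct

# The routed /27 from the thread; the MACs and outside source below are constructed (hypothetical).
SECONDARY_NET = ipaddress.ip_network("37.19.126.160/27")
WAN_MAC = bytes.fromhex("02000000aa01")   # pfSense WAN MAC (constructed)
ISP_MAC = bytes.fromhex("02000000bb01")   # ISP router MAC (constructed)
BROADCAST = b"\xff" * 6
ETH_ARP, ETH_IP = 0x0806, 0x0800

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Frame the ISP sends if the /27 is a secondary on its interface: 'who has target_ip?'."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IP, 6, 4, 1, sender_mac,
                      ipaddress.ip_address(sender_ip).packed, b"\x00" * 6,
                      ipaddress.ip_address(target_ip).packed)
    return BROADCAST + sender_mac + struct.pack("!H", ETH_ARP) + arp

def build_icmp_echo(dst_mac, src_mac, src_ip, dst_ip):
    """Frame the ISP sends if it routes the /27 to you: echo request to dst_ip, MAC-addressed to dst_mac."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # echo request; checksums left zero, not validated here
    return dst_mac + src_mac + struct.pack("!H", ETH_IP) + ip_hdr + icmp

def classify_frame(frame, wan_mac=WAN_MAC):
    """Apply the test to one WAN frame captured while pinging a secondary-net address from outside."""
    dst_mac = frame[:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_ARP:
        op = struct.unpack("!H", frame[20:22])[0]          # ARP opcode: 1 = request
        target_ip = ipaddress.ip_address(frame[38:42])    # ARP target protocol address
        if op == 1 and target_ip in SECONDARY_NET:
            return "NOT GOOD: ISP ARPs for a secondary-net address, so the /27 is a secondary on their interface"
        return "unrelated"
    if ethertype == ETH_IP:
        proto = frame[14 + 9]                             # IPv4 protocol field: 1 = ICMP
        dst_ip = ipaddress.ip_address(frame[14 + 16:14 + 20])
        if proto == 1 and dst_ip in SECONDARY_NET:
            if dst_mac == wan_mac:
                return "GOOD: echo request for the /27 arrives addressed to your WAN MAC, so the ISP routes it to you"
            return "CHECK: echo request for the /27 is addressed to another MAC (a VIP or the ISP's ARP result)"
    return "unrelated"

if __name__ == "__main__":
    print(classify_frame(build_arp_request(ISP_MAC, "37.19.126.163", "37.19.126.165")))
    print(classify_frame(build_icmp_echo(WAN_MAC, ISP_MAC, "198.51.100.7", "37.19.126.165")))
```

On a real capture you would feed each frame from the pcap to classify_frame in turn; a single NOT GOOD verdict is enough to go back to the ISP.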
              • drorzeno

                Ok, I can ping the second subnet.
                I can ping 165 (the server).
                But I can't ping or do anything else from the server…
                Is it related to the ISP?

                • Derelict (LAYER 8 Netgate)

                  You are not providing enough information.

                  I have no idea what the 165 server is. Please be complete and specific.

                  • drorzeno

                    See the pictures: lan.JPG, wan.JPG, outbound.JPG, vip.JPG, pingToServer.JPG, serverToOut.JPG

                    • Derelict (LAYER 8 Netgate)

                      Right. Delete the Virtual IP and do the test I described above. Pinging the VIP address from the outside is pinging the VIP address, not the inside server at all.

                      If they ARP for it, you will have nothing but problems.

                      If they send the traffic to your WAN MAC address addressed to the .165 address it can be made to work.

                      • drorzeno

                        Okay I understand.
                        Thank you so much for help!

                        • SammyWoo

                          To expose specific internal servers to the outside, people either place them in the DMZ or use port forwarding. Turning off NAT is just a foreign concept… NAT is your firewall; you want to bypass the firewall and expose your internal to the outside world? Plus, unless you purchased an IP for EACH of your clients, the NAT is there so that you can have more clients than purchased static WAN IPs.

                          If this is what you want anyway, never mind, I am no help.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.