
    Multi-Static IP configuration using bridged Hitron

General pfSense Questions (26 posts, 4 posters, 3.6k views)
ankh

Hi all,

I've just had installed a Hitron router, currently operating in bridge mode, for my Virgin Media Business connection. My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space. pfSense is currently configured on its WAN port to a static IPv4 at .178 and I have outbound traffic working fine.

My question is, how can I port-forward inbound requests to, say, a webserver on .180 via pfSense sat at .178? Should pfSense use something other than a static IP to talk to the Hitron (PPPoE? - not sure if even supported by the Hitron). Could I put the WAN adaptor in promiscuous mode to capture any packets appearing from the Hitron?

Thanks!

Richard.
JKnott

How many devices do you have on the LAN? If no more than 6, you don't need NAT, which means you don't port forward. You just route. BTW, .183 is not usable. It's the local broadcast address. On IPv4, the number of usable addresses is the block size - 2, to allow for network and broadcast. In your case it's 8 - 2 = 6.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
NogBadTheBad

Pop the webserver the other side of the firewall and do a 1:1 NAT.

https://doc.pfsense.org/index.php/1:1_NAT

What subnet mask is on the WAN interface, 255.255.255.248 aka /29?

Andy

1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22
ankh

@NogBadTheBad:

Pop the webserver the other side of the firewall and do a 1:1 NAT.

https://doc.pfsense.org/index.php/1:1_NAT

What subnet mask is on the WAN interface, 255.255.255.248 aka /29?

Yes, that's the subnet mask on the WAN interface. The webserver / mailserver / etc. are virtualised, so I am not sure how simple / possible that would be?
ankh

@JKnott:

How many devices do you have on the LAN? If no more than 6, you don't need NAT, which means you don't port forward. You just route. BTW, .183 is not usable. It's the local broadcast address. On IPv4, the number of usable addresses is the block size - 2, to allow for router and broadcast. In your case it's 8 - 2 = 6.

Yes, there are perhaps < 5 (virtual) devices I need to route traffic to on the LAN. And, yes, I remember now being told .183 was broadcast! Coming from a home router background, I only know port forwarding, so will have to have a read up on how one might route the traffic instead - does that mean the internal devices need to be allocated public IP addresses?
NogBadTheBad

You'll need to NAT.

Create some form of DMZ, put the server there and 1:1 NAT or port forward using your WAN address to the host sat in the DMZ, but you'll need to change the ports pfSense runs on: System -> Advanced -> Admin Access.

Andy
JKnott

You'll need to NAT.

Why?? If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it. He has 6 addresses available and no more than 5 devices.
NogBadTheBad

@JKnott:

You'll need to NAT.

Why?? If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it. He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

Andy
JKnott

@NogBadTheBad:

@JKnott:

You'll need to NAT.

Why?? If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it. He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

He said:

My assigned address block is 62.x.x.176-183

That means he has a block of 8 addresses, 6 usable. A /29 mask means 8 addresses. The ISP will route traffic for his addresses to his WAN interface and pfSense will filter appropriately. This is basic networking. Bottom line, addresses in this 62.x.x.176 /29 subnet are what pfSense has to deal with. This is not the same as where someone has a single IPv4 address that has to be shared via NAT.

It amazes me how much people's thinking has been poisoned by NAT being used so much, to the point they fail to understand how things really work. NAT is a hack to get around the IPv4 address shortage and nothing more.
NogBadTheBad

@JKnott:

@NogBadTheBad:

@JKnott:

You'll need to NAT.

Why?? If he has enough addresses in his subnet, there's absolutely no reason to use NAT and reasons why not to use it. He has 6 addresses available and no more than 5 devices.

The address space he wants to use is sat on the WAN side of pfSense, the WAN interface has a /29 subnet mask.

If you NAT the public IP address to a private one you can control what services can hit the end device.

He said:

My assigned address block is 62.x.x.176-183

That means he has a block of 8 addresses, 6 usable. A /29 mask means 8 addresses. The ISP will route traffic for his addresses to his WAN interface and pfSense will filter appropriately. This is basic networking. Bottom line, addresses in this 62.x.x.176 /29 subnet are what pfSense has to deal with. This is not the same as where someone has a single IPv4 address that has to be shared via NAT.

It amazes me how much people's thinking has been poisoned by NAT being used so much, to the point they fail to understand how things really work. NAT is a hack to get around the IPv4 address shortage and nothing more.

So explain where this host is going to sit if he wants it to be accessible via a public IP address?

He also mentioned "Yes, that's the subnet mask on the WAN interface."

Andy
kpa

The piece of information missing here is where this IP block is terminated, in other words what the target IP address for this /29 block is. It looks very much like it's terminated at the ISP router but it's not completely clear. If it was routed to his pfSense he could just use that block on his LAN/OPTx network. If not, and his ISP can't/doesn't want to change the arrangement, then there is no other option than to use VIPs and NAT.
JKnott

How is this any different from what I do on IPv6? I get a /56 prefix from my ISP. PfSense filters it according to the rules and can even split that /56 into multiple /64s on various interfaces. This is exactly the same thing, other than the much smaller address space. His ISP delivers 62.x.x.176 /29 to him. PfSense then passes those addresses onto the LAN, without NAT and without even routing. All it has to do is filter the traffic. Just imagine him directly connecting his network to the ISP, without pfSense. Those addresses would be available to use as is. PfSense, as a firewall, simply protects his network, without having to do any NAT or even routing. As he mentioned, his modem is in bridge mode, with the /29 provided to him.

While I don't know the specific capabilities pfSense has in this regard, pass-through firewalls that do not NAT or route are common in businesses, in exactly the same situation as the OP has: filter the traffic and do nothing else.
NogBadTheBad

@JKnott:

How is this any different from what I do on IPv6? I get a /56 prefix from my ISP.

He's just got a single IPv4 subnet from his ISP and the /29 is allocated to his WAN interface, so there's no choice other than to NAT public to private.

Check out page 220 of the pfSense book, the Example Single IP Address 1:1 Configuration section.

Andy
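The two threads of argument above (JKnott's "block size - 2" arithmetic for the /29, and NogBadTheBad's and kpa's point that a /29 sitting on the WAN interface has to be used through virtual IPs plus 1:1 NAT) can be put together in one small planning script. This is an added example and not pfSense's own code or anything posted in the thread: pfSense writes its own pf.conf from the GUI, so the lines emitted here are plain pf(4) syntax meant to show what "WAN virtual IP + 1:1 NAT + restrictive pass rule" amounts to. The subnet 192.0.2.176/29 (TEST-NET-1) is a stand-in for the thread's 62.x.x.176/29, and the interface name em0, the DMZ host 10.10.10.80 and the port list are assumptions.

```python
# Added example (not pfSense code, not from the thread): plan a 1:1 NAT for one
# address of a /29 that sits on the pfSense WAN interface.  Assumed values:
# 192.0.2.176/29 stands in for 62.x.x.176/29, em0 is the WAN NIC, 10.10.10.80
# is the DMZ host.
import ipaddress


def usable_hosts(cidr):
    """Return (network, broadcast, usable hosts) for an address given in CIDR form.
    For a /29 that is 8 addresses, 6 of them usable: block size - 2."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.network_address, net.broadcast_address, list(net.hosts())


def plan_one_to_one(wan_cidr, gateway, public_ip, private_ip, tcp_ports, wan_if="em0"):
    """Check that public_ip is a free address of the WAN /29 and return the pf
    rules that map it 1:1 to private_ip, allowing only tcp_ports inbound."""
    net = ipaddress.ip_network(wan_cidr, strict=False)
    wan_ip = ipaddress.ip_address(wan_cidr.split("/")[0])
    gw = ipaddress.ip_address(gateway)
    pub = ipaddress.ip_address(public_ip)
    priv = ipaddress.ip_address(private_ip)

    if pub not in net:
        raise ValueError(f"{pub} is not inside the WAN subnet {net}")
    if gw not in net or wan_ip not in net:
        raise ValueError("gateway and WAN address must be inside the WAN subnet")
    # Addresses the thread rules out: network, broadcast, the ISP gateway (.177)
    # and the address pfSense itself uses on WAN (.178).
    reserved = {
        net.network_address: "network address",
        net.broadcast_address: "broadcast address",
        gw: "upstream gateway",
        wan_ip: "pfSense WAN address",
    }
    if pub in reserved:
        raise ValueError(f"{pub} is the {reserved[pub]}; pick another")
    if not priv.is_private:
        raise ValueError(f"{priv} should be an RFC 1918 address on the DMZ")

    ports = ", ".join(str(p) for p in sorted(set(tcp_ports)))
    return [
        # The virtual IP makes pfSense answer ARP for the extra address on WAN
        # (Firewall > Virtual IPs, type "IP Alias", in the GUI).
        f"# ifconfig {wan_if} inet {pub} netmask 255.255.255.255 alias",
        # Bidirectional 1:1 translation (Firewall > NAT > 1:1 in the GUI).
        f"binat on {wan_if} from {priv} to any -> {pub}",
        # Inbound packets are translated before they are filtered, so the filter
        # rules match on the private address; only the listed services pass.
        f"pass in quick on {wan_if} inet proto tcp from any to {priv} "
        f"port {{ {ports} }} flags S/SA keep state",
        f"block in quick on {wan_if} inet from any to {priv}",
    ]


if __name__ == "__main__":
    net, bc, hosts = usable_hosts("192.0.2.178/29")
    print(f"network {net}, broadcast {bc}, {len(hosts)} usable: {hosts[0]}-{hosts[-1]}")
    for line in plan_one_to_one("192.0.2.178/29", "192.0.2.177", "192.0.2.180",
                                "10.10.10.80", [443, 80]):
        print(line)
```

Run as-is it prints the /29 summary and four rule lines for .180. The reserved-address check is the part worth keeping: the same validation applied to .176, .177, .178 or .183 raises an error, which is exactly the set of addresses the thread says cannot carry a server.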
kpa

I quote what he wrote in his first message:

My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space

That's the "LAN" side of his Hitron router and that alone tells me that his ISP is not forwarding the /29 any further and the block is in fact terminated at the Hitron.

Just because you're given a subnet doesn't mean that your ISP is doing the right thing and forwarding the block to your own router; they will more often than not just give you their own router configured exactly as this Hitron here.
JKnott

@kpa:

The piece of information missing here is where this IP block is terminated, in other words what the target IP address for this /29 block is. It looks very much like it's terminated at the ISP router but it's not completely clear. If it was routed to his pfSense he could just use that block on his LAN/OPTx network. If not, and his ISP can't/doesn't want to change the arrangement, then there is no other option than to use VIPs and NAT.

The OP says:

I've just had installed a Hitron router, currently operating in bridge mode, for my Virgin Media Business connection. My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space.

I suspect the .177 is not the router, but the ISP's gateway address.
ankh

@kpa:

The piece of information missing here is where this IP block is terminated, in other words what the target IP address for this /29 block is. It looks very much like it's terminated at the ISP router but it's not completely clear. If it was routed to his pfSense he could just use that block on his LAN/OPTx network. If not, and his ISP can't/doesn't want to change the arrangement, then there is no other option than to use VIPs and NAT.

I'm away from the hardware in question, so this is from memory, but…

The Hitron router uses a GRE tunnel to route traffic from itself to what I believe is the Virgin Media data centre. The target IP address is, I think, 62.x.x.176 (at the far end of the tunnel), with the Hitron sat on .177.

.178-182 are the 5 IP addresses I've been allocated and .183 would be the broadcast address, as mentioned above. I don't know if this gives you any useful info. There's a mini-thread discussing the setup here: http://community.virginmedia.com/t5/QuickStart-set-up-and/Configuring-5x-Static-IP-s/td-p/3355880
JKnott

@kpa:

I quote what he wrote in his first message:

My assigned address block is 62.x.x.176-183. The Hitron router is sat on .177, leaving .178-183 as my usable address space

That's the "LAN" side of his Hitron router and that alone tells me that his ISP is not forwarding the /29 any further and the block is in fact terminated at the Hitron.

Just because you're given a subnet doesn't mean that your ISP is doing the right thing and forwarding the block to your own router; they will more often than not just give you their own router configured exactly as this Hitron here.

What the OP could do is check the MAC address for that .177 address. If it doesn't match the sticker on the modem, it's the ISP's router.
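JKnott's MAC check is the quickest way to settle where the /29 actually terminates, and it is worth doing from the pfSense box itself rather than a laptop, since pfSense is what holds the ARP entry for the gateway. The script below is an added example, not something from the thread or from pfSense: it parses the FreeBSD `arp -an` output format (on pfSense, Diagnostics > ARP Table shows the same data) and compares the gateway's MAC with the one printed on the modem's label. The ARP lines, the gateway 192.0.2.177 (standing in for 62.x.x.177) and all MAC addresses are constructed. One caveat the comparison allows for: cable modems usually carry more than one MAC (the label often shows the CM MAC, the bridged data path may use a neighbouring one), so a match on the vendor prefix alone is reported separately rather than as "not the modem".

```python
# Added example (not from the thread, not pfSense code): decide whether the
# gateway seen on WAN is the modem on the desk or a device beyond it, by
# comparing the ARP entry with the MAC on the modem's label.  All sample data
# below is constructed.
import re

# FreeBSD `arp -an` line, e.g.
# ? (192.0.2.177) at 00:1a:2b:3c:4d:5e on em0 expires in 1164 seconds [ethernet]
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}) on (?P<ifname>\S+)"
)

# Constructed output: 192.0.2.177 stands in for the thread's 62.x.x.177 gateway.
SAMPLE_ARP = """\
? (192.0.2.177) at 00:1a:2b:3c:4d:5e on em0 expires in 1164 seconds [ethernet]
? (10.10.10.80) at 52:54:00:aa:bb:cc on em1 expires in 900 seconds [ethernet]
? (192.0.2.179) at (incomplete) on em0 expired [ethernet]
"""


def normalize_mac(mac):
    """Lower-case, colon-separated form so label and ARP output compare equal."""
    return mac.strip().lower().replace("-", ":")


def gateway_mac(arp_output, gateway_ip):
    """Return (mac, interface) for gateway_ip, or None if it is not resolved.
    Incomplete entries carry no MAC and therefore do not match the pattern."""
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group("ip") == gateway_ip:
            return normalize_mac(m.group("mac")), m.group("ifname")
    return None


def classify_gateway(arp_output, gateway_ip, label_mac):
    """Compare the gateway's MAC with the MAC printed on the modem.
    'modem'       exact match: the gateway address lives on the modem itself
    'same-vendor' only the OUI (first 3 bytes) matches: likely another MAC of
                  the same modem, worth confirming from its status page
    'upstream'    different vendor: the .177 belongs to an ISP device beyond
                  the bridged modem, so the /29 terminates there
    'unresolved'  no complete ARP entry yet; generate traffic and look again"""
    found = gateway_mac(arp_output, gateway_ip)
    if found is None:
        return "unresolved"
    mac, _ifname = found
    label = normalize_mac(label_mac)
    if mac == label:
        return "modem"
    if mac[:8] == label[:8]:
        return "same-vendor"
    return "upstream"


if __name__ == "__main__":
    for label in ("00:1A:2B:3C:4D:5E", "00-1a-2b-00-00-01", "f0:9f:c2:00:00:01"):
        print(label, "->", classify_gateway(SAMPLE_ARP, "192.0.2.177", label))
```

On a live box you would feed the function the real `arp -an` output (for instance `subprocess.run(["arp", "-an"], capture_output=True, text=True).stdout`) and the label from the modem; an "upstream" result is the situation kpa describes, where the block is terminated beyond the modem and only the VIP-plus-NAT arrangement is left.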
JKnott

The target IP address is, I think, 62.x.x.176 (at the far end of the tunnel), with the Hitron sat on .177.

What address do they give you for your default route?
NogBadTheBad

https://www.virginmediabusiness.co.uk/help-and-advice/products-and-services/hitron-router-guide/dynamic-modem-only-mode-user-guide/

They state that once in modem mode only 1 network port will work at a time.

Andy
ankh

@JKnott:

The target IP address is, I think, 62.x.x.176 (at the far end of the tunnel), with the Hitron sat on .177.

What address do they give you for your default route?

When setting up a laptop plugged into one of the Hitron LAN ports to test connectivity, they suggested an IP address of 62.x.x.178, a netmask of 255.255.255.248 and a default GW of 62.x.x.177.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.