NAT Between Public Static WAN IP and LAN IP
-
Hello,
I've been encountering a problem with my pfSense setup for a while now, and after spending weeks looking around online was not able to find a solution. I think I have a somewhat weird/unideal setup, which might be part of the problem.
I have a gateway (Technicolor C2100T with Centurylink) with a static IP address (referred to by 60.x.x.110). I also lease an extra small block of static IP addresses from Centurylink - 60.x.x.105-109 are usable, and there is also 60.x.x.111 which is a broadcast IP, and x.x.x.104 which has some other role. I recently set up a pfSense box (hosted in a Watchguard Firebox x1250e) in order to play with pfSense, firewalls, and NAT and try to get some more experience in using them. My current setup looks like this:
Centurylink gateway (C2100T, public IP 60.x.x.110, internal IP 10.0.2.1) –> pfSense firewall (WAN IP 10.0.2.2 with gateway of 10.0.2.1, DCHP --> LAN IP 10.0.0.2) --> 10.0.0.X subnet of servers/desktops
I'm fairly sure that this probably isn't a great way to handle this setup, and that the current centurylink gateway should be in bridge mode so that pfSense can handle the actual routing. However, I wasn't sure how to accomplish that while also giving the ability to use my public/static IP addresses on servers within my networks, and I host a couple services from my network which I would really prefer to not be down for the time it would take me to switch it to bridge mode and get everything set up and working on pfSense.
Currently, all I have to do to use the static IP addresses is set them on any of my machines (IP of 60.x.x.105-109, subnet of 255.255.255.248(/29), and gateway of 60.x.x.110), which obviously doesn't work when the firewall is in the way. I've been trying to set up virtual IPs on the firewall with those static IP addresses, so that I can use 1:1 NAT to make them accessible outside of my network. So far that hasn't worked. I have a test IP address set up as a virtual IP, with the IP address 60.x.x.109, subnet /29 (like in previous working setup) on the WAN interface, and strangely, it can ping external hostnames (google.com worked), but not the 60.x.x.110 gateway address. I also cannot ping the 60.x.x.109 virtual IP from either within or outside of my network, even after setting up 1:1 NAT to go from the 60.x.x.109 to an internal address (10.0.0.241).
Is there something I missed during this setup? I was hoping it would be somewhat simple to get these public IPs set up and working, but so far it has been out of my reach. Would it be easier and faster to just switch the Centurylink router into bridge mode to remove a layer of complexity?
Thanks!
![Untitled Diagram.jpg](/public/imported_attachments/1/Untitled Diagram.jpg)
![Untitled Diagram.jpg_thumb](/public/imported_attachments/1/Untitled Diagram.jpg_thumb)
![pfSense VIP.PNG](/public/imported_attachments/1/pfSense VIP.PNG)
![pfSense VIP.PNG_thumb](/public/imported_attachments/1/pfSense VIP.PNG_thumb) -
Hi, Zindarato:
That's a lot of NAT. You don't need so much NAT with CenturyLink. I've got a very similar setup, but with a different modem. Fortunately CL designed the UI for their modems, so it doesn't much matter which brand or which model. The only real difference in the UI is that some options may be missing for some models.
CL's modems are massively complex. They're designed to do everything any homeowner or small business owner might possibly want to do, and it's all enabled by default. Personally, I just want it do do one thing–translate between DSL and Ethernet. We swapped modems today and I now have a Zyxel C3000Z and holy crap! I'm still not sure it's configured 100% correctly, but it works for me and it works for my hosting customers.
CL likes PPPoE, at least in my neighborhood. This complicates things and uses up a public IP address. And there's nothing in the setup that explicitly says my other public IP addresses will appear on the Ethernet side of the modem, but they do for me. This is what I've done.
First, the modem's admin IP address (on the Ethernet side) is 192.168.0.1 and I don't see anyway to change it (which is a good thing). So with the pfSense firewall between the modem and my internal networks I cannot use the 192.168.0.0/24 network or I'd never see the modem. In pfSense under "Interfaces / WAN" I've got "Block private networks and loopback addresses" checked. Traffic to/from the modem gets through anyway. No worries, CL will drop any of those packets that manage to leak past the modem.
The necessary modem magic seems to be in the "Advanced Setup" section. I've attached a cropped screenshot of mine (advanced_settings_menu.png).
Start with "WAN Settings" shown in the other screenshot (WAN_settings.png). The magic is in section 3. We both have a 3-bit block of public IP addresses. Mine is 71.x.x.112/29, yours is 60.x.x.104/29. I think of them as the 0th address through the 7th address. Of course 0th and 7th are not usable. The 0th address is the network address and used when you want to refer to the whole block (with the /29 to show block size). The 7th is the broadcast address. CL likes to see the 6th address used for the modem (mine is 71.x.x.118 while yours is 60.x.x.110), which leaves 1st through 5th for us to use. I've arbitrarily chosen my 1st address for pfSense's WAN interface, and of course I've had to tell pfSense the gateway is the modem's address. I'm not sure I need "LAN DHCP Addressing" set the way I have it. And since the modem is not getting it's settings from CL's DHCP server (CL doesn't roll that way) I have to set the DNS servers in section 4. I think the router is bridging by the simple fact that I've told it that it has a "Block of Static IP Addresses".
Going back to menu screenshot work your way down the list.
-
Dynamic DNS – don't need it with static IPs
-
DHCP Settings – don't need or want DHCP on the network between the modem and the pfSense box -- so disable it.
-
DHCP Reservation & DNS Host Mapping & LAN Subnets – either ignored (because DHCP is off), or pfSense can do it better -- disable if you've previously enabled anything.
-
Remote GUI & Remote Console – I keep mine turned off.
-
Routing – pfSense (and another router behind the modem) do all the routing I need. However CL says: "Dynamic Routing can be used if a gateway is set up behind the modem." Of course their explanation is obtuse, but I think they mean another gateway to the Internet.
-
Application Forwarding & Port Forwarding – as near as I can tell, these do exactly the same thing (either based on a name, or on numbers). However with a block of public IP addresses I don't need or want this -- so I leave it disabled.
-
DMZ Hosting – more advanced magic that pfSense does better -- leave it disabled.
-
IPv4 Firewall & IPv6 Firewall – kill it with fire now! Lest it confuse the heck out of you later when you can't figure out why your pfSense rules are not letting people connect to your severs. The proper setting is "Security Level: Disabled"
-
NAT – disabled. We want public addresses on both sides of the router, and pfSense will do all the NAT (and filtering) we could possibly stand. Did get a popup of death telling me I'd get hacked if I disabled it, but the only thing between modem and pfSense is the modem's configuration interface, which lives on Ethernet and only responds to 192.168.0.1, so no way someone can connect from anywhere but from behind the pfSense box. Still, I think if it were enabled it probably wouldn't do squat. It's only going to NAT 192.168.0.0/24.
I've also turned off the radio for WiFi (both bands). It's outside the pfSense box so it's kinda worthless.
pfSense
Set the WAN interface to one of your remaining public IP addresses (1st through 5th). In "Firewall / Virtual IPs" tell it about the remaining public IP addresses. However I've left one spare. While troubleshooting it's kinda nice to be able to plug directly into that network between modem and pfSense box, so you can see what the public sees when they look in from the outside. In my case it's 1st address for pfSense WAN, 2nd, 3rd, and 4th for virtual IPs, and 5th left open (for now) for debugging.
From here you can do bridging, 1:1 NAT, or whatever else works. I've found that while port forwarding can be pinned down to a virtual IP, it's sometimes problematic. I run VR worlds that keep a heartbeat with a metaserver. The metaserver gets the world server's IP and port, then advertises that to the clients (people & bots). When the world server initiates a connection, the NAT used with port forwarding sends the connection out on the WAN IP, except port forwarding is listening on a virtual IP (not pfSense's fault, what else is it supposed to do?). However 1:1 NAT nails all traffic between a virtual IP and a DMZ address together. Can't get 1:1 NAT to reflect properly though, but I haven't tried setting my virtual IPs using CARP. That might work.
Best of luck and let us know how it's worked out.
-
-
Thank you so much, that information is extremely helpful! I'll be attempting to make those changes when I get back home later in the evening, and I'll post back to say whether I got it working or not. Great to hear from someone else who has a similar setup! I'm still amazed and thrilled that Centurylink actually offers static IP addresses to residential customers, I previously had Comcast and they absolutely refuse to do the same.
-
I started DSL (1 Mbps symmetric) and static IPs back in '99 and paid a fortune. Used CenturyLink (US West in those days) for the DSL and another local ISP for the IPs and connection to the internet (transparent bridging through a little Cisco modem). A few years later switched to CL (US W, or maybe Qwest by then) for everything. To get the the static block from them I was also compelled to buy professional support, an extra $15 per month. Had a different phone number than regular support. No menu. Phone would ring once, maybe twice, and a 2nd tier tech would say "Hello." It was awesome. Yesterday the support lady said I could still buy professional support for $15 a month.
-
Thanks so much for the help! I've replicated your exact setup, but unfortunately I'm still having problems and I don't know why.
When you said you pointed your pfSense WAN interface to the router/modem for the gateway, did you point it to the 192.168.0.1 address or the public IP address (71.x.x.x in your case)? I've actually tried it both ways (with my interface assigned 60.x.x.109), but I'm not able to ping any IP address, and DNS doesn't resolve. It is plugged directly in to the router, so its confusing to me that it doesn't work.
When I set the router up with DHCP and give pfSense DHCP assigned address, it works fine. It also works if I set a static IP on pfsense, as long as its the same subnet as the router/modem (10.0.2.1 in my case).
Any other ideas as to why it still wouldn't be working?
Maybe I should also look into pro support! It would be handy to have, especially at that low of a price. What speeds are you currently getting? The best CL had in my area was 80/40, which is decent (especially for upload), but I wish they had fiber in my area.
Thanks so much!
-
I have discovered my problem! I still don't fully understand why, but apparently using LAN subnets on the modem/router breaks public IP assignment. I had set up my pfSense interface on a particular LAN subnet that was different from the modem/router's default interface. Once I removed that special subnet and switched the gateway for pfSense's interface to the new IP address, everything worked correctly! Thanks for your help!
-
I had set up my pfSense interface on a particular LAN subnet that was different from the modem/router's default interface.
Yep, that would do it. You can't have the same subnet on both sides of a router.