Netgate Discussion Forum
    Help with putting pfSense in front of 8 static IPs (public)

    General pfSense Questions
    22 Posts 6 Posters 1.3k Views
    • JKnott

      You should only NAT through the traffic

      NAT is a hack to get around the IPv4 address shortage.  As for security, it does nothing that a properly configured firewall can't do.  With a firewall, you normally start with everything blocked and then open only what you need.  How is that any different than setting up port forwarding through NAT?  There are also problems with NAT, in that it breaks some protocols.

      With the move to IPv6, there is no need for NAT, as there are plenty of addresses to go around.  This means you just configure the firewall as appropriate and not worry about port forwarding etc.

      BTW, on IPv6, the smallest prefix an ISP is supposed to provide, /64, contains 18.4 billion, billion addresses!  No need for NAT.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • mlsbraves

        @detox:

        I am getting a block of 8 (eight) static IPs for work (I am at a non-profit agency) from my internet provider and am clueless on how to put pfSense between these and the cable modem.

        When you request static IPs from your ISP they will ask how many you need and assign you the correct block that you need. You can't get 8 usable IPs but you can get 13. Typically, small businesses get a /30 (1 usable), /29 (5 usable), or /28 (13 usable). You can use an online subnet calculator that will help you better understand this and give you all the CIDR and subnet info you need. Check out http://www.subnet-calculator.com/

        @detox:

        As an example, the 8 static IPs will be 1-8 and will be serving various functions (again this is example)
        IP 1 = webserver
        IP 2 = webserver
        IP 3 = FreeNas server
        IP 4 = router servicing multiple local users
        IP 5 = router servicing multiple local users

        etc.

        So can someone tell me how to do this?

        I could build 8 PfSense boxes ( 1 for each public IP) connecting all PfSense boxes to unmanaged switch then to cable modem but thought that would be silly

        No need to have multiple boxes. You can use all those IPs through a single box any way you need. Here's an example from the information provided above:

        Internet Connection with 5 static IPs
        ISP Gateway: 10.0.0.1
        ISP Usable: 10.0.0.2 - 10.0.0.6

        Configure the WAN with 10.0.0.2 /29

        Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

        Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

        Example
        10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)
        10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
        10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
        10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
        10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)

        You can use the same IP with different ports for other services so you may not need to even use 5.

        @detox:

        Would I connect all static IPs (if multiple appliances, using an unmanaged switch) to a layer 3 switch using one port for each IP and activating DHCP, then the layer 3 switch to pfSense and out to the cable modem?

        In the example above you only need to plug your cable modem directly into the WAN port of pfSense to use all your IPs. It will be up to you if you only need one LAN on the inside or would like to use multiple internal networks. If you are using unmanaged switches then you will need a switch and a port on pfSense for each LAN. If you get a layer 2 switch then you only need one switch and one LAN port. I generally always put a webserver on a different network but it depends on your setup. Don't make your network topology more complex than it needs to be.

        • JKnott

          10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
          10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

          Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.


          • mlsbraves

            @JKnott:

            10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
            10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

            Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

            Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

            To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

            • kpa

              @JKnott:

              10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
              10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

              Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

              We don't know that yet because the OP hasn't provided any more details of the actual setup. The simplest case would be that the block of IP addresses is routed to his pfSense (the most sensible option) but if it just happens that his ISP is not providing a proper business level service he might get the block terminated at the cable modem.

              • kpa

                @mlsbraves:

                To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

                Excuse me but you're out of your depth here. Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall. If you have a pfSense sitting between the server and the internet you can do both port forwarding and packet filtering at the same time to a very great precision.

                • JKnott

                  Excuse me but you're out of your depth here.

                  No, I'm not out of my depth.  Why use NAT when you don't have to?  What does it bring, other than added complexity?  NAT was created to get around an IPv4 address shortage.  However, it's become so ingrained that a lot of people seem to think it brings some benefit beyond that.

                  The "firewall" function of NAT is due to its stateful (necessary to keep track of the connections) nature, just like a regular stateful firewall.


                  • kpa

                    I wasn't replying to you, JKnott.

                    • mlsbraves

                      Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall.

                      Maybe I'm misreading something here. Where did I imply that Port Forwarding gave up the control to packet filter?

                      • Derelict LAYER 8 Netgate

                        @mlsbraves:

                        @JKnott:

                        10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                        10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

                        Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

                        Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

                        To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

                        Again, to quote from above, absolute rubbish.

                        Just because an inside host has a public, routable IP address does not mean the firewall has to pass any any any to that host.

                        You make a firewall rule on WAN that passes 80/443 to that host. Everything else will be blocked.

                        This is NO DIFFERENT than what is done when using NAT, except without the abomination that is NAT. (Yes, NAT has its valid uses but they are almost always to overcome some deficiency in network design and it is hopefully just a temporary patch).

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        • detox

                          mlsbraves -

                          Thanks for the example!  I have a few questions based on this.
                          My questions will start with " -> "

                          Internet Connection with 5 static IPs
                          ISP Gateway: 10.0.0.1
                          ISP Usable: 10.0.0.2 - 10.0.0.6

                          Configure the WAN with 10.0.0.2 /29

                          ->  This would have a netmask of 255.255.255.248 and 6 hosts
                              Why this and not a /24?  Does this create better security?

                          Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

                          ->  VIP = Virtual IP?  Created in pfSense, correct?

                          Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

                          Example
                          10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)

                          ->  Glad to know I do not lose this, that it can be used as well

                          10.0.03 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                          -> single server with specific ports open

                          10.0.04 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
                          -> single server with specific ports open

                          10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
                          -> I need to learn more about VPN before I do this.  Yes I agree would be better

                          10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)
                          ->  This public IP will have a router connected for all staff in building (approx 8 and up to 20 on some days)

                          You can use the same IP with different ports for other services so you may not need to even use 5.

                          ->  I plan on using equipment in this order:

                          Web - cable modem

                          cable modem - PfSense box (Netgate SG-4860)

                          PfSense - 24 port Ubiquiti Edgeswitch Lite

                          Edgeswitch - direct connect to servers
                                            - attach at least 1 router (IP 10.0.0.6) for staff in building

                          Thanks again for your help!

                          • Derelict LAYER 8 Netgate

                            You are keying on the statements of the poster who doesn't seem to have a complete grasp of the problem at hand.

                            Is your public subnet routed or is it simply a network on the WAN interface itself?

                            It matters.


                            • detox

                              Derelict …..

                              According to Suddenlink, all the static IPs I will be issued are class C /24

                              Thanks

                              • JKnott

                                ^^^^
                                IP classes have been obsolete for many years.  You can have a /24 block anywhere in the address space.  With address classes, a class C network could only be found between 192.0.0.0 and 224.0.0.0.


                                • Derelict LAYER 8 Netgate

                                  @detox:

                                  Derelict …..

                                  According to Suddenlink, all the static IPs I will be issued are class C /24

                                  Thanks

                                  So on the interface itself in a larger subnet than your allocation.

                                  There is no good way to put those addresses directly on servers.

                                  I would 1:1 NAT in that case.

                                  Or I would ask for a routed subnet to an address on that /24.

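The two options argued over in this thread (a routed public block with plain pass rules, versus on-link addresses handled with VIPs plus port forwards or 1:1 NAT) side by side, as an added pf.conf sketch that is not from the thread and not a pfSense export: pfSense runs FreeBSD pf but generates its own ruleset from the GUI, so this is hand-written for illustration. The interface names, the 203.0.113.8/29 routed block, the 192.168.10.0/24 LAN and the VPN port are assumptions; the 10.0.0.x values follow mlsbraves' example.

```pf
# Hand-written pf.conf sketch for the thread's scenario (not a pfSense export).
# Assumptions: WAN em0, LAN em1, DMZ em2; ISP block 10.0.0.0/29 on the WAN
# link (gw 10.0.0.1, pfSense 10.0.0.2) as in mlsbraves' example; the routed
# block 203.0.113.8/29 and the 192.168.10.0/24 LAN are constructed values.
ext_if   = "em0"
lan_if   = "em1"
dmz_if   = "em2"
lan_net  = "192.168.10.0/24"
web1_int = "192.168.10.11"    # webserver 1 behind NAT (on-link case)
web1_vip = "10.0.0.3"         # its Virtual IP on WAN
nas_int  = "192.168.10.20"    # FreeNAS behind 1:1 NAT
nas_vip  = "10.0.0.5"
web2_dmz = "203.0.113.10"     # webserver 2 with a real public address (routed case)
vpn_port = "1194"             # assumed OpenVPN over UDP on the NAS

set skip on lo0

# ---- Translation (pf evaluates these before the filter rules) ----
# Outbound NAT for the LAN, the same thing pfSense's automatic outbound NAT does.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Case 2 (block is on-link on WAN): port forward 80/443 on the VIP to the
# internal webserver. Only these ports are ever translated inbound.
rdr on $ext_if inet proto tcp from any to $web1_vip port { 80, 443 } -> $web1_int

# Case 3 (Derelict's "1:1 NAT" option): map every port of the NAS to its VIP.
# binat translates both directions; the filter below still decides what enters.
binat on $ext_if inet from $nas_int to any -> $nas_vip

# ---- Filter ----
block in log all
pass out quick keep state

# Case 1 (routed public subnet): webserver 2 carries 203.0.113.10 on the DMZ.
# No NAT at all, yet the firewall only passes 80/443, exactly as with NAT:
# a routable inside address does not mean "pass any any any".
pass in on $ext_if inet proto tcp from any to $web2_dmz port { 80, 443 } flags S/SA keep state

# Case 2: filter rules match the translated (internal) address after rdr.
pass in on $ext_if inet proto tcp from any to $web1_int port { 80, 443 } flags S/SA keep state

# Case 3: despite 1:1 NAT, only the VPN port is reachable from the Internet;
# SMB/NFS and the NAS web UI stay closed to the outside.
pass in on $ext_if inet proto udp from any to $nas_int port $vpn_port keep state

# LAN users reach the Internet; the DMZ webserver may not initiate into the LAN
# (quick is required here because pf is last-match-wins without it).
pass in on $lan_if inet from $lan_net to any keep state
block in quick on $dmz_if inet from $web2_dmz to $lan_net
pass in on $dmz_if inet from $web2_dmz to any keep state
```

In all three cases the exposed surface is decided by the pass rules, not by whether NAT is in play; `pfctl -nf /path/to/pf.conf` will parse the file without loading it.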

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.