
Help with putting pfSense in front of 8 static IPs (public)

General pfSense Questions
22 Posts 6 Posters 1.3k Views
JKnott:

> 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
> 10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

PfSense running on Qotom mini PC
i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
UniFi AC-Lite access point

I haven't lost my mind. It's around here...somewhere...
mlsbraves:

@JKnott:

> 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
> 10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
>
> Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

To each his own I guess. If 80/443 are the only ports needed why expose all ports to the server. I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.
kpa:

@JKnott:

> 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
> 10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
>
> Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

We don't know that yet because the OP hasn't provided any more details of the actual setup. The simplest case would be that the block of IP addresses is routed to his pfSense (the most sensible option) but if it just happens that his ISP is not providing a proper business level service he might get the block terminated at the cable modem.
kpa:

@mlsbraves:

> To each his own I guess. If 80/443 are the only ports needed why expose all ports to the server. I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

Excuse me but you're out of your depth here. Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall. If you have a pfSense sitting between the server and the internet you can do both port forwarding and packet filtering at the same time, to a very great precision.
JKnott:

> Excuse me but you're out of your depth here.

No, I'm not out of my depth.  Why use NAT when you don't have to?  What does it bring, other than added complexity?  NAT was created to get around an IPv4 address shortage.  However, it's become so ingrained that a lot of people seem to think it brings some benefit beyond that.

The "firewall" function of NAT is due to its stateful (necessary to keep track of the connections) nature, just like a regular stateful firewall.
kpa:

I wasn't replying to you JKnott.
mlsbraves:

> Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall.

Maybe I'm misreading something here. Where did I imply that Port Forwarding gave up the control to packet filter?
Derelict (LAYER 8 Netgate):

@mlsbraves:

> @JKnott:
>
> > 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
> > 10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
> >
> > Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.
>
> Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.
>
> To each his own I guess. If 80/443 are the only ports needed why expose all ports to the server. I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

Again, to quote from above, absolute rubbish.

Just because an inside host has a public, routable IP address does not mean the firewall has to pass any any any to that host.

You make a firewall rule on WAN that passes 80/443 to that host. Everything else will be blocked.

This is NO DIFFERENT than what is done when using NAT, except without the abomination that is NAT. (Yes, NAT has its valid uses but they are almost always to overcome some deficiency in network design and it is hopefully just a temporary patch).

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
detox:

mlsbraves -

Thanks for the example!  I have a few questions based on this.
My questions will start with " -> "

> Internet Connection with 5 static IPs
> ISP Gateway: 10.0.0.1
> ISP Usable: 10.0.0.2 - 10.0.0.6
>
> Configure the WAN with 10.0.0.2 /29

->  This would have a netmask of 255.255.255.248 and 6 hosts
    Why this and not a /24?  Does this create better security?

> Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

->  VIP = Virtual IP?  Created in pfSense correct?

> Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.
>
> Example
> 10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)

->  Glad to know I do not lose this, that it can be used as well

> 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)

-> single server with specific ports open

> 10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

-> single server with specific ports open

> 10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)

-> I need to learn more about VPN before I do this.  Yes I agree would be better

> 10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)

->  This public IP will have a router connected for all staff in building (approx 8 and up to 20 on some days)

> You can use the same IP with different ports for other services so you may not need to even use 5.

->  I plan on using equipment in this order:

Web - cable modem
cable modem - pfSense box (Netgate SG-4860)
pfSense - 24 port Ubiquiti Edgeswitch Lite
Edgeswitch - direct connect to servers
           - attach at least 1 router (IP 10.0.0.6) for staff in building

Thanks again for your help!
Derelict (LAYER 8 Netgate):

You are keying on the statements of the poster who doesn't seem to have a complete grasp of the problem at-hand.

Is your public subnet routed or is it simply a network on the WAN interface itself?

It matters.
detox:

Derelict …..

According to Suddenlink, all the static IP's I will be issued are class C /24

Thanks
JKnott:

^^^^
IP classes have been obsolete for many years.  You can have a /24 block anywhere in the address space.  With address classes, a class C network could only be found between 192.0.0.0 and 224.0.0.0.
Derelict (LAYER 8 Netgate):

@detox:

> Derelict …..
>
> According to Suddenlink, all the static IP's I will be issued are class C /24
>
> Thanks

So on the interface itself in a larger subnet than your allocation.

There is no good way to put those addresses directly on servers.

I would 1:1 NAT in that case.

Or I would ask for a routed subnet to an address on that /24.
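The three ways the thread argues over of reaching the same result, "only 80/443 from the Internet reach the web servers", written out side by side as an added example in raw pf syntax (the packet filter pfSense generates its ruleset for): mlsbraves's port forward to private addresses, the plain filter rules on a routed public subnet that JKnott and Derelict describe, and the 1:1 NAT Derelict suggests for the case where the ISP's /24 sits on the WAN link itself. This is not from the thread and not pfSense's own generated rules (in practice these are built under Firewall > Rules, Firewall > NAT and Firewall > Virtual IPs); the interface names, the private addresses, and the RFC 5737 documentation addresses standing in for the thread's 10.0.0.x are assumptions.

```pf
# Added illustration, not the thread's or pfSense's own ruleset.
# Interface names and all addresses are assumed; 203.0.113.0/29 stands in
# for the ISP-issued public block, 192.168.10.0/24 for an inside network.
wan = "igb0"
lan = "igb1"
dmz = "igb2"
ext_web1  = "203.0.113.3"    # public address for webserver 1
ext_web2  = "203.0.113.4"    # public address for webserver 2
int_web1  = "192.168.10.3"   # private addresses, used only by variants B and C
int_web2  = "192.168.10.4"
web_ports = "{ 80, 443 }"

set block-policy drop
set skip on lo0

# Default deny on WAN. This single rule is what makes a public address on an
# inside host "not any any any": nothing reaches it except via a pass rule below.
block in log on $wan all

# The three sections are alternatives for the same two hosts; only one would be
# loaded together with the macros above.

# --- Variant A: routed public subnet, no NAT (JKnott / Derelict) --------------
# The ISP routes 203.0.113.0/29 to pfSense's WAN address; pfSense's DMZ
# interface carries one address of the block as the servers' gateway and the
# servers carry their public addresses themselves. Only 80/443 are passed;
# the filter sees the real destination because nothing is translated.
pass in on $wan proto tcp from any to $ext_web1 port $web_ports flags S/SA keep state
pass in on $wan proto tcp from any to $ext_web2 port $web_ports flags S/SA keep state

# --- Variant B: port forward (rdr) to private addresses (mlsbraves) -----------
# Only 80/443 are rewritten; any other port to the public address never matches
# an rdr and hits the block above. pf filters after translation, so the pass
# rule names the inside address.
rdr on $wan proto tcp from any to $ext_web1 port $web_ports -> $int_web1
rdr on $wan proto tcp from any to $ext_web2 port $web_ports -> $int_web2
pass in on $wan proto tcp from any to $int_web1 port $web_ports flags S/SA keep state
pass in on $wan proto tcp from any to $int_web2 port $web_ports flags S/SA keep state

# --- Variant C: block is on the WAN link itself (ISP /24), 1:1 NAT (Derelict) --
# binat maps one public address to one inside host in both directions, so the
# server's outbound traffic also leaves as 203.0.113.3. The filter still admits
# only 80/443; again the pass rule sees the translated (inside) address.
binat on $wan from $int_web1 to any -> $ext_web1
binat on $wan from $int_web2 to any -> $ext_web2
pass in on $wan proto tcp from any to $int_web1 port $web_ports flags S/SA keep state
pass in on $wan proto tcp from any to $int_web2 port $web_ports flags S/SA keep state
```

`pfctl -nf <file>` parses a ruleset without loading it and is the quickest way to check a hand-written variant. What the three variants share is the default block on WAN plus an explicit 80/443 pass rule; whether the host behind that rule carries a public or a private address changes nothing about which ports an outside scanner can reach, which is the point Derelict and JKnott make. What differs is the address plumbing: in variant A nothing on pfSense needs to answer for the public addresses because the ISP routes the whole /29 to the WAN address, while in variants B and C the extra public addresses live on the shared /24 with the ISP's gateway, so each must also exist on pfSense as a virtual IP (IP alias, or proxy ARP) so the gateway's ARP requests for them get a reply.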
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.