Netgate Discussion Forum

    How to Configure 3 IP's & Internet Restriction????

    General pfSense Questions
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Ok, how are you using the public IPs in the 180 subnet? Do you have services running on those?

      I would put pfSense as close to the ISP connection as possible. It's not clear to me what the D-Link switch in the diagram is doing. I assume that's the ISP supplied L3 switch. It has one port in use for you to connect to, how is the incoming connection from the ISP connected?
      If that is just Ethernet I would want to connect that directly to the pfSense WAN and deal with everything else from there.
      You could use the 180 subnet directly on an internal pfSense interface if you need internal machines to have public IPs. Or you could add those IPs as VIPs and NAT them to specific internal machines using a private IP.

      Steve

      • slkamathS
        slkamath @stephenw10
        last edited by

        @stephenw10
        Thank you Stephen.

        I think the public IPs you are talking about are the 192.192 series. As per one of my friend's info I configured that. A few days back I came to know that it is wrong, so I will change it.

        Initially ISP provided 2 Media Converters.

        1 for ILL (Internet Lease Line)

        2 for P2P (Point to Point connection)

        1 year back they changed that media converter to 8 port L3 Dlink Switch.
        Port 1 Connected as ILL (Internet Lease Line) and Port 2 Connected as P2P (Point to Point).

        If I connect the Ethernet cable directly to pfSense then it will not work. If I connect to pfSense through the 1st port of the 8-port D-Link switch it will work (I checked it).

        We don't need internal machines with 180 series IPs other than pfSense (we are using all these 180 IPs only for Internet purposes).

        Through pfSense, how can I allow the things below?

        1. Full Internet for 5 People
        2. Proxy Internet for 30 People (if they don't set the proxy, Internet should not work)
        3. Nearly 80 People (including Internet users) are using mails with SSL/TLS Port 995 & 993

        Please guide me.

        Thanks in advance.

        Lokesh Kamath

        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          OK. I would expect to be able to connect pfSense to the P2P connection directly but without knowing how that's configured it will be impossible.
          So I would connect the pfSense WAN interface to the L3 switch. Use 203.x.x.154 as the WAN IP and 203.x.x.153 as the WAN gateway. You haven't specified the subnet there but it is probably something very small like /30.

          Then connect the pfSense LAN port directly to the private subnet for the clients via one L2 switch. Use pfSense as DHCP and DNS as it is configured by default unless you have a good reason not to.

          You are using 192.192.x.x as the subnet there but that is invalid, it's not a private subnet. You must use 192.168.x.x if you're using a 192 IP there so probably 192.168.0.1/24 as the pfSense LAN IP.

          It looks like the ISP is just routing that 180 subnet to you so you can use that or not use it however you please.

          Assign the 5 users who need unfiltered access static DHCP mappings so they always get the same IP. Add those IPs to an alias.
          Put in a firewall rule on LAN to pass traffic from that alias to anywhere.
          Put in other firewall rules on LAN below that to block all traffic from the LAN subnet with destination ports 80 or 443. That will prevent anyone accessing the web directly and force them to use the proxy.

          Steve
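
The LAN rule order described in the post above, as an added example that is not part of the original thread or pfSense's own code: a first-match evaluator showing why the alias pass rule must sit above the 80/443 block, plus a check that 192.192.x.x is outside RFC 1918. The alias addresses and the final "LAN to any" pass rule are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")   # LAN subnet suggested in the thread
# Constructed static-DHCP addresses for the 5 unfiltered users (the "AllowIP" alias).
ALLOW_IP = {ipaddress.ip_address(f"192.168.0.{n}") for n in range(11, 16)}

# LAN rules in top-down order: (action, source matcher, destination ports; None = any).
RULES = [
    ("pass",  lambda src: src in ALLOW_IP, None),
    ("block", lambda src: src in LAN,      {80, 443}),
    ("pass",  lambda src: src in LAN,      None),   # assumed default "LAN to any" rule
]

def evaluate(src, dport, rules=RULES):
    """Return the action of the first matching rule; unmatched traffic is blocked."""
    src = ipaddress.ip_address(src)
    for action, match_src, ports in rules:
        if match_src(src) and (ports is None or dport in ports):
            return action
    return "block"

def is_rfc1918(cidr):
    """True only if the network lies inside one of the three RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr)
    blocks = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
    return any(net.subnet_of(ipaddress.ip_network(b)) for b in blocks)

if __name__ == "__main__":
    # Constructed test traffic: one full-access user, one filtered user.
    for src, port in [("192.168.0.12", 443), ("192.168.0.50", 443),
                      ("192.168.0.50", 993), ("192.168.0.50", 995)]:
        print(f"{src}:{port} -> {evaluate(src, port)}")
    # Same rules with the block moved to the top: the alias no longer helps.
    swapped = [RULES[1], RULES[0], RULES[2]]
    print("misordered, full-access user on 443 ->",
          evaluate("192.168.0.12", 443, swapped))
    for cidr in ("192.192.0.0/24", "192.168.0.0/24"):
        print(cidr, "is RFC 1918:", is_rfc1918(cidr))
```

Filtered users still reach mail on 993 and 995 because only ports 80 and 443 are blocked before the general pass rule.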

          • slkamathS
            slkamath @stephenw10
            last edited by

            @stephenw10
            Thanks Stephen.

            If you want me to provide the IPs, I can provide them.

            The subnet you mentioned is 100% correct.

            203 series /30 subnet
            180 series /29 subnet
            and local LAN I change from 192.192 to 192.168 /24

            Lokesh Kamath

            • stephenw10S
              stephenw10 Netgate Administrator
              last edited by

              Ok, then I would arrange it as I outlined above.

              I imagine you're paying for that 180 /29 subnet and I can't see where you're using it at all. You could probably cancel it and save money but I'd make sure the new setup works as expected before you do that in case you find you need more public IPs.

              Steve

              • slkamathS
                slkamath @stephenw10
                last edited by

                @stephenw10
                Thank you Stephen.

                We are not paying anything for those public IPs; they are bundled in the Fiber Connection (8 Public IP's free).

                I will eliminate the 180 series, configure it, and let you know the result in 2 days.

                Once again, thanks for your time; all your suggestions are very much appreciated.

                Lokesh Kamath

                • JKnottJ
                  JKnott
                  last edited by

                  @slkamath said in How to Configure 3 IP's & Internet Restriction????:

                  (8 Public IP's free)

                  6 usable. With IPv4, you lose one to the network address and one for the broadcast address.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • slkamathS
                    slkamath @JKnott
                    last edited by

                    @jknott
                    Thanks for your info.

                    I think only 5 are usable; 1 is for the gateway.

                    Lokesh Kamath

                    • slkamathS
                      slkamath @stephenw10
                      last edited by slkamath

                      @stephenw10

                      Stephen Thank you very much.

                      It is working very well.

                      I was very much confused initially but you cleared my confusion and solved my issue. Big Thank you. 👍 👍 👍 ☺ ☺ 😄 😄

                      WAN- 203 Series
                      LAN - 192 Series (192.192. series will change in few days to 192.168.) Currently Windows DC is running in that 192.192 series. So will change in few days.

                      Please find the below picture and let me know any changes required.

                      Firewall Rules
                      0_1536128136230_Firewall Rules.png

                      7th Rule - AllowIP is set of IP's who have Full Internet Access.

                      Thank you very much once again. No words to express my gratitude Stephen.

                      Lokesh Kamath

                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        No problem.

                        Since you have those additional IPs anyway you can use them however you wish. Use the whole subnet on an internal interface. Add the individual IPs as VIPs on the WAN and NAT to/from them. Or just don't use them.

                        Steve

                        • slkamathS
                          slkamath @stephenw10
                          last edited by

                          @stephenw10
                          Thank you Stephen.

                          Ok, Sure.

                          Lokesh Kamath.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.