DHCP 5 Fixed IP
-
I just got a new Internet connection, with 5 fixed IP addresses.
Problem is I have never seen a setup like what the provider is suggesting.
They issue IPs by DHCP, using your MAC address to ensure you get the same fixed IP every time.
Sounds OK... but how do you do that with pfSense being connected to their appliance?
They provide a single RJ45 connection, which I plug into the pfSense WAN port.
They have provided a single IP address, because I present a single MAC address.
What they suggested was to plug their RJ45 cable into a switch and then have 5 devices plugged into a switch. That sounds stupid to me.
Is there some way I can appear to have 5 devices (virtual interface or something?) so the firewall can get five IP addresses?
-
Did they say you had to use all 5 for some reason? I think they supply 5 for those that don't have a router but do have multiple devices. Personally I'd just use one for a period of time, then spoof a MAC address in pfSense, which should cause the next of the 5 to be used, and continue that 3 more times until all 5 were used. Which would, to some extent, increase your security by changing your external WAN IP, thus causing any hacker to have to work a little bit harder.
It would seem the days of a truly dynamic WAN IP are going by the wayside. Bummer!
Good Luck!
-
RCN offers this, and my friend has it. What you need is an inexpensive dirty side switch between your pfSense box and the cable modem. You may plug additional devices into the switch and they will each get a routable public IP address. An unmanaged 8 port gigabit switch will do the trick, or even a 10/100 switch if the available bandwidth is below 100Mbps.
For example, you could keep a commodity Wifi router hooked up and still have net access when you bring down your primary firewall. You could keep a VOIP device connected and retain telephone service while your pfSense box reboots. Right now my friend has a high end Cisco device connected that is part of a lab he and his co-workers are setting up at disparate locations, including a CoLo in another state. Having spare public IPs is an excellent feature.
-
@geyser said in DHCP 5 Fixed IP:
What they suggested was to plug their RJ45 cable into a switch and then have 5 devices plugged into a switch. That sounds stupid to me.
It's not stupid if you have additional devices that need direct internet access. Then it's great. If you don't have that need presently, I see no reason to use more than one address.
I managed to nag enough to get 4 IPs and I'm super happy for them when being able to preconfigure VPN-nodes locally before on-site deployment, when testing equipment and for a primitive firewall redundancy (unfortunately automatic failover isn't supported for DHCP WAN, even when they, as here, are semi-static).
-
Looks like my best option is to set up a pfSense box with multiple ports, plugged into a dirty switch like @bfeitell mentions.
We need multiple incoming IP addresses for email; different IP addresses are used for different incoming email servers.
So either a pfSense box with multiple ports, or use multiple pfSense boxes for each public IP address.
Certainly different than anything I have set up before.
-
You can also set up multiple WAN interfaces on a single pfSense box, but things get a little weird where all the WAN IPs share a common gateway upstream. My friend uses a secondary WAN for web traffic that is port forwarded to a web server on a restricted vlan inside.
-
Urgh, yeah that's ugly.
They have to be DHCP? No way to get static IPs?
I have seen similar setups where we used CARP VIPs to get additional MAC addresses but you can't set them to DHCP and the upstream device may reject CARP MACs anyway.
Steve
-
@geyser said in DHCP 5 Fixed IP:
with 5 fixed IP addresses.
Are they all in the same L3 network? Or do you get them from all over the place? What is the mask on the IP you get?
If they are creating reservations for your MACs for the IPs - once they have been given you can just set up these other IPs as VIPs on your 1 interface. pfSense is not going to let you set up another interface getting an IP in the same network as the 1st interface. At least not static - might let you if DHCP? Anything other than VIP would require a switch.
-
You could bridge the WAN to an internal interface and have clients there pull IPs directly from your ISP.
You can still filter the traffic across the bridge.
Steve