Netgate Discussion Forum

    Mapping ISP provided Static IP to MAC addresses -behind Pfsense

    General pfSense Questions
    22 Posts 3 Posters 1.9k Views
    • JKnottJ
      JKnott
      last edited by

      @stephenw10 said in Mapping ISP provided Static IP to MAC addresses -behind Pfsense:

      Can they use the same MAC for both IPs?

      If he used a static config, he could use aliases. However, I thought he had to provide the MAC to Telus, which means they'd be using a DHCP server with static mapping. Try assigning 2 IPs to a MAC in pfSense and see what happens. Hint - It's not allowed.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • R
        ros81
        last edited by

        Thanks @stephenw10 and @JKnott

        1. You are right... The ISP does not allow using the same MAC for both IPs. I'm trying to get this escalated in TELUS.

        2. WAN router is bridged to PFSense box.

        3. I was reading about creating virtual IPs in pfSense for the non-DMZ server public IP and then creating NAT 1:1... I'll be testing in a few hours. Hopefully, it works. Let me know any suggestions.

        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          If you need two MACs you will have to bridge the WAN with another NIC so the server pulls the IP from Telus directly.
          Is that an option for you? You have a NIC you can use to connect the server?

          You can still filter traffic across the bridge.

          There is also at least one truly horrendous hack you might deploy if all else fails. 😉

          Steve

          • R
            ros81
            last edited by

            Guess there are more people asking the same question, and they are on TELUS...
            https://www.reddit.com/r/networking/comments/4u3sn3/isp_delivers_static_ips_via_dhcp_reservation/

            • R
              ros81 @stephenw10
              last edited by ros81

              @stephenw10 I want to keep the server behind the pfSense. So I'm not sure how to achieve what you are suggesting.

              WAN (Public IP1) --Bridged--> PFSense (with VLANs) -> switches and server(on vlan).
              Public IP2 for the server.

              How do I associate Public IP2 with the server, since the public IP2 requires a DHCP reservation for the server?

              • JKnottJ
                JKnott @ros81
                last edited by

                @ros81 said in Mapping ISP provided Static IP to MAC addresses -behind Pfsense:

                I was reading about creating virtual IPs in pfSense for the non-DMZ server public IP and then creating NAT 1:1... I'll be testing in a few hours. Hopefully, it works. Let me know any suggestions.

                Please forget NAT. It's a borked solution, as johnpos would say. Here's some info on setting up pfSense as a transparent firewall. This is the sort of solution you need, not NAT.

                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  Do you have an additional interface on pfSense you can use for this?

                  Or is the server on a separate VLAN? Could it be?

                  The best solution for you here is to put the server in a sort of DMZ bridged to the WAN. So:

                  WAN (Public IP1)--> PFSense (with VLANs) -> switches - LAN clients
                                        |
                                        |_ Voip server (Public IP2)
                  

                  The VoIP server is set as DHCP and pulls its IP from Telus directly.

                  Steve

                  • R
                    ros81 @stephenw10
                    last edited by

                    @stephenw10 Thanks... The server is on a separate VLAN.
                    Are you suggesting to do this?

                    202e11f4-67c7-4401-9559-d98f9bc5e758-image.png

                    Or this diagram...
                    106eb183-2123-4c33-a81d-c644b1151403-image.png

                    If diagram 2, can the ISP see the MAC address on the other NIC card in the pfSense box?

                    • R
                      ros81
                      last edited by

                      Either way, I don't feel comfortable leaving the Voice Server on DMZ. Thanks guys for your suggestions, but do you have any other suggestions?

                      • JKnottJ
                        JKnott @ros81
                        last edited by

                        @ros81 said in Mapping ISP provided Static IP to MAC addresses -behind Pfsense:

                        Thanks guys for your suggestions, but do you have any other suggestions?

                        Only the correct one, that is a transparent firewall, as I suggested. I provided a link to that pfSense article for doing that. With it, Telus will be able to assign IP addresses to the MAC addresses, as required.

                        • stephenw10S
                          stephenw10 Netgate Administrator
                          last edited by stephenw10

                          It would be like the 2nd diagram. You would set the server VLAN interface as IPv4 type none then create a bridge with it and WAN in.

                          Now it's in the same layer 2 segment as the WAN so can pull an IP directly from Telus using its own MAC.

                          I'm not sure why you would not want to do that. You can still filter all the incoming and outgoing traffic to it.

                          The other suggestions I have are last ditch style. Do you have a spare NIC you can use in that system?

                          Steve

                          • R
                            ros81 @stephenw10
                            last edited by

                            @stephenw10 Thanks... I like your idea about diagram 2. (You said this can be achieved without an additional NIC card, but just with VLAN.) Can you explain how to do it?
                            I have another NIC too..

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by stephenw10

                              Yeah it's like I said you can bridge the VLAN the server is on to the WAN. So:

                              Edit the server VLAN interface and set it to v4 type none.

                              Create a new bridge in Interfaces > Assignments > Bridges and add the WAN and the server VLAN interface to it.

                              Set the server to be a DHCP client.

                              Make sure you have firewall rules on the server VLAN interface to allow the DHCP client traffic. And any other traffic you may need. Be aware that rules using 'Server net' will no longer be valid since that interface no longer has an IP or subnet.

                              Add rules to WAN to allow whatever traffic you need to reach the VoIP server.

                              Steve
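
The check below is an added example, not code from the thread or from the pfSense project: it scans a configuration export for filter rules that still reference the subnet alias of a bridge member with no IPv4 address, the situation the post above warns about for 'Server net'. It also flags the matching interface-address alias, which goes beyond the post. The element names, interface names, and port numbers in the constructed sample are assumptions about the config.xml layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements this check reads. The element
# names are an assumed config.xml layout, not something shown in the thread.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr><ipaddr>dhcp</ipaddr></wan>
    <lan><if>igb1</if><descr>LAN</descr><ipaddr>192.168.1.1</ipaddr></lan>
    <opt1><if>igb1.30</if><descr>SERVER</descr></opt1>
  </interfaces>
  <bridges><bridged><members>wan,opt1</members><bridgeif>bridge0</bridgeif></bridged></bridges>
  <filter>
    <rule><interface>opt1</interface><protocol>udp</protocol>
      <source><any/></source><destination><any/><port>67</port></destination>
      <descr>DHCP client to ISP</descr></rule>
    <rule><interface>opt1</interface>
      <source><network>opt1</network></source><destination><any/></destination>
      <descr>Server net outbound</descr></rule>
    <rule><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source><destination><network>opt1ip</network><port>5060</port></destination>
      <descr>SIP to server</descr></rule>
  </filter>
</pfsense>"""

def stale_net_rules(config_xml):
    """Return (rule description, alias) for rules that use the 'net' or 'address'
    alias of a bridge member that has no IPv4 address configured."""
    root = ET.fromstring(config_xml)
    members = set()
    for bridged in root.iter("bridged"):
        members.update(m.strip() for m in (bridged.findtext("members") or "").split(","))
    # A member with a missing or empty <ipaddr> has no subnet for aliases to resolve to.
    no_ip = {name for name in members
             if name and not (root.findtext(f"interfaces/{name}/ipaddr") or "").strip()}
    findings = []
    for rule in root.iter("rule"):
        for side in ("source", "destination"):
            alias = (rule.findtext(f"{side}/network") or "").strip()
            # Assumed convention: "<name>ip" is the interface-address alias.
            base = alias[:-2] if alias.endswith("ip") else alias
            if base in no_ip:
                findings.append((rule.findtext("descr") or "(no description)", alias))
    return findings

if __name__ == "__main__":
    for descr, alias in stale_net_rules(SAMPLE_CONFIG):
        print(f"rule '{descr}' references '{alias}', which has no IPv4 subnet")
```

Rules flagged this way need their source or destination replaced with an explicit address or alias, since the bridged interface no longer defines one.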

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.