Att business fiber public address routing.
-
Got it mostly worked out; the only thing is, what is the best way to map my public address and/or addresses to my LAN OPT?
I know 1:1 can, but what are the downsides? Will it break my site-to-site?
Can I just use NAT rules? If so, a little help would be great.
-
If you have more than 1 public IP, NAT 1:1 is best. Use the 2nd IP for 1:1.
If you have only one public IP, use port forwarding to forward specific ports to your LAN clients.
Using 1:1 with 1 public IP will break your WAN connection because all the traffic will be forwarded to the internal IP.
-
Not sure I understand. I have a /29 block and just want to give one to my WAN traffic, being that I am using the /30 transport IP for the WAN address to connect to ATT.
NAT 1:1 to the LAN will break the LAN, from my understanding.
I know it should be possible but not sure why it will not work right. Now I may just put an L3 between ATT and pfSense.
-
If you have a /29 block, this means you have more than one public IP.
Assign them as VIPs:
https://docs.netgate.com/pfsense/en/latest/book/firewall/virtual-ip-addresses.html#ip-alias
Then set up 1:1 NAT; it will work smoothly.
-
@Zawi said in Att business fiber public address routing.:
Using 1:1 with 1 public IP will break your WAN connection because all the traffic will be forwarded to the internal IP.
I actually decided to test this before replying because, while I believed this was not true, I did not want to respond without trying it for myself. Your statement is incorrect. Connections that are initiated from inside the network open the connection and will be replied to in kind.
-
@Zawi right, I did try the VIP and it still passes traffic as the CR address, or as most call it the transport network, which can get out fine.
-
@chpalmer let me see what I can do Monday; at this rate I will just use an L3 to route my transport.
I thought that did not sound right but I was not sure with pfSense.
-
This is from a few years ago. Maybe some of the info is still relevant.
http://www.dslnuts.com/discussion/index.php/topic,6394.0.html
I assume you are trying to use pfSense behind the U-verse router?
-
@chpalmer no, have a 3903x with fiber right to my pfSense; they hand off with a serial link, or they call it that.
Have a /30 and a /29; the /30 is really just for connecting to ATT from any device WAN port, and the publics have a static route that says any from the /29 send to the /30 in ATT's network.
-
/30 is outside the same subnet as the /29?
https://docs.netgate.com/pfsense/en/latest/nat/index.html
-
No.
-
I did get the 1:1 to work; did not test it fully, but was reading it will break the VPN connection.
So if I map the LAN subnet with VLAN to one of my public addresses it will work, right?
-
Ah.. https://docs.netgate.com/pfsense/en/latest/nat/using-1-1-nat-on-a-wan-ip-address.html
"Yes, 1:1 NAT may be used from the WAN IP address to an internal IP address. But be aware that this maps every port and services on the firewall will no longer be reachable from the outside. To reach the firewall from the outside, port forward entries must be added to negate the 1:1 NAT for the specific ports on the firewall to be reached."
-
That is fine, that is easy enough to deal with. I guess I read that differently, thank you for the slap on my head.
I will test this out Monday.
-
Good luck!
-
Yeah, cannot get NAT 1:1 and IPsec with port forwards to work right.
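-
Added example, not part of any post in this thread and not pfSense code: a simplified Python model of the behaviour in the documentation quote above, where a 1:1 entry on the WAN IP maps every port and port forwards hand individual services back to the firewall. The addresses, the function names and the rule that port forwards are matched before 1:1 entries are assumptions of the model.

```python
from ipaddress import ip_address

# Constructed addresses (documentation ranges), not taken from the thread.
WAN_IP = ip_address("198.51.100.2")    # firewall's own WAN address
VIP = ip_address("203.0.113.2")        # extra public IP added as a virtual IP
INTERNAL = ip_address("192.168.1.10")  # LAN host behind the 1:1 mapping

# Traffic an IPsec endpoint on the firewall must receive: IKE, NAT-T, ESP.
IPSEC_FLOWS = [("udp", 500), ("udp", 4500), ("esp", None)]


def translate(proto, dport, dst, one_to_one, port_forwards):
    """Return where an inbound packet is delivered in this simplified model.

    Assumption: port forwards are matched before 1:1 mappings, which is how
    a port forward can "negate" a 1:1 entry for one service.
    """
    for pf in port_forwards:
        if (pf["dst"], pf["proto"]) == (dst, proto) and pf["dport"] in (None, dport):
            return pf["target"]
    return one_to_one.get(dst, dst)  # 1:1 maps every protocol and port


def lost_ipsec_flows(one_to_one, port_forwards, fw_ip=WAN_IP):
    """IPsec flows addressed to the firewall that end up somewhere else."""
    return [(p, d) for p, d in IPSEC_FLOWS
            if translate(p, d, fw_ip, one_to_one, port_forwards) != fw_ip]


def negate(proto, dport, fw_ip=WAN_IP):
    """Port forward that hands one service back to the firewall itself."""
    return {"dst": fw_ip, "proto": proto, "dport": dport, "target": fw_ip}


if __name__ == "__main__":
    on_wan = {WAN_IP: INTERNAL}
    udp_only = [negate("udp", 500), negate("udp", 4500)]
    print("1:1 on WAN IP, no forwards:", lost_ipsec_flows(on_wan, []))
    print("UDP forwards only:", lost_ipsec_flows(on_wan, udp_only))
    print("UDP + ESP forwards:",
          lost_ipsec_flows(on_wan, udp_only + [negate("esp", None)]))
    print("1:1 on a VIP instead:", lost_ipsec_flows({VIP: INTERNAL}, []))
```

In this model a 1:1 entry on a separate virtual IP leaves the firewall's own address untouched, while a 1:1 entry on the WAN IP needs every IPsec flow, including ESP, handed back explicitly.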