Passing block of public IP's to internal host on ESXi Appliance



  • Hey guys,
    I've done some extensive research and am unable to find the solution to an issue I am having.

    I recently obtained a /29 block of IPs from my ISP. They deliver them virtually to me through my existing connection.

    I'm going to use example IPs to explain my situation.

    My primary IP on my WAN interface is 75.82.108.26
    My gateway is 75.82.108.25
    My netmask is /30

    My ISP has given me a block: 75.82.108.40/29

    I have an ESXi server in my office. It has two NICs on it. The first NIC is used for all my internal resources. As of right now, the second NIC is unused.

    I would like to pass as many usable IPs as possible from my ISP, through pfSense, and assign those public IPs to a cPanel/WHM (CentOS) server in my ESXi server. If I have to use the secondary free NIC to do this, I can.

    Everything I am finding online requires that I keep a LAN IP on my box, and then 1:1 the public IPs to it. I really need these IPs assigned natively to the server itself.

    I think I need to assign 75.82.108.40 to pfSense, and then assign the usable 75.82.108.41-45 to my CentOS box using 75.82.108.41 as the gateway for each IP.

    Any guidance here would be awesome.



  • pfSense can assume other IP addresses via Virtual IPs.

    Your existing network config will have some bearing on what you want to do.  What is currently acting as a router/firewall for your link?  Does it matter if your CentOS box is on a different network than your real LAN?

    Assuming pfSense will be your real firewall/router to your ISP, it's fairly simple to create a second vSwitch (assign your spare NIC to it and then plug your real network switch into the ESXi NIC port) for your ESXi box and then add that as a LAN interface for pfSense and hang your CentOS box off of that LAN.  Add a few Virtual IPs to handle your ISP allotment.  Add whatever required NATs you want, forwarded to your VIPs and you're done.



  • Got it,
    So this will allow me to directly assign some or all of those IPs assigned to me by my ISP through my pfSense box?

    Thank you for the reply!



  • So this will allow me to directly assign some or all of those IPs assigned to me by my ISP through my pfSense box?

    Yes.  I do the exact same thing with a /28.  IP aliases for all of them.



  • Ok, so in your scenario am I going through my existing network? Or am I going from an additional NIC in my pfSense box directly into the secondary NIC with the vSwitch for ESXi/CentOS?

    Right now the CentOS box has an internal IP on my network of 10.20.21.35



  • Before I can answer, you have to realize that for this to work then pfSense will have to become your primary firewall/router.  You didn't answer my previous questions so I don't really know what's going on with your network.  If you have another firewall/router between your cablemodem and pfSense then you have a double NAT config that won't work as you expect.

    The usual configuration would be to use your ESXi box's NICs as the pfSense WAN and LAN.  Plug the WAN NIC into your cablemodem.  Plug the LAN NIC into your physical switch and connect your desktops to that switch.  Create equivalent vSwitches for WAN and LAN and map your pfSense WAN and LAN interfaces to it.  Create a vSwitch called DMZ or whatever, connect it to no NIC, add it as a DMZ interface in pfSense and move the CentOS box to that network so you can segment it away from your LAN.  Then you can create your VIPs and NATs, and map the NATs to the VIPs you want.



  • @KOM:

    Before I can answer, you have to realize that for this to work then pfSense will have to become your primary firewall/router.  You didn't answer my previous questions so I don't really know what's going on with your network.  If you have another firewall/router between your cablemodem and pfSense then you have a double NAT config that won't work as you expect.

    The usual configuration would be to use your ESXi box's NICs as the pfSense WAN and LAN.  Plug the WAN NIC into your cablemodem.  Plug the LAN NIC into your physical switch and connect your desktops to that switch.  Create equivalent vSwitches for WAN and LAN and map your pfSense WAN and LAN interfaces to it.  Create a vSwitch called DMZ or whatever, connect it to no NIC, add it as a DMZ interface in pfSense and move the CentOS box to that network so you can segment it away from your LAN.  Then you can create your VIPs and NATs, and map the NATs to the VIPs you want.

    Sorry, I did neglect to answer that. I am using pfSense as my primary.

    I have fiber, it hands off into a Juniper switch. From there it connects to pfSense. pfSense is handling DHCP, firewall, NAT, etc. It is the edge device for my network, and the only routing device.

    Would you mind showing me a few screenshots of your config?



  • Here is a screen from my host that handles pfSense.  pfSense's WAN is connected to Internet (vSwitch3), and LAN connects to LAN (vSwitch1).




  • @KOM:

    Here is a screen from my host that handles pfSense.  pfSense's WAN is connected to Internet (vSwitch3), and LAN connects to LAN (vSwitch1).

    Ok, the only difference that I have is pfSense is a hardware appliance. I do not have it virtualized.

    WAN --> pfSense --> LAN
                    --> OPT1 (that I intend on passing those virtual IPs through to CentOS)



  • I find pfSense so much better to manage virtually than physically.



  • Once these IPs are assigned under Virtual IPs, would my NAT mappings be 1:1? What will the gateway and netmask be on each IP once they're assigned in my CentOS box?

    Thanks



  • would my NAT Mappings be 1:1?

    Could be, but if you just want to open a port or two then a more specific port forward will do.

    What will the gateway and netmask be on each IP once they're assigned in my CentOS box?

    Gateway would be the IP address of the pfSense interface it's connected to, netmask is usually /24 (255.255.255.0) on a small LAN.



  • Ok,
    So my pfSense installation is not virtual. It is a physical deployment.

    I have three NICs. 1 is the WAN to the fiber carrier, the other is the LAN for my office network, and the last is unused right now.

    I need to pass as many usable IPs as possible from a statically routed /29 range to the NIC on my web server, which is CentOS virtualized on ESXi.

    Thanks



  • This was your original requirement, correct?  So what have you done and what result did you get?  I believe I've already told you everything you need to know to get this working.  Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box.  Boom, done.



  • @KOM:

    This was your original requirement, correct?  So what have you done and what result did you get?  I believe I've already told you everything you need to know to get this working.  Create your Virtual IPs and then either create a port-forward or 1:1 NAT to your CentOS box.  Boom, done.

    Yes, here is a screenshot of the configuration of the Virtual IP Assignment.

    My confusion is at the 1:1 NAT. I do not want to assign a LAN IP to this. I simply want to pass the usable IPs that are statically routed to me through my ISP.

    Thanks

    ![Screen Shot 2017-02-22 at 3.57.43 PM.png](/public/imported_attachments/1/Screen Shot 2017-02-22 at 3.57.43 PM.png)



  • A port-forward / 1:1 NAT must be mapped to something.  In your case you would map it to the local IP of the CentOS box.  That's how it works.  And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.
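    As an added example (not code from this thread or from pfSense), a small Python planner that turns the routed /29 into the IP Alias VIP list and the 1:1 NAT rows described above, and prints the gateway/netmask each DMZ host should be given; the DMZ subnet 172.16.50.0/24 and the host addresses are assumptions.

```python
"""Plan pfSense IP Alias VIPs and 1:1 NAT rows for a statically routed /29.

Added example, not code from the thread or from pfSense. Public addresses are
the thread's examples; the DMZ subnet and DMZ host addresses are constructed.
"""
import ipaddress

WAN_LINK = "75.82.108.26/30"   # pfSense WAN address; ISP gateway is .25
ISP_BLOCK = "75.82.108.40/29"  # block the ISP routes to the WAN address
LAN = "10.20.21.0/24"          # existing office LAN (CentOS box lives here today)
DMZ_IF = "172.16.50.1/24"      # assumed pfSense OPT1/DMZ interface address


def usable_vips(block):
    """Addresses to add as IP Alias VIPs on WAN. hosts() drops network and
    broadcast; on a routed block those are usable too, but stay conservative."""
    return [str(a) for a in ipaddress.ip_network(block).hosts()]


def plan_one_to_one(block, dmz_if, dmz_hosts, wan_link=WAN_LINK, lan=LAN):
    """Pair each public VIP with one DMZ host. Returns rows for Firewall > NAT > 1:1
    plus the gateway/netmask each host itself should be configured with.
    Raises ValueError on subnet overlaps and on hosts outside the DMZ subnet."""
    net = ipaddress.ip_network(block)
    dmz = ipaddress.ip_interface(dmz_if)
    lan_net = ipaddress.ip_network(lan)
    wan_net = ipaddress.ip_network(wan_link, strict=False)
    if net.overlaps(wan_net) or net.overlaps(lan_net):
        raise ValueError("routed block must not overlap the WAN link or the LAN")
    if not dmz.network.is_private or dmz.network.overlaps(lan_net):
        raise ValueError("DMZ must be a private subnet distinct from the LAN")
    vips = usable_vips(block)
    if len(dmz_hosts) > len(vips):
        raise ValueError(f"only {len(vips)} usable VIPs for {len(dmz_hosts)} hosts")
    rows = []
    for vip, host in zip(vips, dmz_hosts):
        addr = ipaddress.ip_address(host)
        if addr not in dmz.network or addr == dmz.ip:
            raise ValueError(f"{host} is not a free address on the DMZ subnet")
        rows.append({"external": vip,                      # IP Alias VIP on WAN
                     "internal": host,                     # 1:1 NAT internal IP
                     "host_gateway": str(dmz.ip),          # pfSense DMZ address
                     "host_netmask": str(dmz.network.netmask)})
    return rows


if __name__ == "__main__":
    for row in plan_one_to_one(ISP_BLOCK, DMZ_IF, ["172.16.50.10", "172.16.50.11"]):
        print(row)
```

    A 1:1 NAT still only passes what the firewall rules on the WAN and DMZ interfaces allow, so each row needs matching rules limited to the ports the CentOS host actually serves.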



  • @KOM:

    A port-forward / 1:1 NAT must be mapped to something.  In your case you would map it to the local IP of the CentOS box.  That's how it works.  And as I mentioned earlier, if you're uncomfortable forwarding traffic to a host on your LAN, then create a DMZ via new interface or VLAN and move your CentOS box there.

    Ok, so I will run a physical ethernet cable between my OPT1 interface and a physical interface on my ESXi Server. I'll assign that interface to CENTOS within the ESXI Controller.

    What will my configuration look like in PFsense?

