Noob Questions - How to handle multiple WAN IP addresses?



  • Hi there,  forgive me for my noob'ness when it comes to setting up firewalls for this, but I wanted to know if I can do what I need to do with pfSense, and if so what is the best way to do it.

    I have 5 servers that are colocated with a data center.  A couple are web servers running Apache, with virtual hosts.  Each server has its own IP address that the data center has provided, and in the case of the web servers, additional IP addresses have been allocated to support their abilities to serve through SSL.

    I am now trying to install one dedicated Firewall between the Internet and these servers.  I can move all of the servers onto their own subnet to allow for this, but I need the Firewall to be able to support all of the IP addresses that have been allocated to these boxes (WAN IP addresses) but have them all go through the one Firewall.  I tried to set up Smoothwall Express to do this, and then realized that it will only allow one IP address on the 'RED' interface, which is fine if this was for a home network with one external IP address, but in my case I need to secure a cluster of servers with their own IP addressing.

    So the question is:

    1.  Can pfSense handle this?  It looks like it can as I can see multiple Interfaces there (WAN, Opt1, Opt2, etc.).  If so, can I grow the number of interfaces (add an Opt3, Opt4, etc)?  I have eight (8) IP addresses I need to support.

    2.  Am I going about this correctly by assuming each IP address is its own interface, but running on the same NIC?

    3.  Am I missing something in regards to routing or how this should be set up and making incorrect assumptions on what I have to do, and/or what the firewalls can handle?

    Thanks in advance for any advice and suggestions.

    V



  • 1: Yes pfSense can do this.

    2: Unless you're using VLANs, the multiple IPs are all on the same interface, but not separate "interfaces".
    These additional IPs are under "firewall" -> "Virtual IPs"

    3: Depending on what kind of additional IPs you have on the WAN you can use CARP or PARP type VIPs.
    http://forum.pfsense.org/index.php/topic,7001.0.html might help you.



  • @GruensFroeschli:

    1: Yes pfSense can do this.

    2: Unless you're using VLANs, the multiple IPs are all on the same interface, but not separate "interfaces".
    These additional IPs are under "firewall" -> "Virtual IPs"

    3: Depending on what kind of additional IPs you have on the WAN you can use CARP or PARP type VIPs.
    http://forum.pfsense.org/index.php/topic,7001.0.html might help you.

    Thanks for the info.  Sounds like it will work.  I installed it on my server, but I have a 4 port PCI NIC in there (Zynix I think it is), and it doesn't look like pfSense is recognizing the NIC.  It's a 1U Rack box with only one PCI slot for an Ethernet NIC in it, and no onboard NIC.  So I have to use cards that have multiple RJ45 sockets on them.

    Are there any resources around that list hardware compatibility for NICs for pfSense?  Or anything I can do to try and get my card recognized?

    V



  • I would highly suggest using Intel Server NICs; they are very fast and can come with 4 port interfaces. Not cheap, but they will work.

    http://www.newegg.com/Product/ProductList.aspx?Submit=ENE&N=2052810027 50001157 1128209698&name=4 x RJ45



  • @vladtheimpaled:

    Are there any resources around that list hardware compatibility …

    http://www.pfsense.org/index.php?option=com_content&task=category&sectionid=9&id=28&Itemid=47

