Netgate Discussion Forum
    "IP Stealing"

    NAT

    • xkaas

      Hi!

      Firstly, I ran some small hosting thing for friends and family, so not in a pro way anyhow.

      However, I am wanting to do some locking down of my IP addresses.

      What I wanted to do was use pfSense with 1:1 NATting (I am talking about external IP addresses here).

      However, when installing many of the features my users need, it will bind to their local IP and not the external, as funnily enough, the external is nowhere to be found on the interface.

      My question is, is there any way I can do this with pfSense? So pretty much just pass an IP somewhere to a server without a 1:1 NAT. Or should I just go back to my old setup?

      I found a thread like it, where they suggest to do MAC binding with a layer 3 switch:

      http://www.webhostingtalk.com/showthread.php?t=1380328

      Thanks!

      • johnpoz (LAYER 8 Global Moderator)

        Well if their boxes are on RFC 1918 then yeah services run on that box would bind to the machine's IP… Not sure what that has to do with a 1:1 NAT..

        If you have a routed netblock, then you could put this behind pfsense and just firewall the ports you don't want open to the IPs behind.

        So for example you could allow 80/443 to public IP behind pfsense with simple firewall rule.

        How many public IPs do you have, and can this netblock you have be routed to you?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • xkaas

          Hi.

          I have 32 IPs.

          What I am needing to do is to somehow route a public IP directly to a server internally (via a 1:1 NAT it doesn't quite work, as many services won't bind to the external IP as it's not found on the interface).

          I hope it makes sense.

          Thanks for answering!

          • johnpoz (LAYER 8 Global Moderator)

            You're confused, it sounds like to me..

            I have a box on 192.168.1.100, it's running a web server that listens on 80 on 192.168.1.100

            You have a public IP of 1.2.3.4, you create a 1:1 nat of 1.2.3.4 to 192.168.1.100

            You allow 80 to pass, 80 hits 1.2.3.4, it gets forwarded to 192.168.1.100..

            So these 32 IPs you have are a /27 I would assume - is this /27 routed to you? If so put the /27 behind pfSense - now there is no NATting, no port forwarding, no 1:1.. Your PC can run on 1.2.3.4 directly..

            • xkaas

              Hi again!

              Thanks for your answer.

              That's what I am talking about - passing it through without a 1:1 NAT. Sorry for sounding confusing.

              For this, I don't want to forward all of the 32 IPs.

              Is there any way I can, for instance, only do that with 10 IPs? So a PC can run on 1.2.3.4 directly without having the whole subnet routed.

              Thanks

              • johnpoz (LAYER 8 Global Moderator)

                Is the current subnet routed? If so then just subnet it.

                Break it into 2 /28s; you can use 1 as VIPs on WAN for 1:1 and use the other /28 for behind. Or a /28 and 2 /29s… However you want to break it up... But your /27 actually needs to be routed to you.. Not just you attached to it.

                So you have another transit network and this /27 is routed down that transit.  If so then yeah this is easy peasy lemon squeezy..

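The split suggested in the last reply, and the binding problem raised in the first post, as an added worked example (this is not code from the thread or from pfSense). It assumes a constructed /27, 203.0.113.0/27 from the RFC 5737 documentation range, in place of the poster's real block, and 192.168.1.0/24 as the RFC 1918 LAN behind the 1:1 NAT. `split_block` carves the /27 into a /28 plus two /29s (or any other plan) and rejects misaligned or incomplete plans, `plan_addressing` assigns the first piece to WAN VIPs for 1:1 NAT and the rest to the routed side, and `bindable_addresses` shows why a daemon on a 1:1 NAT host can only bind its LAN address while a host on the routed subnet holds the public address itself.

```python
import ipaddress

# Constructed sample values, not from the thread: 203.0.113.0/27 (RFC 5737
# TEST-NET-3) stands in for the poster's real /27, and 192.168.1.0/24 is the
# RFC 1918 LAN that the 1:1 NAT hosts sit on.
PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")
LAN_BLOCK = ipaddress.ip_network("192.168.1.0/24")


def split_block(block, prefixes):
    """Carve `block` into consecutive subnets with the given prefix lengths.

    prefixes=[28, 29, 29] turns a /27 into one /28 and two /29s.  A plan that
    is misaligned (a /28 starting at .8) or that does not use the whole block
    raises ValueError, so the mistake shows up before anything is configured.
    """
    subnets = []
    cursor = int(block.network_address)
    end = int(block.broadcast_address) + 1
    for prefix in prefixes:
        if prefix < block.prefixlen:
            raise ValueError(f"/{prefix} is larger than the parent {block}")
        try:
            # strict mode: the start address must have no host bits set
            net = ipaddress.ip_network((cursor, prefix))
        except ValueError as exc:
            raise ValueError(
                f"/{prefix} cannot start at {ipaddress.ip_address(cursor)}") from exc
        if int(net.broadcast_address) >= end:
            raise ValueError(f"{net} runs past the end of {block}")
        subnets.append(net)
        cursor = int(net.broadcast_address) + 1
    if cursor != end:
        raise ValueError(f"plan leaves {end - cursor} addresses of {block} unused")
    return subnets


def plan_addressing(block=PUBLIC_BLOCK, prefixes=(28, 29, 29)):
    """Assign roles the way the last reply suggests: the first piece becomes
    WAN virtual IPs used for 1:1 NAT, the rest is routed behind pfSense and
    configured directly on the servers."""
    subnets = split_block(block, list(prefixes))
    return {"nat_vips": subnets[0], "routed": subnets[1:]}


def role_of(address, addressing):
    """Which scheme a given public address falls under."""
    addr = ipaddress.ip_address(address)
    if addr in addressing["nat_vips"]:
        return "1:1 NAT VIP on WAN"
    if any(addr in net for net in addressing["routed"]):
        return "routed, lives on the host"
    return "outside the block"


def one_to_one_map(vip_subnet, lan_subnet, count):
    """Pair the first `count` VIPs with LAN hosts, i.e. the 1:1 NAT entries.
    hosts() skips network and broadcast; for a VIP block that is not the WAN
    interface's own subnet those two addresses would be usable as well."""
    vips = list(vip_subnet.hosts())[:count]
    lan_hosts = list(lan_subnet.hosts())[:count]
    return {str(v): str(l) for v, l in zip(vips, lan_hosts)}


def bindable_addresses(public_ip, addressing, nat_map):
    """Addresses a daemon on the server behind `public_ip` can actually bind.

    Under 1:1 NAT the public address exists only as a VIP on pfSense's WAN, so
    the server sees nothing but its LAN address (the first post's complaint).
    On the routed subnet the public address sits on the server's own
    interface, so the daemon binds it directly.
    """
    role = role_of(public_ip, addressing)
    if role.startswith("1:1"):
        lan = nat_map.get(str(ipaddress.ip_address(public_ip)))
        return [lan] if lan else []
    if role.startswith("routed"):
        return [str(ipaddress.ip_address(public_ip))]
    return []


if __name__ == "__main__":
    addressing = plan_addressing()
    nat_map = one_to_one_map(addressing["nat_vips"], LAN_BLOCK, 4)
    for net in [addressing["nat_vips"], *addressing["routed"]]:
        print(net, "->", role_of(net.network_address + 1, addressing))
    for ip in ("203.0.113.2", "203.0.113.20"):
        print(ip, "binds:", bindable_addresses(ip, addressing, nat_map))
```

Whichever plan is chosen, the whole /27 still has to be routed to the pfSense WAN by the upstream provider for the "routed" pieces to work; the split only decides which addresses are VIPs on WAN and which are handed to hosts behind the firewall.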