"IP Stealing"

xkaas

Hi!

Firstly, I ran some small hosting thing for friends and family, so not in a pro way anyhow.

However, I am wanting to do some locking down of my IP addresses.

What I did was wanting to use PFSense with 1:1 natting (I am talking about exnternal IP addreses here).

However, when installing many of the features my users need, it will bind to their local IP and not the exnternal, as funnily enough, the external is no where to be found on the interface.

My question is, is there anyway i can do this with PFsense? So pretty much just pass a IP somewhere to a server with not a 1:1 nat. Or should I just go back to my old setup?

I found a thread like it, where they suggest to do MAC binding with a layer 3 switch:

http://www.webhostingtalk.com/showthread.php?t=1380328

Thanks!

johnpoz

Well if their boxes are on rfc1918 then yeah services run on that box would bind to the machines IP… Not sure what that has to do with a 1:1 Nat..

If you have a routed netblock, then you could put this behind pfsense and just firewall the ports you don't want open to the IPs behind.

So for example you could allow 80/443 to public IP behind pfsense with simple firewall rule.

How many public IPs do you have, and can this netblock you have be routed to you?

xkaas

Hi.

I have 32 IPs

What I am needing to do is to somehow route a public IP directly to a server internally (Via a 1:1 nat, it doesnt quite work, as many services wont bind to the external IP as its not found on the interface)

I hope it makes sense

Thanks for answering!

johnpoz

Your confused t sounds like to me..

I have a box on 192.168.1.100, its running a web server that listens on 80 on 192.168.1.100

You have a public IP of 1.2.3.4, you create a 1:1 nat of 1.2.3.4 to 192.168.1.100

You allow 80 to pass, 80 hits 1.2.3.4, it gets forwarded to 192.168.1.100..

So these 32 IPs you have is a /27 I would assume - is this /27 routed to you.  If so put the /27 behind pfsense - now there is no natting, not port forwarding, no 1:1.. Your PC can run on 1.2.3.4 directly..

xkaas

Hi again!

Thanks for your answer.

Thats what I am talking about - Passing it through without a 1:1 nat. Sorry for sounding confusing.

For this, I dont want to forward all of the 32 IP's.

Is there anyhow I can for instance only do that with 10 ips?  So PC can run on 1.2.3.4  directly without having the whole subnet routed.

Thanks

johnpoz

Is the current subnet routed? If so then just subnet it.

Break it into 2 /28 you can use 1 as vips on wan for 1:1 and use the other /28 for behind.  Or /28 and 2 /29's… How ever you want to break it up... But your /27 actually needs to be routed to you.. Not just you attached to it.

So you have another transit network and this /27 is routed down that transit.  If so then yeah this is easy peasy lemon squeezy..