Netgate Discussion Forum

    Help with putting PfSense in front of 8 static IP (public)

    General pfSense Questions
    22 Posts 6 Posters 1.3k Views
    • D
      detox

      hello,
      This probably is covered somewhere, but I am at a loss on how to search google for the answer.

      I use PfSense at home for my two local networks (internet is cable modem w/ dhcp connection) and really appreciate the power of its protection.

      I want to expand its use.  I am getting a block of 8 (eight) static IP's for work. ( I am at a non-profit agency)  from my internet provider and am clueless on how to put pfsense between these and the cable modem.

      As an example, the 8 static ip's will be 1-8 and will be serving various functions (again this is example)
      IP 1 = webserver
      IP 2 = webserver
      IP 3 = FreeNas server
      IP 4 = router servicing multiple local users
      IP 5 = router servicing multiple local users

      etc.

      So can someone tell me how to do this?

      I could build 8 PfSense boxes ( 1 for each public IP) connecting all PfSense boxes to unmanaged switch then to cable modem but thought that would be silly

      Would I connect:  all static IP's (if multiple appliances using unmanaged switch)
                                  to a  layer 3 switch using one port for each IP and activating dhcp
                                  then the layer 3 switch to PfSense and out to the cable modem?

      Thanks for any help

      • DerelictD
        Derelict LAYER 8 Netgate

        You can do that if they ROUTE that /29 to you. You would have 5 addresses available for server interfaces in that case. (8 minus network, broadcast, and pfsense interface)

        If those addresses are on the WAN interface itself (which I suspect will be the case), the single best solution is to use 1:1 NAT between them and the servers. The servers will be on the inside on private addresses.

        There might be other possibilities, all progressively uglier, but what is available depends on what the ISP is actually provisioning for you.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • C
          conor

          Derelict is absolutely correct: never put public IPs directly on a server; always put them on a firewall and NAT through what you need, and outbound NAT only what you need/want.

          200+ pfSense installs - best firewall ever.

          • DerelictD
            Derelict LAYER 8 Netgate

            That is not at all what I said.

            I said it depends on how it is actually provisioned. Trying to shoehorn an unrouted address on WAN to a server behind the router is simply a matter of compromise since you cannot do it "correctly." Some of the compromises are fairly nasty.

            There is NOTHING wrong with putting a routable address directly on a server. In fact that should be the norm, not the exception, but we have depletion, scarcity, idiotic ISPs, and NAT instead.

            • D
              detox

              Thanks so much for the info.  I will call Suddenlink and find out exactly what type of address they will issue.  Once I get the info I'll post it here

              • C
                conor

                Apologies to Derelict for misrepresenting his reply.

                However, I disagree on putting a routable IP on a server. You should only NAT through the traffic you need. Otherwise, if you have, say, a web server and a developer accidentally introduces a vulnerability that allows a web form to run a command, then with a firewall NATting through connections and only permitting out replies to those connections, that vulnerable script can't be used to launch, say, an SSH brute force attack against a third-party server off site. While a developer shouldn't create a vulnerability, they happen, and when they do they shouldn't be allowed to be used to attack third-party sites.

                Also, for scalability, having them behind NAT permits you in future to deploy load balancing or have a dual server setup for upgrades etc. rather than taking it offline.

                • K
                  kpa

                  @let_me_help_you_break_that:

                  Apologies to Derelict for misrepresenting his reply.

                  However, I disagree on putting a routable IP on a server. You should only NAT through the traffic you need. Otherwise, if you have, say, a web server and a developer accidentally introduces a vulnerability that allows a web form to run a command, then with a firewall NATting through connections and only permitting out replies to those connections, that vulnerable script can't be used to launch, say, an SSH brute force attack against a third-party server off site. While a developer shouldn't create a vulnerability, they happen, and when they do they shouldn't be allowed to be used to attack third-party sites.

                  Also, for scalability, having them behind NAT permits you in future to deploy load balancing or have a dual server setup for upgrades etc. rather than taking it offline.

                  Absolute rubbish. It makes zero difference if the server has a public routable IP address or an RFC1918 NAT'ed address. The access control you have on the firewall can allow or deny traffic just the same regardless of the type of addresses used. If your server gets infected by malware etc. it can still launch the attacks to the outside world; NAT doesn't offer any more help there and the firewall is in the same position to allow or deny the attacks, public or RFC1918 addresses.

                  In a professional environment NAT is an unnecessary extra complication that should be avoided; configuration of the firewall is much simpler when you don't have to take the NAT into account in firewall rules.

                  • JKnottJ
                    JKnott

                    You should only NAT through the traffic

                    NAT is a hack to get around the IPv4 address shortage.  As for security, it does nothing that a properly configured firewall can't do.  With a firewall, you normally start with everything blocked and then open only what you need.  How is that any different than setting up port forwarding through NAT?  There are also problems with NAT, in that it breaks some protocols.

                    With the move to IPv6, there is no need for NAT, as there are plenty of addresses to go around.  This means you just configure the firewall as appropriate and not worry about port forwarding etc.

                    BTW, on IPv6, the smallest prefix an ISP is supposed to provide, /64, contains 18.4 billion, billion addresses!  No need for NAT.

                    PfSense running on Qotom mini PC
                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                    UniFi AC-Lite access point

                    I haven't lost my mind. It's around here...somewhere...

                    • M
                      mlsbraves

                      @detox:

                      I am getting a block of 8 (eight) static IP's for work. ( I am at a non-profit agency)  from my internet provider and am clueless on how to put pfsense between these and the cable modem.

                      When you request static IPs from your ISP they will ask how many you need and assign you the correct block that you need. You can't get 8 usable IPs but you can get 13. Typically, small businesses get a /30 (1 usable), /29 (5 usable), or /28 (13 usable). You can use an online subnet calculator that will help you better understand this and give you all the CIDR and subnet info you need. Check out http://www.subnet-calculator.com/

                      @detox:

                      As an example, the 8 static ip's will be 1-8 and will be serving various functions (again this is example)
                      IP 1 = webserver
                      IP 2 = webserver
                      IP 3 = FreeNas server
                      IP 4 = router servicing multiple local users
                      IP 5 = router servicing multiple local users

                      etc.

                      So can someone tell me how to do this?

                      I could build 8 PfSense boxes ( 1 for each public IP) connecting all PfSense boxes to unmanaged switch then to cable modem but thought that would be silly

                      No need to have multiple boxes. You can use all those IPs through a single box any way you need. Here's an example from the information provided above:

                      Internet Connection with 5 static IPs
                      ISP Gateway: 10.0.0.1
                      ISP Usable: 10.0.0.2 - 10.0.0.6

                      Configure the WAN with 10.0.0.2 /29

                      Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

                      Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

                      Example
                      10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)
                      10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                      10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
                      10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
                      10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)

                      You can use the same IP with different ports for other services so you may not need to even use 5.

                      @detox:

                      Would I connect:  all static IP's (if multiple appliances using unmanaged switch)
                                                  to a  layer 3 switch using one port for each IP and activating dhcp
                                                  then the layer 3 switch to PfSense and out to the cable modem?

                      In the example above you only need to plug your cable modem directly into the WAN port of pfSense to use all your IPs. It will be up to you if you only need one LAN on the inside or would like to use multiple internal networks. If you are using unmanaged switches then you will need a switch and a port on pfsense for each LAN. If you get a layer 2 switch then you only need one switch and one LAN port. I generally always put a webserver on a different network but it depends on your setup. Don't make your network topology more complex than it needs to be.
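
The address counts quoted in this thread (5 server addresses for a routed /29; 1, 5 and 13 usable for a /30, /29 and /28 on the WAN segment) can be reproduced and an address plan checked with a short script. This is an added example, not part of any post: the 10.0.0.0/29 block and 10.0.0.1 gateway are the placeholder values from the post above, the function names are illustrative, and giving pfSense the first free address is an assumption.

```python
import ipaddress


def on_wan_plan(block, isp_gateway):
    """Block sits on the WAN segment itself; the ISP gateway uses one host address."""
    net = ipaddress.ip_network(block)
    gateway = ipaddress.ip_address(isp_gateway)
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    if gateway not in hosts:
        raise ValueError(f"{gateway} is not a host address in {net}")
    customer = [h for h in hosts if h != gateway]
    # Assumption: first customer address goes on the pfSense WAN interface,
    # the rest are added as virtual IPs (for 1:1 NAT or port forwards).
    return {"pfsense_wan": customer[0], "virtual_ips": customer[1:]}


def routed_plan(block):
    """Block is routed to pfSense, which is the gateway on an inside interface."""
    hosts = list(ipaddress.ip_network(block).hosts())
    # Assumption: pfSense takes the first host address on that interface.
    return {"pfsense_inside": hosts[0], "server_addresses": hosts[1:]}


def usable_on_wan(block, isp_gateway):
    """Addresses left for the customer, counting the pfSense WAN address."""
    return 1 + len(on_wan_plan(block, isp_gateway)["virtual_ips"])


def validate(block, reserved, assignments):
    """Return a list of problems found in a {name: address} plan for this block."""
    net = ipaddress.ip_network(block)
    taken = {ipaddress.ip_address(a): why for a, why in reserved.items()}
    problems, seen = [], {}
    for name, text in assignments.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            problems.append(f"{name}: {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address")
        elif addr in taken:
            problems.append(f"{name}: {addr} is taken by the {taken[addr]}")
        elif addr in seen:
            problems.append(f"{name}: {addr} is already assigned to {seen[addr]}")
        else:
            seen[addr] = name
    return problems


# Constructed inputs based on the placeholder addresses used in the thread.
BLOCK, GATEWAY = "10.0.0.0/29", "10.0.0.1"
RESERVED = {GATEWAY: "ISP gateway"}
FIVE_ADDRESS_PLAN = {"pfSense WAN": "10.0.0.2", "webserver 1": "10.0.0.3",
                     "webserver 2": "10.0.0.4", "FreeNas": "10.0.0.5",
                     "staff router": "10.0.0.6"}
ONE_TO_EIGHT = {f"device {i}": f"10.0.0.{i}" for i in range(1, 9)}

if __name__ == "__main__":
    for prefix in (30, 29, 28):
        print(f"/{prefix} on WAN:", usable_on_wan(f"10.0.0.0/{prefix}", GATEWAY), "usable")
    print("routed /29 servers:", len(routed_plan(BLOCK)["server_addresses"]))
    print("five-address plan:", validate(BLOCK, RESERVED, FIVE_ADDRESS_PLAN) or "ok")
    for problem in validate(BLOCK, RESERVED, ONE_TO_EIGHT):
        print("1-8 plan:", problem)
```
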

                      • JKnottJ
                        JKnott

                        10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                        10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

                        Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

                        • M
                          mlsbraves

                          @JKnott:

                          10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                          10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

                          Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

                          Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

                          To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

                          • K
                            kpa

                            @JKnott:

                            10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                            10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

                            Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

                            We don't know that yet because the OP hasn't provided any more details of the actual setup. The simplest case would be that the block of IP addresses is routed to his pfSense (the most sensible  option) but if it just happens that his ISP is not providing a proper business level service he might get the block terminated at the cable modem.

                            • K
                              kpa

                              @mlsbraves:

                              To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

                              Excuse me but you're out of your depth here. Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall. If you have a pfSense sitting between the server and the internet you can do both port forwarding and packet filtering at the same time to a very great precision.

                              • JKnottJ
                                JKnott

                                Excuse me but you're out of your depth here.

                                No, I'm not out of my depth.  Why use NAT when you don't have to?  What does it bring, other than added complexity?  NAT was created to get around an IPv4 address shortage.  However, it's become so ingrained that a lot of people seem to think it brings some benefit beyond that.

                                The "firewall" function of NAT is due to its stateful (necessary to keep track of the connections) nature, just like a regular stateful firewall.

                                • K
                                  kpa

                                  I wasn't replying to you JKnott.

                                  • M
                                    mlsbraves

                                    Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall.

                                    Maybe I'm misreading something here. Where did I imply that Port Forwarding gave up the control to packet filter?

                                    • DerelictD
                                      Derelict LAYER 8 Netgate

                                      @mlsbraves:

                                      @JKnott:

                                      10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                                      10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

                                      Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

                                      Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

                                      To each his own I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for webservices but also have local services that need to be accessed locally. In the end each setup is different but this is fairly typical.

                                      Again, to quote from above, absolute rubbish.

                                      Just because an inside host has a public, routable IP address does not mean the firewall has to pass any any any to that host.

                                      You make a firewall rule on WAN that passes 80/443 to that host. Everything else will be blocked.

                                      This is NO DIFFERENT than what is done when using NAT, except without the abomination that is NAT. (Yes, NAT has its valid uses but they are almost always to overcome some deficiency in network design and it is hopefully just a temporary patch).

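
The disagreement in this thread comes down to whether the rule set or the address type decides what reaches, and leaves, a server. The model below is an added example, not from any post and not pfSense code: it assumes first-match, default-deny rule evaluation with port forwards applied before the WAN rules, and every address (documentation ranges), rule set and function name is constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "action src dst proto dports")  # dports None = any port


def _in(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def decide(packet, rules):
    """First matching rule wins; anything unmatched is blocked (default deny)."""
    for r in rules:
        if (_in(packet.src, r.src) and _in(packet.dst, r.dst)
                and r.proto == packet.proto
                and (r.dports is None or packet.dport in r.dports)):
            return r.action
    return "block"


def port_forward(packet, forwards):
    """Destination NAT, applied before the filter rules see the packet."""
    inside = forwards.get((packet.dst, packet.proto, packet.dport))
    return packet._replace(dst=inside) if inside else packet


# Constructed addresses: public web address, its private twin, a client, a third party.
PUBLIC_WEB, PRIVATE_WEB = "203.0.113.11", "192.168.10.11"
CLIENT, THIRD_PARTY = "198.51.100.7", "192.0.2.50"

# Routed block: the server holds the public address, the WAN rule names it directly.
ROUTED_WAN = [Rule("pass", "any", PUBLIC_WEB + "/32", "tcp", {80, 443})]
# NAT: the public address is a virtual IP, the WAN rule names the translated target.
NAT_FORWARDS = {(PUBLIC_WEB, "tcp", p): PRIVATE_WEB for p in (80, 443)}
NAT_WAN = [Rule("pass", "any", PRIVATE_WEB + "/32", "tcp", {80, 443})]
# The "pass any any any" rule that nobody in the thread recommends.
ANY_ANY_WAN = [Rule("pass", "any", PUBLIC_WEB + "/32", "tcp", None)]


def egress_rules(server_ip):
    """Rules on the server-side interface: only outbound HTTPS is allowed."""
    return [Rule("pass", server_ip + "/32", "any", "tcp", {443})]


def inbound_results(rules, forwards=None, ports=(22, 80, 443, 445, 3389)):
    """Decision for an Internet client probing the public address on each port."""
    results = {}
    for port in ports:
        pkt = Packet(CLIENT, PUBLIC_WEB, "tcp", port)
        if forwards:
            pkt = port_forward(pkt, forwards)
        results[port] = decide(pkt, rules)
    return results


def outbound_ssh(server_ip):
    """Decision for the server opening SSH to an off-site host."""
    return decide(Packet(server_ip, THIRD_PARTY, "tcp", 22), egress_rules(server_ip))


if __name__ == "__main__":
    print("routed, 80/443 rule:", inbound_results(ROUTED_WAN))
    print("NAT, 80/443 forward:", inbound_results(NAT_WAN, NAT_FORWARDS))
    print("routed, any-any    :", inbound_results(ANY_ANY_WAN))
    print("SSH out, public    :", outbound_ssh(PUBLIC_WEB))
    print("SSH out, private   :", outbound_ssh(PRIVATE_WEB))
```

With the same narrow rules, the routed and NAT cases give identical inbound and outbound decisions; only the any-any rule exposes the extra ports.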

                                      • D
                                        detox

                                        mlsbraves -

                                        Thanks for the example!  I have a few questions based on this.
                                        My questions will start with " -> "

                                        Internet Connection with 5 static IPs
                                        ISP Gateway: 10.0.0.1
                                        ISP Usable: 10.0.0.2 - 10.0.0.6

                                        Configure the WAN with 10.0.0.2 /29

                                        ->  This would have a netmask of 255.255.255.248 and 6 hosts
                                            Why this and not a /24?  Does this create better security?

                                        Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

                                        ->  VIP =  Virtual IP?  Created in Pfsense correct?

                                        Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

                                        Example
                                        10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)

                                        ->  Glad to know I do not lose this, that it can be used as well

                                        10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
                                        -> single server with specific ports open

                                        10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
                                        -> single server with specific ports open

                                        10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
                                        -> I need to learn more about VPN before I do this.  Yes I agree would be better

                                        10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)
                                        ->  This public IP will have a router connected for all staff in building (approx 8 and up to 20 on some days)

                                        You can use the same IP with different ports for other services so you may not need to even use 5.

                                        ->  I plan on using equipment in this order:

                                        Web - cable modem

                                        cable modem - PfSense box (Netgate SG-4860)

                                        PfSense - 24 port Ubiquiti Edgeswitch Lite

                                        Edgeswitch - direct connect to servers
                                                          - attach at least 1 router (IP 10.0.0.6) for staff in building

                                        Thanks again for your help!

                                        • DerelictD
                                          Derelict LAYER 8 Netgate

                                          You are keying on the statements of the poster who doesn't seem to have a complete grasp of the problem at hand.

                                          Is your public subnet routed or is it simply a network on the WAN interface itself?

                                          It matters.

                                          • D
                                            detox

                                            Derelict …..

                                            According to Suddenlink, all the static IP's I will be issued are class C  /24

                                            Thanks
