Help with putting PfSense in front of 8 static IPs (public)



  • hello,
    This probably is covered somewhere, but I am at a loss on how to search google for the answer.

    I use PfSense at home for my two local networks (internet is a cable modem w/ DHCP connection) and really appreciate the power of its protection.

    I want to expand its use. I am getting a block of 8 (eight) static IPs for work (I am at a non-profit agency) from my internet provider and am clueless on how to put pfSense between these and the cable modem.

    As an example, the 8 static IPs will be 1-8 and will be serving various functions (again, this is an example):
    IP 1 = webserver
    IP 2 = webserver
    IP 3 = FreeNas server
    IP 4 = router servicing multiple local users
    IP 5 = router servicing multiple local users

    etc.

    So can someone tell me how to do this?

    I could build 8 PfSense boxes (1 for each public IP), connecting all PfSense boxes to an unmanaged switch then to the cable modem, but thought that would be silly.

    Would I connect all static IPs (if multiple appliances, using an unmanaged switch)
    to a layer 3 switch using one port for each IP and activating DHCP,
    then the layer 3 switch to PfSense and out to the cable modem?

    Thanks for any help


  • Netgate

    You can do that if they ROUTE that /29 to you. You would have 5 addresses available for server interfaces in that case. (8 minus network, broadcast, and pfsense interface)

    If those addresses are on the WAN interface itself (which I suspect will be the case), the single best solution is to use 1:1 NAT between them and the servers. The servers will be on the inside on private addresses.

    There might be other possibilities, all progressively uglier, but what is available depends on what the ISP is actually provisioning for you.



  • Derelict is absolutely correct: never put public IPs directly on a server, always put them on a firewall and NAT through what you need, and outbound NAT only what you need/want.


  • Netgate

    That is not at all what I said.

    I said it depends on how it is actually provisioned. Trying to shoehorn an unrouted address on WAN to a server behind the router is simply a matter of compromise since you cannot do it "correctly." Some of the compromises are fairly nasty.

    There is NOTHING wrong with putting a routable address directly on a server. In fact that should be the norm, not the exception, but we have depletion, scarcity, idiotic ISPs, and NAT instead.



  • Thanks so much for the info. I will call Suddenlink and find out exactly what type of address they will issue. Once I get the info I'll post it here.



  • Apologies to Derelict for misrepresenting his reply.

    However, I disagree on putting a routable IP on a server. You should only NAT through the traffic you need; otherwise, if you have, say, a web server and a developer accidentally introduces a vulnerability that allows a web form to run a command, then if you have a firewall NATting through connections and only permitting out replies to that connection, that vulnerable script can't be used to launch, say, an SSH brute force attack against a third-party server off site. While a developer shouldn't create a vulnerability, they happen, and when they do they shouldn't be allowed to be used to attack third-party sites.

    Also, for scalability, having them behind NAT permits you in future to deploy load balancing or have a dual-server setup for upgrades etc. rather than taking it offline.



  • @let_me_help_you_break_that:

    Apologies to Derelict for misrepresenting his reply.

    However, I disagree on putting a routable IP on a server. You should only NAT through the traffic you need; otherwise, if you have, say, a web server and a developer accidentally introduces a vulnerability that allows a web form to run a command, then if you have a firewall NATting through connections and only permitting out replies to that connection, that vulnerable script can't be used to launch, say, an SSH brute force attack against a third-party server off site. While a developer shouldn't create a vulnerability, they happen, and when they do they shouldn't be allowed to be used to attack third-party sites.

    Also, for scalability, having them behind NAT permits you in future to deploy load balancing or have a dual-server setup for upgrades etc. rather than taking it offline.

    Absolute rubbish. It makes zero difference if the server has a public routable IP address or an RFC1918 NATed address. The access control you have on the firewall can allow or deny traffic just the same regardless of the type of addresses used. If your server gets infected by malware etc., it can still launch attacks on the outside world; NAT doesn't offer any more help there, and the firewall is in the same position to allow or deny the attacks, public or RFC1918 addresses.

    In a professional environment NAT is an unnecessary extra complication that should be avoided; configuration of the firewall is much simpler when you don't have to take NAT into account in firewall rules.



  • You should only NAT through the traffic

    NAT is a hack to get around the IPv4 address shortage.  As for security, it does nothing that a properly configured firewall can't do.  With a firewall, you normally start with everything blocked and then open only what you need.  How is that any different than setting up port forwarding through NAT?  There are also problems with NAT, in that it breaks some protocols.

    With the move to IPv6, there is no need for NAT, as there are plenty of addresses to go around. This means you just configure the firewall as appropriate and not worry about port forwarding etc.

    BTW, on IPv6, the smallest prefix an ISP is supposed to provide, /64, contains 18.4 billion billion addresses! No need for NAT.



  • @detox:

    I am getting a block of 8 (eight) static IPs for work (I am at a non-profit agency) from my internet provider and am clueless on how to put pfSense between these and the cable modem.

    When you request static IPs from your ISP they will ask how many you need and assign you the correct block that you need. You can't get 8 usable IPs but you can get 13. Typically, small businesses get a /30 (1 usable), /29 (5 usable), or /28 (13 usable). You can use an online subnet calculator that will help you better understand this and give you all the CIDR and subnet info you need. Check out http://www.subnet-calculator.com/

    @detox:

    As an example, the 8 static IPs will be 1-8 and will be serving various functions (again, this is an example):
    IP 1 = webserver
    IP 2 = webserver
    IP 3 = FreeNas server
    IP 4 = router servicing multiple local users
    IP 5 = router servicing multiple local users

    etc.

    So can someone tell me how to do this?

    I could build 8 PfSense boxes (1 for each public IP), connecting all PfSense boxes to an unmanaged switch then to the cable modem, but thought that would be silly.

    No need to have multiple boxes. You can use all those IPs through a single box any way you need. Here's an example from the information provided above:

    Internet Connection with 5 static IPs
    ISP Gateway: 10.0.0.1
    ISP Usable: 10.0.0.2 - 10.0.0.6

    Configure the WAN with 10.0.0.2 /29

    Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

    Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

    Example
    10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)
    10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
    10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
    10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)

    You can use the same IP with different ports for other services so you may not need to even use 5.

    @detox:

    Would I connect all static IPs (if multiple appliances, using an unmanaged switch)
    to a layer 3 switch using one port for each IP and activating DHCP,
    then the layer 3 switch to PfSense and out to the cable modem?

    In the example above you only need to plug your cable modem directly into the WAN port of pfSense to use all your IPs. It will be up to you whether you only need one LAN on the inside or would like to use multiple internal networks. If you are using unmanaged switches then you will need a switch and a port on pfSense for each LAN. If you get a layer 2 switch then you only need one switch and one LAN port. I generally always put a webserver on a different network, but it depends on your setup. Don't make your network topology more complex than it needs to be.



  • 10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

    Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.



  • @JKnott:

    10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

    Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

    Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

    To each his own, I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for web services but also have local services that need to be accessed locally. In the end each setup is different, but this is fairly typical.



  • @JKnott:

    10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

    Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

    We don't know that yet because the OP hasn't provided any more details of the actual setup. The simplest case would be that the block of IP addresses is routed to his pfSense (the most sensible option), but if it just happens that his ISP is not providing a proper business-level service he might get the block terminated at the cable modem.



  • @mlsbraves:

    To each his own, I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for web services but also have local services that need to be accessed locally. In the end each setup is different, but this is fairly typical.

    Excuse me, but you're out of your depth here. Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall. If you have a pfSense sitting between the server and the internet you can do both port forwarding and packet filtering at the same time with very great precision.



  • Excuse me but you're out of your depth here.

    No, I'm not out of my depth.  Why use NAT when you don't have to?  What does it bring, other than added complexity?  NAT was created to get around an IPv4 address shortage.  However, it's become so ingrained that a lot of people seem to think it brings some benefit beyond that.

    The "firewall" function of NAT is due to its stateful nature (necessary to keep track of the connections), just like a regular stateful firewall.



  • I wasn't replying to you Jknott.



  • Port forwarding doesn't imply that you give up the access control provided by the packet filtering on your hardware firewall.

    Maybe I'm misreading something here. Where did I imply that Port Forwarding gave up the control to packet filter?


  • Netgate

    @mlsbraves:

    @JKnott:

    10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)

    Why port forwarding?  If he has public addresses for the servers, just pass them on.  No need for NAT & port forwarding.

    Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet.

    To each his own, I guess. If 80/443 are the only ports needed, why expose all ports to the server? I wouldn't want a Microsoft Server running IIS to be connected directly to the Internet and solely rely on software firewalls. Some software vendors run IIS for web services but also have local services that need to be accessed locally. In the end each setup is different, but this is fairly typical.

    Again, to quote from above, absolute rubbish.

    Just because an inside host has a public, routable IP address does not mean the firewall has to pass any any any to that host.

    You make a firewall rule on WAN that passes 80/443 to that host. Everything else will be blocked.

    This is NO DIFFERENT than what is done when using NAT, except without the abomination that is NAT. (Yes, NAT has its valid uses, but they are almost always to overcome some deficiency in network design and it is hopefully just a temporary patch.)



  • mlsbraves -

    Thanks for the example!  I have a few questions based on this.
    My questions will start with " -> "

    Internet Connection with 5 static IPs
    ISP Gateway: 10.0.0.1
    ISP Usable: 10.0.0.2 - 10.0.0.6

    Configure the WAN with 10.0.0.2 /29

    ->  This would have a netmask of 255.255.255.248 and 6 hosts
        Why this and not a /24?  Does this create better security?

    Now you also want to use all the other IPs so I would create a VIP for each of those IPs.

    ->  VIP =  Virtual IP?  Created in Pfsense correct?

    Typically, you would just port forward 80/443 to your webservers, this way only those ports on the server are exposed to the Internet. You can use a different IP for each webserver and you can point your domain to the respective IP.

    Example
    10.0.0.2 = pfSense WAN IP (You can still use this IP for other services as well)

    ->  Glad to know I do not lose this, that it can be used as well

    10.0.0.3 = webserver 1 (Port Forward 80/443 to internal webserver 1 IP)
    -> single server with specific ports open

    10.0.0.4 = webserver 2 (Port Forward 80/443 to internal webserver 2 IP)
    -> single server with specific ports open

    10.0.0.5 = FreeNas server (Up to you if you want to open this up but I would look into VPN)
    -> I need to learn more about VPN before I do this.  Yes I agree would be better

    10.0.0.6 = router servicing multiple local users (Not sure what you mean by this)
    ->  This public IP will have a router connected for all staff in building (approx 8 and up to 20 on some days)

    You can use the same IP with different ports for other services so you may not need to even use 5.

    ->  I plan on using equipment in this order:

    Web - cable modem

    cable modem - PfSense box (Netgate SG-4860)

    PfSense - 24 port Ubiquiti Edgeswitch Lite

    Edgeswitch - direct connect to servers
               - attach at least 1 router (IP 10.0.0.6) for staff in building

    Thanks again for your help!


  • Netgate

    You are keying on the statements of the poster who doesn't seem to have a complete grasp of the problem at-hand.

    Is your public subnet routed or is it simply a network on the WAN interface itself?

    It matters.



  • Derelict …..

    According to Suddenlink, all the static IPs I will be issued are class C /24.

    Thanks



  • ^^^^
    IP classes have been obsolete for many years.  You can have a /24 block anywhere in the address space.  With address classes, a class C network could only be found between 192.0.0.0 and 224.0.0.0.


  • Netgate

    @detox:

    Derelict …..

    According to Suddenlink, all the static IPs I will be issued are class C /24.

    Thanks

    So on the interface itself in a larger subnet than your allocation.

    There is no good way to put those addresses directly on servers.

    I would 1:1 NAT in that case.

    Or I would ask for a routed subnet to an address on that /24.
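As an added worked example (written for this page, not code from any poster or from pfSense), the script below works through the two provisioning cases Derelict keeps distinguishing: the block sitting on the WAN segment (pfSense WAN address plus VIPs with port forwards or 1:1 NAT) versus the block being routed to pfSense (addresses go straight onto inside servers). It reuses the 10.0.0.0/29 example from mlsbraves' post; the 192.168.x inside addresses, service names and the 203.0.113.8/29 routed block are constructed placeholders.

```python
import ipaddress

def usable_ips(block, isp_gateway):
    """Addresses available when the ISP block sits on the WAN segment itself:
    the block minus network, broadcast and the ISP gateway.
    Gives /30 -> 1, /29 -> 5, /28 -> 13, the figures quoted in the thread."""
    net = ipaddress.ip_network(block, strict=False)
    gw = ipaddress.ip_address(isp_gateway)
    if gw not in net:
        raise ValueError("ISP gateway must be inside the block")
    return [h for h in net.hosts() if h != gw]

def on_wan_plan(block, isp_gateway, services):
    """Block on WAN: pfSense takes the first usable address; each further
    address becomes a WAN virtual IP (VIP) that is either 1:1 NATed to an
    inside host or port-forwarded for a short list of TCP ports.
    services: list of (name, inside_ip, ports); ports=None means 1:1 NAT."""
    net = ipaddress.ip_network(block, strict=False)
    ips = usable_ips(block, isp_gateway)
    wan, vips = ips[0], ips[1:]
    if len(services) > len(vips):
        raise ValueError(f"only {len(vips)} VIPs left after the WAN address")
    plan = {"wan": f"{wan}/{net.prefixlen}", "vips": [], "rules": []}
    for vip, (name, inside, ports) in zip(vips, services):
        plan["vips"].append(str(vip))
        if ports is None:  # whole address mapped; WAN filter rules still decide what passes
            plan["rules"].append(f"1:1 NAT {vip} <-> {inside}  ({name})")
        for port in ports or []:  # only the listed ports ever reach the inside host
            plan["rules"].append(f"pass tcp WAN {vip}:{port} -> {inside}:{port}  ({name})")
    return plan

def routed_plan(block, pfsense_inside_ip):
    """Block ROUTED to pfSense's WAN address: it goes on an inside interface,
    pfSense owns one address and servers get the rest directly (no NAT);
    WAN filter rules still limit which ports reach each server."""
    net = ipaddress.ip_network(block, strict=False)
    fw = ipaddress.ip_address(pfsense_inside_ip)
    if fw not in net:
        raise ValueError("pfSense interface address must be inside the block")
    return [str(h) for h in net.hosts() if h != fw]

if __name__ == "__main__":
    # Constructed inside addresses; the /29 and gateway are the thread's example.
    svc = [("webserver1", "192.168.10.11", [80, 443]),
           ("webserver2", "192.168.10.12", [80, 443]),
           ("freenas", "192.168.20.5", None)]
    print(on_wan_plan("10.0.0.0/29", "10.0.0.1", svc))
    print(routed_plan("203.0.113.8/29", "203.0.113.9"))
```

Note that on the WAN the firewall's own address consumes one of the five usable addresses, leaving four VIPs, whereas a routed /29 leaves five server addresses after pfSense takes one.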