How to Configure 3 IP's & Internet Restriction????



  • Hi All,

    Just wanted to know how to configure 3 IP addresses (8 LAN ports are available).

    ISP WAN Port - 203.xxx.xxx.xxx
    ISP LAN Port - 180.xxx.xxx.xxx
    Local LAN Port - 192.168.10.1

    The ISP has given a gateway for WAN & LAN. They have also given a pool of 6 IPs on the LAN port.

    How do I configure this? I want the LOCAL LAN GATEWAY to be 192.168.10.1 (Internet has to pass through this gateway).

    I also installed squid. (Only 5 LOCAL LAN IPs can browse anything on the Internet; all the rest have to go through the squid proxy if configured, else no Internet.)

    Please guide me to configure this.

    Thanks in advance.

    Lokesh Kamath


  • Netgate Administrator

    So you have an ISP supplied router in front of pfSense?

    It would be better to have pfSense connected directly, then you can use the 180 subnet however you wish.

    If you can't do that you can just add the additional IPs as IPAliases on WAN and then NAT to/from them to internal clients for example.

    Steve



  • @stephenw10

    Thanks for your reply.

    The ISP did not supply a router. They gave only an L3 switch and in that they have configured the 203 series gateway.

    How do I connect pfSense directly?

    How do I set IPAliases & NAT? (Sorry, I don't know about this.)

    Lokesh Kamath


  • Netgate Administrator

    The supplied L3 switch looks to be routing here if those are the subnets on its upstream and downstream interfaces.

    Do they force you to use that switch? They manage it remotely? What is the hand-off connection coming into it?

    It would be better, more flexible, to replace that L3 switch entirely with pfSense but that may not be possible.

    To use those IP NAT'd see:
    https://www.netgate.com/docs/pfsense/book/nat/1-1-nat.html#configuring-1-1-nat

    Steve



  • @stephenw10
    Thanks Steve.

    They did not force us to use it. We requested it, so they gave it.

    They are not managing it remotely. If the link goes down and we raise a complaint, then they solve the issue.

    3Mbps Connection.

    They configured a port in that L3 switch (8 port, 1st port connected). If we connect directly to any system, or with any other port, it will not work. It works only through the switch with the 1st port.

    Lokesh Kamath


  • Netgate Administrator

    Do you have access to the switch? Can you see how it's configured?

    Are they passing you a /29 subnet for 180.x.x.x?

    Steve



  • @stephenw10

    Thank you Stephen.

    I don't have access to the switch.

    As per my knowledge, if I configure a 180 series IP (gateway 203 series) connecting to the ISP WAN port, Internet will not work.

    My current configuration is

    Ubuntu Server
    1st LAN - 203.xxx.xxx.xxx
    2nd LAN - 180.xxx.xxx.xxx (IP & Subnet Configured, As this is ISP LAN Gateway)

    This 2nd LAN connects to the switch (8 port), and from there I configured 2 more servers.

    1. Ubuntu Server (1st LAN - 180, 2nd LAN - 192)
    2. PFSENSE (1st LAN - 180, 2nd LAN - 192)

    Lokesh Kamath


  • Netgate Administrator

    A diagram here would be helpful. Showing the last octet values on the 180 subnet so we can see they are different IPs.

    So you have an Ubuntu server routing between those two subnets?

    Where does the ISP L3 switch fit into that? I assume that's not the 8 port switch...

    Steve



  • @stephenw10
    Thank you Stephen.

    Sorry for blindly sending the info. Please find the picture below for your info. I am sorry for my poor network diagram.

    ISP L3 Switch connected to Incoming Fiber. It is Layer3 Dlink 8Port Switch. They configured VLAN & routing in that.

    The network looks like this:
    (image: NW Diagram.png)

    Lokesh Kamath


  • Netgate Administrator

    Ok, what exactly is your goal here?

    What are those Ubuntu Servers doing?

    I think you can rationalise that significantly. I'm not sure why you would want the two devices in parallel like that.

    Steve



  • @stephenw10
    Thank you Stephen.

    My Goal is to remove Ubuntu Servers and keeping only pfSense Firewall.

    Only 5 Users should have full internet access.
    Remaining users should have proxy internet (without proxy internet should not work).

    So How to configure in pfSense??

    Initially there was only 1 Ubuntu server, and in that we had configured SQUID, and with that all the users were getting Internet.
    A few months back some issue happened while upgrading the Ubuntu server. So we installed pfSense and through pfSense configured SQUID, and Internet is working fine with all the users & the gateway configured as the Ubuntu server. 5 users are connected to the Ubuntu server because they don't want any site blocked.

    If I configure the pfSense IP as gateway, all the users are getting Internet without proxy. So I am not getting how to configure it in pfSense.

    So please guide me.

    Thanks in advance.

    Lokesh Kamath


  • Netgate Administrator

    Ok, how are you using the public IPs in the 180 subnet? Do you have services running on those?

    I would put pfSense as close to the ISP connection as possible. It's not clear to me what the D-Link switch in the diagram is doing. I assume that's the ISP supplied L3 switch. It has one port in use for you to connect to, how is the incoming connection from the ISP connected?
    If that is just Ethernet I would want to connect that directly to the pfSense WAN and deal with everything else from there.
    You could use the 180 subnet directly on an internal pfSense interface if you need internal machines to have public IPs. Or you could add those IPs as VIPs and NAT them to specific internal machines using a private IP.

    Steve



  • @stephenw10
    Thank you Stephen.

    I think the public IPs you are talking about are the 192.192 series. As per one of my friend's info I configured that. A few days back I came to know that it is wrong. So I will change it.

    Initially ISP provided 2 Media Converters.

    1 for ILL (Internet Lease Line)

    2 for P2P (Point to Point connection)

    1 year back they changed that media converter to 8 port L3 Dlink Switch.
    Port 1 Connected as ILL (Internet Lease Line) and Port 2 Connected as P2P (Point to Point).

    If I connect an Ethernet cable directly to pfSense, then it will not work. If I connect to pfSense through the 1st port of the 8 port D-Link switch, it will work (I checked it).

    We don't need internal machines with 180 series IPs other than pfSense (we are using all these 180 IPs only for Internet purposes).

    Through pfSense, how can I allow the below things?

    1. Full Internet for 5 people
    2. Proxy Internet for 30 people (if the proxy is not set, Internet should not work)
    3. Nearly 80 people (including Internet users) are using mail with SSL/TLS on ports 995 & 993

    Please guide me.

    Thanks in advance.

    Lokesh Kamath


  • Netgate Administrator

    OK. I would expect to be able to connect pfSense to the P2P connection directly but without knowing how that's configured it will be impossible.
    So I would connect the pfSense WAN interface to the L3 switch. Use 203.x.x.154 as the WAN IP and 203.x.x.153 as the WAN gateway. You haven't specified the subnet there but it is probably something very small like /30.

    Then connect the pfSense LAN port directly to the private subnet for the clients via one L2 switch. Use pfSense as DHCP and DNS as it is configured by default unless you have a good reason not to.

    You are using 192.192.x.x as the subnet there but that is invalid, it's not a private subnet. You must use 192.168.x.x if you're using a 192 IP there so probably 192.168.0.1/24 as the pfSense LAN IP.

    It looks like the ISP is just routing that 180 subnet to you so you can use that or not use it however you please.

    Assign the 5 users who need unfiltered access static DHCP mappings so they always get the same IP. Add those IPs to an alias.
    Put in a firewall rule on LAN to pass traffic from that alias to anywhere.
    Put in other firewall rules on LAN below that to block all traffic from the LAN subnet with destination ports 80 or 443. That will prevent anyone accessing the web directly and force them to use the proxy.

    Steve
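The LAN rule order Steve describes above, written out as an equivalent pf ruleset. This is an added example, not pfSense's generated configuration (pfSense builds its rules from the GUI); it assumes the LAN interface is em1 on 192.168.0.1/24, the five unfiltered hosts hold the constructed static DHCP addresses below, and Squid listens on the pfSense LAN IP on port 3128 (Squid's default, not stated in the thread).

```pf
# Added example: pf equivalent of the LAN rules described in the thread.
# Assumed names/addresses: em1 = LAN, 192.168.0.1/24 = pfSense LAN,
# 192.168.0.11-15 = constructed static DHCP mappings for the 5 users,
# 3128 = Squid proxy port (Squid default; an assumption here).
lan_if  = "em1"
lan_net = "192.168.0.0/24"
lan_ip  = "192.168.0.1"

# The "AllowIP" alias: hosts with full, unfiltered Internet access
table <AllowIP> { 192.168.0.11, 192.168.0.12, 192.168.0.13, 192.168.0.14, 192.168.0.15 }

# pfSense LAN rules are evaluated top-down, first match wins ("quick").
# The order below is what makes the design work.

# 1. Everyone may reach pfSense itself for DNS and for the Squid proxy port
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_ip port 53
pass in quick on $lan_if proto tcp from $lan_net to $lan_ip port 3128

# 2. The five alias members bypass the proxy entirely (must come BEFORE the block)
pass in quick on $lan_if from <AllowIP> to any

# 3. Everyone else is blocked from reaching the web directly:
#    no proxy configured on the client means no web. UDP 443 is included so
#    QUIC cannot slip past; "log" records each blocked attempt for review.
block in log quick on $lan_if proto { tcp, udp } from $lan_net to any port { 80, 443 }

# 4. Remaining traffic, e.g. IMAPS/POP3S on 993/995 for the mail users, still passes
pass in quick on $lan_if from $lan_net to any
```

Only ports 80 and 443 are blocked, so web servers on non-standard ports and any non-web protocol still leave through rule 4; if "no Internet without proxy" must be strict, replace rule 4 with explicit passes for the mail ports and a final block.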



  • @stephenw10
    Thanks Stephen.

    If you want me to provide the IPs, I can.

    The subnet you mentioned is 100% correct.

    203 series /30 subnet
    180 series /29 subnet
    and Local LAN I will change from 192.192 to 192.168 /24

    Lokesh Kamath


  • Netgate Administrator

    Ok, then I would arrange it as I outlined above.

    I imagine you're paying for that 180 /29 subnet and I can't see where you're using it at all. You could probably cancel it and save money but I'd make sure the new setup works as expected before you do that in case you find you need more public IPs.

    Steve



  • @stephenw10
    Thank you Stephen.

    We are not paying anything for those public IPs; they are bundled in the fiber connection (8 public IPs free).

    I will eliminate the 180 series, configure it, and let you know the result in 2 days.

    Once again, thanks for your time; all your suggestions are very much appreciated.

    Lokesh Kamath



  • @slkamath said in How to Configure 3 IP's & Internet Restriction????:

    (8 Public IP's free)

    6 usable. With IPv4, you lose one to the network address and one for the broadcast address.



  • @jknott
    Thanks for your info.

    I think only 5 are usable; 1 is for the gateway.

    Lokesh Kamath



  • @stephenw10

    Stephen Thank you very much.

    It is working very well.

    I was very much confused initially but you cleared my confusion and solved my issue. Big thank you.

    WAN- 203 Series
    LAN - 192 Series (192.192. series will change in few days to 192.168.) Currently Windows DC is running in that 192.192 series. So will change in few days.

    Please find the below picture and let me know any changes required.

    Firewall Rules
    (image: Firewall Rules.png)

    7th rule - AllowIP is the set of IPs who have full Internet access.

    Thank you very much once again. No words to express my gratitude Stephen.

    Lokesh Kamath


  • Netgate Administrator

    No problem.

    Since you have those additional IPs anyway you can use them however you wish. Use the whole subnet on an internal interface. Add the individual IPs as VIPs on the WAN and NAT to/from them. Or just don't use them.

    Steve



  • @stephenw10
    Thank you Stephen.

    Ok, Sure.

    Lokesh Kamath.