Netgate Discussion Forum
    Server with Public IP behind pfsense

    Routing and Multi WAN
    8 Posts 2 Posters 989 Views
    blackbinary

      Hi guys,
      I have a problem with a complicated WAN setup.

      • I get a /27 subnet from my data center ISP, routed through a transit network. This is set up redundantly (active/passive with failover to the 2nd cable if the link goes down).
      • I use two L3 switches and route both transit networks into a "WAN" VLAN on the switch.
        • Within that WAN network I have a master and slave pfSense with some CARP VIPs (WAN interface).
      • I use port forwarding in most cases to deliver traffic to internal servers/services. These internal servers have private addresses, e.g. the DMZ server 10.112.112.123 - no problem for source NAT (port forwarding).

      BUT!! I have a special case where the server needs a public IP on its interface (application requirement, SIP gateway). I can't use source NAT/1:1 because the interface IP of the server is also transmitted within the application layer.

      Is there a way to place that server behind the pfSense? I want to filter the traffic.

      Thanks for the help

      Derelict (LAYER 8, Netgate)

        Take part of your /27 (Like a /29, /30, or /31 if the PBX can deal with it) and put it on an inside interface. Disable Outbound NAT for those source addresses. Pass the traffic you want into WAN.

        How easy or difficult this will be depends on what you have already done with the other /27 addresses.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        blackbinary

          @derelict said in Server with Public IP behind pfsense:

          Take part of your /27 (Like a /29, /30, or /31 if the PBX can deal with it) and put it on an inside interface.

          Thanks for the fast reply!
          But that way it will consume public IPs like mad. I already need 3 IPs for pfSense master, pfSense slave and CARP-IP1 (+ 2 IPs with the VRRP setup (L3 switches)) on the WAN side of the pfSense. Yes, I can shrink the subnet on the WAN side and create an interface, e.g. "PubDMZ". But I have to use another 3 IP addresses for the CARP setup within that network.

          --> Is it possible to be more economical with the addresses? AFAIK CARP needs at least 3 IPs.

          Thanks again

          Derelict (LAYER 8, Netgate)

            Yes, that will consume at least a /29 for the inside interface which would leave 3 available host addresses. A /28 leaves 11 host addresses.

            If you want to play in this space you have to pay.

            That or 1:1 NAT.


            blackbinary

              @derelict said in Server with Public IP behind pfsense:

              That or 1:1 NAT.

              I don't think there is a way to publicly address a server in a DMZ if the pfSense has a subnet on WAN which contains that same IP of the server - or am I wrong? (The server needs a public IP on the interface.)

              Yes, that will consume at least a /29 for the inside interface which would leave 3 available host addresses. A /28 leaves 11 host addresses.
              If you want to play in this space you have to pay.

              Okay, that helps a lot and brings me closer to a solution.
              As far as I understand:

              • If I split my /27 into two /28s
              • I can create the first /28 on the "WAN" side
              • and route the 2nd /28 with the L3 switch over pfsense-WAN-CARP1
              • I create the 2nd /28 network called "PubDMZ" behind the pfSense

              BUT! What if I want to segment one of the networks with a /29? How can I configure the other interface with the size of /28 + the remaining /29 (75% of all IPs)? Is it even possible?

              Thanks for the help

              Derelict (LAYER 8, Netgate)

                You said the /27 was routed to you. If that is the case you can do whatever you want with it.

                It should be routed to your WAN CARP VIP.

                If that is actually the case, here's an example:

                Routed Subnet: 198.51.100.96/27

                You use these as VIPs on WAN:
                198.51.100.96 - 198.51.100.119

                You number OPT1 like this:
                CARP: 198.51.100.121/29
                Primary: 198.51.100.122
                Secondary: 198.51.100.123
                Available for OPT1 hosts: 198.51.100.124 - 198.51.100.126

                If you want to use all of the space on inside interfaces, you have to do it on subnet boundaries. You could split it up like:

                OPT1: 198.51.100.96/28
                OPT2: 198.51.100.112/29
                WAN VIPs: 198.51.100.120 - 198.51.100.127


                  blackbinary
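A worked version of the split in the post above, added here as an example and not part of the thread: Python with the standard-library ipaddress module carves the /27 into inside subnets on subnet boundaries, numbers each inside interface the way Derelict does (CARP VIP, primary, secondary, then hosts), and checks the earlier question of whether a /28 plus the neighbouring /29 could sit on one interface. The function names and the numbering order are assumptions for illustration, not pfSense's own.

```python
import ipaddress
from ipaddress import IPv4Network

# The routed block used in the example above.
ROUTED_BLOCK = IPv4Network("198.51.100.96/27")

def carp_layout(subnet: IPv4Network) -> dict:
    """Number an inside interface for a CARP pair: first usable address is
    the CARP VIP (the hosts' gateway), then the primary and secondary node
    addresses; everything after that is available for hosts."""
    hosts = list(subnet.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{subnet} has no room for a CARP pair plus a host")
    return {"carp_vip": hosts[0], "primary": hosts[1],
            "secondary": hosts[2], "available": hosts[3:]}

def split_routed_block(routed: IPv4Network, inside_prefixes: list) -> dict:
    """Carve inside subnets from the low end of the routed block, largest
    first so each lands on a subnet boundary, and keep whatever is left
    for WAN VIPs (the block must still be routed to a WAN CARP VIP)."""
    inside = []
    cursor = int(routed.network_address)
    for plen in sorted(inside_prefixes):
        net = IPv4Network((cursor, plen))  # strict: raises if not aligned
        if not net.subnet_of(routed):
            raise ValueError(f"{net} does not fit inside {routed}")
        inside.append(net)
        cursor = int(net.broadcast_address) + 1
    if cursor > int(routed.broadcast_address):
        raise ValueError("nothing left for WAN VIPs; keep a WAN CARP VIP")
    wan = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(cursor), routed.broadcast_address))
    return {"inside": inside, "wan_vips": wan}

def is_single_subnet(first: str, last: str) -> bool:
    """True if the range is one CIDR block, i.e. it could be put on a single
    interface. A /28 plus the neighbouring /29 (24 addresses) is not."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return len(list(blocks)) == 1

if __name__ == "__main__":
    plan = split_routed_block(ROUTED_BLOCK, [28, 29])
    for net in plan["inside"]:
        print(net, carp_layout(net))
    print("WAN VIPs:", plan["wan_vips"])
    print("/28 + /29 on one interface?",
          is_single_subnet("198.51.100.96", "198.51.100.119"))
```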

                  @derelict said in Server with Public IP behind pfsense:

                  You said the /27 was routed to you. If that is the case you can do whatever you want with it.
                  It should be routed to your WAN CARP VIP.

                  Yes and no, that's not the entire story. The subnet is delivered over a private transfer network twice.
                  https://www.dropbox.com/s/6bhc8bw6iye343i/wan.pdf?dl=0 <-- I made a small Visio.
                  (Found a small error: the pfSense slave interface IP is not .11 but .114.)

                  Is that setup possible?

                  Thanks for the help

                    Derelict (LAYER 8, Netgate)

                    Yeah. As long as the network is routed to the CARP VIP you're good.
