Routed /29 subnet from ISP and exposing services to internet
  • I get a /29 routed subnet from my ISP (UNO UK, if that helps), which I have assigned to a dedicated DMZ interface on pfSense. There are NO hosts directly attached to the IPs on this interface.

    I want to use one of the IP addresses in the DMZ as a public load balancer IP for some HTTP/HTTPS services.

    Below is what I have done (and it doesn't work).

    Load balancer setup:

    • Server pool with three internal IPs, say on the 10.10.0.0/16 subnet
    • Created a VIP on another interface as an internal load-balancing IP, say 192.168.10.10

    With the DNS pointed to this LB IP address, it is all fine. I can reach the three server nodes and do stuff. I am trying to get HTTP-01 validation working for SSL certificates on these nodes, and this means I need to set up a public IP address for this service.

    I set up the following:

    1. Manual NAT, and removed the rules that NATed my routed public /29 segment
    2. Port forwarded 80 and 443 on my public IP to the internal load balancer IP (192.168.10.10)
    3. Created an outbound rule to NAT 192.168.10.10 to the public IP of the service
    4. The necessary firewall rules to allow traffic on the WAN interface

    Problem:

    The HTTP/HTTPS requests seem to be answered by the nginx on the pfSense firewall rather than being forwarded to the load balancer. The load balancer does not seem to receive the request, and the firewall logs don't show any rejection.

    Is this the right setup? Can someone suggest how a /29 subnet is normally set up in pfSense for exposing internal services to the internet?

  • Rebel Alliance Global Moderator

    @jkmuk said in Routed /29 subnet from ISP and exposing services to internet:

    how a /29 subnet is normally set up in pfSense for exposing internal services to the internet?

    By actually just routing it - i.e. you put this /29 on an interface connected on your LAN side of pfSense and just use firewall rules to allow inbound and outbound traffic.

    That is how you would normally do it. Since your question really has nothing to do with that and you're NATing to private IPs, your question should be in the load balancing section, since that is what your question is about.
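As an added illustration, not posted by either participant and not pfSense's own generated ruleset, here are the two approaches from this thread written as plain pf.conf rules (pfSense builds equivalent rules from its GUI). The interface names, the 203.0.113.8/29 block and the 203.0.113.10 service address are constructed placeholders; the 192.168.10.10 VIP is the one from the question. The rules are shown side by side for comparison only: use either the routed block (Option A) or the port-forward block (Option B) for a given address, not both, because a matching rdr is applied before the filter rules and would take the traffic away from the routed path.

```pf
# Macros (all values constructed for this example)
ext_if    = "igb0"              # WAN, facing the ISP
dmz_if    = "igb1"              # interface carrying the routed /29
pub_net   = "203.0.113.8/29"    # the routed block from the ISP
svc_ip    = "203.0.113.10"      # public address the HTTP/HTTPS service answers on
lb_vip    = "192.168.10.10"     # internal load balancer VIP from the question
web_ports = "{ 80, 443 }"

# Options
set skip on lo0

# --- Translation section: Option B only (port forward to the private VIP) ---
# Comment these two lines out for Option A; pf evaluates rdr before filtering,
# so a matching rdr would rewrite the destination before the routed rule runs.
rdr on $ext_if inet proto tcp from any to $svc_ip port $web_ports -> $lb_vip
# Connections the LB itself initiates leave with the service address. Replies
# to forwarded connections are un-translated by the rdr state, not by this rule,
# so step 3 of the question is only needed for LB-originated traffic.
nat on $ext_if inet from $lb_vip to any -> $svc_ip

# --- Filter section ---
block log all      # pfSense's default stance: nothing passes without a rule

# Option A: the moderator's answer. A host on $dmz_if carries 203.0.113.10
# itself; pfSense only routes and filters, no address translation at all.
pass in quick on $ext_if inet proto tcp from any to $svc_ip port $web_ports \
    flags S/SA keep state
# Traffic the DMZ hosts originate (replies are already covered by state).
pass in quick on $dmz_if inet from $pub_net to any keep state

# Option B: the question's setup. With old-style rdr, the filter rule sees the
# translated destination, so it must name the VIP, not the public address.
pass in quick on $ext_if inet proto tcp from any to $lb_vip port $web_ports \
    flags S/SA keep state

# In both options the pass rules are scoped to one destination address. A
# broader rule such as "pass in on $ext_if proto tcp to any port 80" also
# matches the firewall's own interface addresses and hands the connection to
# the pfSense webGUI (nginx), which is the symptom reported in the question.
```

To confirm which path a connection actually took on a live box, `pfctl -sn` lists the loaded translation rules, `pfctl -sr` the filter rules in evaluation order, and `pfctl -ss` the state table, where a forwarded flow shows the public address on the WAN side and 192.168.10.10 on the inside.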