4. Routed /29 subnet from ISP and exposing services to internet

Routed /29 subnet from ISP and exposing services to internet

  • J

    I get a /29 routed subnet from my ISP (UNO UK if that helps) which I have assigned to a dedicated DMZ interface on Pfsense. There are NO hosts directly attached to the IPs on this interface.

    I want to use one of the IP address in the DMZ as a public LoadBalancer IP for
    some HTTP/HTTPS services

    The below is what I have done (and it doesn't work)

    Setup Load Balancer

    • Server POOL with three internal IPS say on 10.10.0.0/16 subnet
    • created a VIP on another interface as an internal load balancing IP say 192.168.10.10

    With the DNS pointed to this LB IP address, it is all fine. I can reach the three server nodes and do stuff. I am trying to get HTTP01 validation working for SSL certificates on these nodes and this will mean I need to set up a public IP address for this service.

    I set up the following

    1. Manual NAT and removed the rules that NATed my Routed Public /29 segment
    2. Port forwarded 80 and 443 on my PublicIP to the internal Load Balancer IP (192.168.10.10)
    3. Created an outbound rule to NAT 192.168.10.10 to my Public IP of the service
    4. Necessary firewalls rules to allow traffic on the wan interface

    Problem:

    The HTTP/HTTPS requests seem to be answered by the nginx on the pfsense firewall and not being forwarded to the load balancer. The Load Balancer does not seem to receive this request and the firewall logs don't show any rejection.

    Is this a right setup? Can someone suggest how a /29 subnet is normally setup in pfsense for exposing internal services to the internet?

    0 1 Reply
  • LAYER 8 Global Moderator

    @jkmuk said in Routed /29 subnet from ISP and exposing services to internet:

    how a /29 subnet is normally setup in pfsense for exposing internal services to the internet?

    By actually just routing it - ie you this /29 on a interface connected on your lan side of pfsense and just firewall rules to allow inbound and outbound traffic.

    Is how you would normally do it. Since your question really has nothing to do with that and your natting to private IPs - your questions should be in the load balancing section. Since that is what your question is about.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy