Multiple Public IPs Assigned directly to machines

rby

Hi Guys,

Newbie here, sorry not sure if I've assigned this to the correct category.... :)

I've just been allocated some additional static IP's by my ISP. I had asked for a /29 but they just allocated me 5 IPs, anyway.

Basically what I'm trying to do is assign each IP directly to a server (different servers of course). I don't want port forwarding, I want the actual server IP to be one of the static IP's.

I also want the traffic going outbound to appear as if its coming from that static IP (not the WAN IP of pfsense)

The inbound stuff is fine, I've sacrificed one of my 5 IPs and created OPT1 - given OPT1 the first IP in my allocation.
I've then attached a server to OPT1 and set its IP to the 2nd IP in my allocation with the gateway set to OPT1's address.
I've added a firewall rule and now the server can see the internet, inbound is also fine. Where I run into issues is that the server is just using the WAN IP for outbound stuff (if i run curl ifconfig.me for example it returns my WAN IP, not the servers static IP)

I've read a heap of articles saying I need to setup Outbound NAT rules but every time i try to do that the server loses internet access for some reason. Just not really sure whether the IP's should have been setup as Virtual IP's (if so what type), how NAT comes into this, etc.

If someone wouldn't mind giving me some guidance that would be fantastic and really appreciated.

Thanks in advance.
Ben

johnpoz

How exactly did they "route" these 5 ips to you?

You can not put a netblock behind pfsense unless its routed to you.. If you want devices behind pfsense like that you would have to bridge -- uggghhh!

Or just do like any sane person and 1:1 nat the vips you create on your wan with these new IPs you got...

And yes you would create outbound nat to the different vips if you want server A to use IP X, and B to use Y outbound.

rby

@johnpoz

Sorry, not really sure I know how to answer that one. They are routed somehow though as they're resolving from the outside world.

If I did 1:1 nat the servers would not be directly assigned a static IP, they'd have an internal IP mapped to the VIP?

Really looking to have the servers assigned the static IP directly, is there a way to do this?

I'm sure I had this exact setup a number of years back, just can't for the life of me find the tutorial i was following nor remember how I did it!

johnpoz

If the IPs are actually "routed" to you which I highly doubt with just 5 ip.. Which are inside the netblock on your wan currently or some other IPs?

If they would of given you an actual routed network, then they would of given you the network and mask - not just 5 ips you could use..

Yes if the block is routed to you - its as simple creating an interface on pfsense for that network. And then creating the firewall rules to allow the traffic you want inbound on your wan which is where the netblock would be routed to you. Then just making sure you turn off outbound nat for the net network behind pfsense.

If the netblock is not routed to you - then you HAVE to nat or bridge..

How exactly did they give you these IPs and what is the last octets? Did they actually route a /29 to you and just forgot 1 IP?

I can not see them routing /32 to you - that would just be nuts.. To send the 5 ips to your current wan IP.

rby

@johnpoz

Hi John, thanks for replying again.

So just to clarify, what you're saying is if they actually gave me a proper /29 allocation i would be able to do what I'm wanting to do but you're thinking that they've just grabbed 5 free IP's out of a pool and assigned them to me?

I don't think they ended up giving me a /29 - as I said in the first post, I did request a /29 but ended up with 5 IPs...

Do you mind if I PM you the actual IP's they gave me? (don't really want to post them publicly.)

Thanks,
Ben

johnpoz

sure send them in a PM, also what is your current WAN ip and mask?

BigAl

@johnpoz Hi John,

You said "Yes if the block is routed to you - its as simple creating an interface on pfsense for that network. And then creating the firewall rules to allow the traffic you want inbound on your wan which is where the netblock would be routed to you. Then just making sure you turn off outbound nat for the net network behind pfsense."
I have a routed /24 and this is what I would like to do as I don't want to use static NAT as I'd have to change the IPs of my servers.

I was considering a Netgate appliance for pfSense but on reading the getting started instructions it says "Warning
The default LAN subnet on the firewall is 192.168.1.0/24. The same subnet cannot be used on both WAN and LAN, so if the subnet on the WAN side of the firewall is also 192.168.1.0/24, disconnect the WAN interface until the LAN interface has been renumbered to a different subnet."

This suggests to me that I can't do what you suggest because it will be the same subnet on both WAN and LAN.

I'm completely new to pfSense and may have completely misunderstood the manual. Any advice gratefully received.
Many thanks, Al.

johnpoz

Huh? No a router can not have the same networks or overlapping networks on multiple interfaces, ie its wan and lan..

But if the /29 is routed to you this would never be the case since your wan would be the transit network and wouldn't overlap with your routed /29

This has zero to do specific with pfsense - and is just basic 101 routing.

Here lets do an example...

isp .1 --- 1.2.3.0/30 --- .2 wan pfsense opt .1 --- 4.5.6.0/29 --- devices .2, .3, .4 etc..

And sure pfsense could also have lan network in 192.168.1.0/24

Now your isp routes 4.5.6.0/29 to your 1.2.3.2 address.