    Multiple Public IPs Assigned directly to machines

    HA/CARP/VIPs
    • R
      rby last edited by

      Hi Guys,

      Newbie here, sorry not sure if I've assigned this to the correct category.... :)

      I've just been allocated some additional static IPs by my ISP. I had asked for a /29 but they just allocated me 5 IPs, anyway.

      Basically what I'm trying to do is assign each IP directly to a server (different servers of course). I don't want port forwarding, I want the actual server IP to be one of the static IPs.

      I also want the traffic going outbound to appear as if it's coming from that static IP (not the WAN IP of pfsense).

      The inbound stuff is fine, I've sacrificed one of my 5 IPs and created OPT1 - given OPT1 the first IP in my allocation.
      I've then attached a server to OPT1 and set its IP to the 2nd IP in my allocation with the gateway set to OPT1's address.
      I've added a firewall rule and now the server can see the internet, inbound is also fine. Where I run into issues is that the server is just using the WAN IP for outbound stuff (if I run curl ifconfig.me for example it returns my WAN IP, not the server's static IP).

      I've read a heap of articles saying I need to set up Outbound NAT rules but every time I try to do that the server loses internet access for some reason. Just not really sure whether the IPs should have been set up as Virtual IPs (if so what type), how NAT comes into this, etc.

      If someone wouldn't mind giving me some guidance that would be fantastic and really appreciated.

      Thanks in advance.
      Ben

      • johnpoz
        johnpoz LAYER 8 Global Moderator last edited by johnpoz

        How exactly did they "route" these 5 ips to you?

        You can not put a netblock behind pfsense unless it's routed to you.. If you want devices behind pfsense like that you would have to bridge -- uggghhh!

        Or just do like any sane person and 1:1 nat the vips you create on your wan with these new IPs you got...

        And yes you would create outbound nat to the different vips if you want server A to use IP X, and B to use Y outbound.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

        • R
          rby @johnpoz last edited by

          @johnpoz

          Sorry, not really sure I know how to answer that one. They are routed somehow though as they're resolving from the outside world.

          If I did 1:1 nat the servers would not be directly assigned a static IP, they'd have an internal IP mapped to the VIP?

          Really looking to have the servers assigned the static IP directly, is there a way to do this?

          I'm sure I had this exact setup a number of years back, just can't for the life of me find the tutorial I was following nor remember how I did it!

          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by johnpoz

            If the IPs are actually "routed" to you, which I highly doubt with just 5 IPs.. Which are inside the netblock on your wan currently or some other IPs?

            If they would have given you an actual routed network, then they would have given you the network and mask - not just 5 IPs you could use..

            Yes if the block is routed to you - it's as simple as creating an interface on pfsense for that network. And then creating the firewall rules to allow the traffic you want inbound on your wan which is where the netblock would be routed to you. Then just making sure you turn off outbound nat for the net network behind pfsense.

            If the netblock is not routed to you - then you HAVE to nat or bridge..

            How exactly did they give you these IPs and what are the last octets? Did they actually route a /29 to you and just forgot 1 IP?

            I can not see them routing /32 to you - that would just be nuts.. To send the 5 ips to your current wan IP.

            • R
              rby @johnpoz last edited by

              @johnpoz

              Hi John, thanks for replying again.

              So just to clarify, what you're saying is if they actually gave me a proper /29 allocation I would be able to do what I'm wanting to do but you're thinking that they've just grabbed 5 free IPs out of a pool and assigned them to me?

              I don't think they ended up giving me a /29 - as I said in the first post, I did request a /29 but ended up with 5 IPs...

              Do you mind if I PM you the actual IPs they gave me? (don't really want to post them publicly.)

              Thanks,
              Ben

              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by

                Sure, send them in a PM. Also, what is your current WAN IP and mask?

                • B
                  BigAl @johnpoz last edited by

                  @johnpoz Hi John,

                  You said "Yes if the block is routed to you - it's as simple as creating an interface on pfsense for that network. And then creating the firewall rules to allow the traffic you want inbound on your wan which is where the netblock would be routed to you. Then just making sure you turn off outbound nat for the net network behind pfsense."
                  I have a routed /24 and this is what I would like to do as I don't want to use static NAT as I'd have to change the IPs of my servers.

                  I was considering a Netgate appliance for pfSense but on reading the getting started instructions it says "Warning
                  The default LAN subnet on the firewall is 192.168.1.0/24. The same subnet cannot be used on both WAN and LAN, so if the subnet on the WAN side of the firewall is also 192.168.1.0/24, disconnect the WAN interface until the LAN interface has been renumbered to a different subnet."

                  This suggests to me that I can't do what you suggest because it will be the same subnet on both WAN and LAN.

                  I'm completely new to pfSense and may have completely misunderstood the manual. Any advice gratefully received.
                  Many thanks, Al.

                  • johnpoz
                    johnpoz LAYER 8 Global Moderator last edited by johnpoz

                    Huh? No, a router can not have the same networks or overlapping networks on multiple interfaces, i.e. its wan and lan..

                    But if the /29 is routed to you this would never be the case, since your wan would be the transit network and wouldn't overlap with your routed /29.

                    This has zero to do specifically with pfsense - and is just basic 101 routing.

                    Here, let's do an example...

                    isp .1 --- 1.2.3.0/30 --- .2 wan pfsense opt .1 --- 4.5.6.0/29 --- devices .2, .3, .4 etc..

                    And sure pfsense could also have lan network in 192.168.1.0/24

                    Now your isp routes 4.5.6.0/29 to your 1.2.3.2 address.


                    1 Reply Last reply Reply Quote 0
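Added example, not part of any post in this thread: a Python check of the two questions raised above, namely whether extra public IPs sit inside the WAN subnet (so they need VIPs with 1:1 NAT, or a bridge) or outside it (usable behind the firewall only if the ISP routes the block to the WAN address), and whether any firewall interfaces overlap. The function names are hypothetical; the 1.2.3.0/30 and 4.5.6.0/29 addresses are the ones from the diagram above, and the `.50` WAN host address is constructed.

```python
import ipaddress


def classify_extra_ips(wan_iface, extra_ips):
    """Label each extra IP 'on-link' (inside the WAN subnet: VIP + 1:1 NAT
    or bridge) or 'off-link' (must be routed to the WAN address by the ISP)."""
    wan_net = ipaddress.ip_interface(wan_iface).network
    return {
        ip: "on-link" if ipaddress.ip_address(ip) in wan_net else "off-link"
        for ip in extra_ips
    }


def smallest_covering_network(ips):
    """Smallest single CIDR block containing every address in ips.
    This is the network/mask an ISP would state for a routed block."""
    addrs = sorted(ipaddress.ip_address(i) for i in ips)
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()
    return net


def overlapping_interfaces(ifaces):
    """Return sorted name pairs whose networks overlap; a router cannot
    carry the same or overlapping networks on two interfaces."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [
        (a, b)
        for i, a in enumerate(names)
        for b in names[i + 1:]
        if nets[a].overlaps(nets[b])
    ]


if __name__ == "__main__":
    # Topology from the diagram in the last post.
    routed = {"wan": "1.2.3.2/30", "opt": "4.5.6.1/29", "lan": "192.168.1.1/24"}
    servers = ["4.5.6.2", "4.5.6.3", "4.5.6.4"]
    print(classify_extra_ips(routed["wan"], servers))
    print(smallest_covering_network(servers + ["4.5.6.6"]))
    print(overlapping_interfaces(routed))
    # The case the getting-started warning describes (WAN host is constructed).
    print(overlapping_interfaces({"wan": "192.168.1.50/24", "lan": "192.168.1.1/24"}))
```

An `off-link` result only says the addresses are outside the WAN subnet; whether the block is actually routed to the WAN address is something the ISP has to confirm.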