Multiple Public IPs
-
In the process of migrating from an old Cisco PIX to pfsense.
Installation was fine and I have basic WAN config up and working.
Now for the trouble…
My ISP provides me with a range of IPs from xxx.xxx.xxx.9 => xxx.xxx.xxx.21, subnet 255.255.255.224
xxx.xxx.xxx.9/27 is set as my WAN ip
I have an internal web server at 192.168.1.89.
Externally, its address needs to be xxx.xxx.xxx.10
I set up a VIP with ProxyARP for the single address xxx.xxx.xxx.10, then created a NAT with:
Interface: WAN
External Address: xxx.xxx.xxx.10
External Port Range: 80
NAT IP: 192.168.1.89
Local Port: 80
Auto Add rule: It creates a rule on the firewall to allow port 80 to pass through to 192.168.1.89.
As you might imagine, I'm posting because this setup isn't working. One thing I noticed was that in the ProxyArp config, I can't set a subnet for the IP address, it's stuck as 32. Shouldn't it need to be 27 for my 255.255.255.224 subnet externally?
Thanks
-
Use CARP! Even if you won't use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have a different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIPs) to your internal IP. Done!
-
I would say use CARP and split your range into 2 subnets, a WAN and DMZ zone for your public facing servers. I did the same for our network and it works great using CARP VIPs, although I am using the CARP failover features as well.
-
Use CARP! Even if you won't use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have a different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIPs) to your internal IP. Done!
MrPK: Thank you! I had been trying to use Proxy ARP VIPs for a few days now (thinking that I didn't use CARP, so it wouldn't work). After reading your post I set up my VIPs as CARP interfaces and they all work great! Thanks for the tip.
Cheers,
AR
-
Use CARP! Even if you won't use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have a different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIPs) to your internal IP. Done!
Just wanted to say THANK YOU… No matter how much I read, I could not figure this out until I saw this post... I have two public IPs I needed bound up to the external interface on my pfSense box, and two servers sitting on private LAN IPs on the backside... Didn't want to play around with CARP (haven't had time to sit down and really understand it) but your suggestions worked EXACTLY how I wanted them to!
Thanks again!
-
Perhaps I am missing something, because I don't understand why you would use CARP here. There appears to be no sharing/load balancing/failover involved.
This should work fine without CARP if you use 1:1 NAT instead of port forwarding.
Denny
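For readers comparing the two approaches in this thread (the original poster's port forward and Denny's 1:1 NAT), here is the pf rule set each one resolves to underneath the pfSense GUI. This is an added example, not from the thread or from pfSense's generated ruleset; the interface name and the 203.0.113.x addresses are constructed placeholders for the poster's xxx.xxx.xxx.9/27 and xxx.xxx.xxx.10. Note that neither rule makes the firewall answer ARP for the extra address; that is what the Proxy ARP or CARP VIP does, and a CARP VIP additionally makes the address a real interface address that services on the firewall itself can bind to (the point raised later in the thread).

```pf
# Added example, not pfSense's own generated rules.
ext_if = "em0"            # assumed WAN interface name
wan_ip = "203.0.113.9"    # placeholder for xxx.xxx.xxx.9, carried as /27 on the WAN interface
vip    = "203.0.113.10"   # placeholder for the extra public address (the VIP)
web    = "192.168.1.89"   # internal web server from the thread

# Option A: port forward ("Port forwarding" in the GUI).
# Only TCP/80 arriving at the VIP is translated; any other port on the VIP
# is left alone, so the LAN host is exposed on exactly one service.
rdr on $ext_if proto tcp from any to $vip port 80 -> $web port 80

# Option B: 1:1 NAT (Denny's suggestion), a bidirectional mapping.
# Inbound traffic to the VIP reaches the web server on every port, and the
# server's outbound traffic leaves with the VIP as its source address.
# Use A or B for a given host, not both.
binat on $ext_if from $web to any -> $vip

# Translation happens before filtering, so the pass rule matches the
# translated (internal) destination. This is what the "auto add rule"
# checkbox in the thread creates. With binat, scope it to the published
# port(s): otherwise every port on the LAN host is reachable from the WAN.
pass in quick on $ext_if proto tcp from any to $web port 80 flags S/SA keep state
```

To confirm what the GUI actually loaded, `pfctl -sn` lists the active rdr/binat entries and `pfctl -sr` the filter rules; if the VIP shows up in neither, the NAT entry was saved but not applied. The trade-off between A and B is exposure: port forwarding exposes one port, 1:1 NAT exposes the whole host unless the filter rule is restricted.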
-
Daemons cannot bind to proxy-arp type IPs. CARP allows daemons to bind and fixes a number of issues.
-
Daemons cannot bind to proxy-arp type IPs. CARP allows daemons to bind and fixes a number of issues.
Wouldn't the binding issue only apply if the web server were running on the firewall itself? I understood the web server to be in the LAN segment.
Btw, what additional issues would CARP help with?
Denny
-
Use CARP! Even if you won't use the CARP capabilities, this works fine for me. You must enter some VIP Password (any you like, you won't need it anyway). Every Virtual IP must have a different VHID Group. Leave Advertising Frequency on 0. When you're done go to NAT, use "Port forwarding", map your external IP (VIPs) to your internal IP. Done!
Thank you, MrPK. This solution solved my problems.
Just want to know what the difference is between CARP and Other in the NAT 1:1 setting.
Please advise me. Thank you in advance.