Help with Multiple WAN IPs and vLANs
-
Hi All,
I want to host a server from home with DNS etc... I've had my ISP assign me a /29, which I've added to the Virtual IPs. What I don't understand is how this works on the network. For example...
I know that, as it's an external IP, I open ports to each IP by port forwarding. However, what I don't understand is which vLAN it's allocated to.
I have multiple vLANs and I want to be sure if this server was compromised it's locked out from the rest of the network.
So do I create a whole new vLAN and assign the port on the switch to that vLAN and it's as simple as that? If so, when creating the vLAN in pfSense do I assign the vLAN to the WAN interface or the LAN interface like the other vLANs?
Thanks for the help, it's just a new venture so I'm a little confused about the setup.
-
@dwren78 Your WAN address is part of this /29 ?
If it is you'd need to do a 1:1 NAT.
https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
-
Hey, no I have a main IP from BT (I have FTTP if that matters) and an additional /29.
Just not entirely sure the best way to go about it.
Thanks.
-
@dwren78
The virtual public IPs are not allocated to any vLAN. You assign them to the WAN interface and can use them in port forwarding rules or on pfSense itself to provide services like OpenVPN. Port forwarding also has nothing to do with vLAN separation. You can allow each vLAN access to other internal subnets or even only to the internet.
-
Hi Guys,
I managed to get this working by doing the following:
In "Firewall > Virtual IPs" I added the /29 as a single block rather than one entry for each IP and selected "Other" for "Type".
Created a new vLAN for the new server
In "Firewall > NAT > Outbound" I created 2 sets of rules. Firstly, a rule for each specific vLAN I wanted to use a specific external IP (because, something BT don't tell you, you lose your original single static IP that comes with your connection when you purchase another block). So that took care of the new static IP.
Then I created another rule for each remaining static IP, from Source IP (external) to Translate to the same IP. Then whichever IP I assign to a device on that vLAN, it will use that one.
Next, in "Firewall > NAT > Port Forward" I opened the ports for incoming.
And Lastly, in the vLAN Firewall Rules I opened the traffic outbound.
It appears to be working, as I've kept my NAT on each vLAN with an external static IP, and the other vLAN for the server is using the external IPs.
-
If the /29 is routed to you, you can use it directly on an internal interface. All the IPs would then be on that interface.
https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#small-wan-ip-subnet-with-larger-lan-ip-subnet
If they are just additional IPs on the WAN then you would need to use port forwards or 1:1 NAT. In that case the IP you are forwarding traffic to would determine which interface/subnet it is.
Steve
-
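Editor's note (added example, not part of any post in this thread): the NAT layout Steve describes above, which is also what the poster's solution steps build in the GUI, can be written out as the equivalent pf.conf rules so the pieces are visible in one place: the outbound NAT that makes the server VLAN egress as its own public address, the port forward (an rdr rule) that brings 80/443 in, and the VLAN filter rules that actually deliver the isolation asked for in the first post. Interface names, the 10.30.0.0/24 server VLAN and the 203.0.113.8/29 block (an RFC 5737 documentation range standing in for the real /29) are all assumptions. It also assumes the upstream delivers traffic for the /29 to the WAN address, which is what a Virtual IP of type "Other" relies on, because that type does not answer ARP; if the ISP instead expects each address to be ARPed for on the WAN segment, the VIPs would need to be IP Alias or Proxy ARP type. In the routed layout Steve mentions the /29 would sit on the VLAN interface itself and neither the nat nor the rdr line would be needed.

```pf
# Editor's example in pf.conf syntax (FreeBSD pf, as used by pfSense).
# Assumed names/addresses: igb0 = WAN, igb0.30 = VLAN 30 (server VLAN),
# 203.0.113.8/29 = the ISP's /29 (documentation range, not a real block).
ext_if   = "igb0"
srv_if   = "igb0.30"
srv_net  = "10.30.0.0/24"
srv_host = "10.30.0.10"
pub_srv  = "203.0.113.10"   # one address from the /29, dedicated to the server VLAN

# Every other internal subnet the server VLAN must not reach if it is compromised
table <internal> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Translation (GUI: Firewall > NAT > Outbound and > Port Forward) ---
# Outbound NAT: the server VLAN leaves as its own public address, not the WAN's
# main address (in the GUI this needs Hybrid or Manual outbound NAT mode).
nat on $ext_if inet from $srv_net to any -> $pub_srv
# Port forward: inbound 80/443 to the public address is rewritten to the server.
rdr on $ext_if inet proto tcp from any to $pub_srv port { 80, 443 } -> $srv_host

# --- Filtering (GUI: Firewall > Rules, per interface) ---
# WAN: rdr has already rewritten the destination, so the pass rule names the
# internal host, not the public address.
pass in quick on $ext_if inet proto tcp from any to $srv_host port { 80, 443 } keep state

# Server VLAN: let the server use pfSense itself for DNS/NTP, then drop anything
# aimed at other internal networks, then allow the rest (i.e. the internet).
# Rule order matters: "quick" stops at the first match.
pass in quick on $srv_if inet proto { tcp, udp } from $srv_net to ($srv_if) port { 53, 123 } keep state
block in quick on $srv_if inet from $srv_net to <internal>
pass in quick on $srv_if inet from $srv_net to any keep state
```

The "block to <internal>" line is the part the thread's solution does not spell out: opening the VLAN's outbound traffic with a single allow-any rule lets a compromised server reach every other VLAN, so the reject for RFC 1918 destinations has to sit above it. The same pattern (one nat line per VLAN with its own source network and public address) reproduces the poster's "rule for each specific vLAN" step.
-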
Whilst I'm not entirely sure of the difference between them being routed to me and additional IPs, I do think they are additional IPs, as I have a main IP and then a /29 block.
It also sounds like what I have done is the NAT scenario you mentioned as it's working and I need to use Port Forwarding to open the ports and the Outbound NAT to specify the IPs.
-
Nothing wrong with doing that. If it's working as required then you're good!
Steve
-
Cheers pal, it's nice to get confirmation I'm not doing anything wrong that might make it insecure or something else :)