Router setup for weirdos like me
-
I struggle a bit, because I heavily use public static IP-addresses given to me by my ISP. Let's say I have gotten 255 public static IP-addresses (a /24) assigned to a line provided to me by my ISP in the data center. I can just plug a single server (or whatever) into the network cable, take one of these static IPs on it and have internet in/out in seconds.
What is the general way to do this? I always have to "fight" different router and firewall vendors and can't use such a simple setup out of the box. Why is this? I had a Fortiguard firewall before, that had "transparent firewall" where it all worked out of the box - now the price is like 4000 euro for one and you need an expensive subscription to get updates (so it is cheaper to buy a new box each year..).
Let us say you have a range 77.30.1.1-77.30.1.254 of IP-addresses available on the WAN-side (of a router or firewall) from the ISP at the data center. Inside your network LAN, maybe you have 200 virtual machines (on different hypervisors or servers) that you want to deliver/assign public IPs to. Yes, I could have only local DHCP-IPs on the LAN side giving each VM a 192.168.1.44 IP - and then add a NAT-rule for 77.30.1.44->192.168.1.44. But then I would need to type that line maybe 200 times. And it will be Public IP->Router/FW->Local IP->Public IP translation for NAT.
Keep in mind that 99% of the servers/equipment are public webservers and mailservers. If I had 200 internal servers and only 3 public webservers, what I do would not make much sense.
In one situation, my ISP provided me with what they called a "transport layer", where I got a small /26 subnet on the WAN side and could use the public /24 range IPs on the LAN-side (with all equipment using the local router as gw). Then I could use a traditional setup with all features. Is there a way to "fake" this even in those cases where I haven't been assigned this transport-network by my ISP, to be able to use most commercial routers/firewalls more easily without having to think about bridges/transparent firewall-issues?
What if I just used a 10.10.0.1 IP on the WAN side, pointing to the gw of my ISP? Or does it need some technical setup by my ISP to "connect" it?
My main goal with the router/fw is to filter IP-addresses/ports and also some port isolation. No VLAN used.
-
@fireix said in Router setup for weirdos like me:
If I had 200 internal servers
Let's forget IPs here - if you want to NAT, use 1:1 - you don't have to clicky click through 200 setups.
Or sure, route your /24..
I'm just curious what box you're going to run that would be able to handle the bandwidth that 200 some servers are going to use.. Are they all sharing 1 gig?
So even if you just set up a bridge and did a transparent L2 firewall - I am curious how you're going to deal with 200 some servers' bandwidth, limited down when you run all their traffic through pfSense? You're going to have 1 WAN physical interface at what speed? 1, 10, 25, 40??
-
@fireix Usually the public subnet is much smaller than a /26, like a /29, since you only need a handful of addresses...WAN, WAN gateway, and maybe two more if using HA/CARP. But whatever works... :)
If your WAN is an IP in the /26 then your LAN subnet can be the /24 and all your servers get a public IP address. pfSense "knows" how to route that and you can set up firewall rules to control traffic. NAT is not used in this scenario.
If you don't want to use their /26 then 1:1 NAT would forward traffic to the private LAN IPs.
I suppose whether a 10.x.x.x subnet will work depends on your ISP, they may not route private IPs on their network. I have actually seen ISPs that do that on their own network to save IPs, it just means people can't use the same subnet on their LAN.
-
Your ISP is @large with allocations.
Use the /26 on your WAN and the /24 on your LAN.
Normal routing here, nothing fancy. No NAT, no bridging, nothing special.
Use DHCP on your LAN and distribute IPs with static allocations if you want to keep everything in one. All filtering can be done on pf WAN, even though this won't be the case if this is a hosting env.
Having said that, if your public facing hosts are also prone to attack each other behind your firewall, then you also need to segment your internal public zone.
-
So sorry guys, I didn't mean /26 for the "transport network". I meant /29, I only have 5-6 IPs as a "solution". I have a business where I run pfSense with this setup. For 12+ years or so, I used Fortigate/Fortinet firewalls, but have been using pfSense for maybe the last 6 years (with transparent setup/bridge - it worked, until some problems appeared and people suggested to just use pfSense with a transport layer /29 on the WAN-side to solve it). With 3 years on this special solution with transport network /29 on the WAN-side and /24 on the LAN-side, it has given me pretty good uptime.
Yes, a 1 gig line is more than powerful enough, actually using around 10-30% of that at max :) We are talking webservers, wordpress-sites, some non-cloud software and nothing super crazy. Trustworthy servers/clients with a software fw on each device (and I have access to them all) - with IDS software to help detect any unwanted activity and usually Configserver or similar with a strict setup on each. This way, I haven't needed to learn subnetting or routing, only the fun parts, and licenses would work well on the cpanel/wordpress servers that bind to the IP (maybe it would work with NAT and having local IPs on them - but I suspect it would mean a lot more work). I would never have started this business if it wasn't for Fortinet and their simple transparent fw, big learning curve :)
So that's the history. You might ask why I'm not an expert network person after all these years, but the truth is that it started as a side business and I just learned whatever I could to keep me afloat - and no time to really learn it from the ground up - and I still find networking outside my scope super hard. I meet myself in the door now that I have a 2nd location with backup gear and some other stuff. There is a limitation on power (expensive), so I can't have a full blown setup with devices (have a Mikrotik now) and I try to keep the number of units down. I need to have VMs that can be spun up and get a static IP with their own public IP as outgoing.
I don't have a /26 on my WAN available, at best I can ask for a /29 (I do have the /24 just as now for both WAN/LAN, but I guess I can't have that same network on both sides with normal routers as it would work against how routers/most fw work). But there isn't a way I can have a self-made local IP on the WAN-side I guess? ;) I was hoping it was enough that it had a gw to the ISP, that I could just enter their upstream gw. I need my ISP to somehow "put" an extra/different network on my line? It is also part of the story that I get two network plugs from them (redundancy), where they switch traffic for me if one of their switches goes down.
So your recommended solution: Ask my host on the backup-site for a dedicated /29 (transport network just for "show"), put that on the WAN-interface and use my /24 public static IPs on the inside. Then set up full NAT and it should automatically route this out with their public static IP. That should be the universal/best solution for all kinds of routers/fw?
-
@steveits said in Router setup for weirdos like me:
I suppose whether a 10.x.x.x subnet will work depends on your ISP, they may not route private IPs on their network. I have actually seen ISPs that do that on their own network to save IPs, it just means people can't use the same subnet on their LAN.
Ok, so maybe an option if they allow. Anyway, I would need their permission/setup, it wouldn't work for me to just create a 10.x private on the WAN just to "fool" the router/fw to allow me to use my /24 public network inside. Thanks :)
-
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public facing services from another location? NAT is the last of your worries in any case.
-
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
-
@fireix said in Router setup for weirdos like me:
I always have to "fight" different router and firewall vendors and can't use such a simple setup out of the box. Why is this?
Because you have an interface subnet not a proper transport network with the subnet routed to you there.
-
@netblues said in Router setup for weirdos like me:
@fireix I'm totally confused.
You used to have Fortigate, then you switched to pfSense and now you need a second backup site to host the same public facing services from another location? NAT is the last of your worries in any case.
Sorry to confuse you :) No, it is not the exact same services, it has a different purpose - but it is similar in setup to what I have been doing for years (similar in the way that I mostly have public servers and no private-ip-space). I have an OK setup today, but I would like an easier solution for this new site since I need to set up this site from scratch. I would like to simplify it compared to the Fortinet/pfSense-solution I have been running so far.
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ask my host on backup-site for a dedicated /29 transport network
Yes that is by far the simplest (and best) solution if you can get it. And you really should be able to in a data center. Just have them route the /24 to you and you can use that directly on the LAN. No NAT required.
Steve
Yeah, that's what I basically have now, they publish the IP to the two network ports they have made available. So I can plug that cable into a switch and live well. But I do want a firewall (filter on IP-address and ports). In most cases, they seem to want me to have a different network on each side (except "transparent" Fortigate appliances - and even pfSense when configured with a bridge and by disabling NAT, just a bit more complicated for me).
-
@fireix Why do you think you can’t have firewall rules? Allow from any to LANIP:443 etc.
Routers need different networks on interfaces so they know where to route. :) Bridges don’t route.
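As an added illustration of the two points made in this thread (a router needs distinct subnets on WAN and LAN, and 1:1 NAT of a whole prefix is one rule, not 200), here is a small Python model using the standard `ipaddress` module; it is not code from the thread or from pfSense, and the /29 transport prefix 203.0.113.0/29 is a constructed placeholder, while 77.30.1.0/24 and 192.168.1.44 are the thread's own example addresses.

```python
"""Model the address plans discussed in the thread (added example)."""
import ipaddress


def plan_routed(wan_cidr: str, lan_cidr: str) -> dict:
    """Validate a routed plan: transport subnet on WAN, routed prefix on LAN.

    Raises ValueError when the two interface subnets overlap, which is the
    'same /24 on both WAN and LAN' case that a normal router rejects, because
    it could not decide which interface a destination belongs to.
    """
    wan = ipaddress.ip_network(wan_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    if wan.overlaps(lan):
        raise ValueError(f"WAN {wan} and LAN {lan} overlap; router cannot route")
    # A /29 transport gives 6 usable hosts: ISP gateway, firewall WAN address,
    # and a few spares (e.g. for HA/CARP), as described above.
    return {
        "wan_usable": [str(h) for h in wan.hosts()],
        "lan_hosts": lan.num_addresses - 2,  # minus network and broadcast
    }


def binat_map(public_cidr: str, private_cidr: str, host: str) -> str:
    """1:1 NAT of a whole prefix (pfSense calls this a 1:1 / BINAT mapping).

    One rule covers the pair of equal-size networks; each public host maps to
    the private address with the same host offset. Returns that private address.
    """
    pub = ipaddress.ip_network(public_cidr, strict=True)
    priv = ipaddress.ip_network(private_cidr, strict=True)
    if pub.prefixlen != priv.prefixlen:
        raise ValueError("1:1 NAT needs equal-size networks")
    h = ipaddress.ip_address(host)
    if h not in pub:
        raise ValueError(f"{h} is not in {pub}")
    offset = int(h) - int(pub.network_address)
    return str(priv.network_address + offset)


if __name__ == "__main__":
    # Constructed transport /29 on WAN, the thread's /24 routed to LAN.
    print(plan_routed("203.0.113.0/29", "77.30.1.0/24"))
    # The thread's example: 77.30.1.44 -> 192.168.1.44 via one 1:1 rule.
    print(binat_map("77.30.1.0/24", "192.168.1.0/24", "77.30.1.44"))
```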
-
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
they publish the IP to the two network ports they have made available.
That's not the same as routing it to you via a transport subnet/IP which is what you should be asking for.
Ok, so you mean that it is the best solution? It is what I have at my original place. Just wondered if there is a way to do it without asking for more IP-ranges. And why do only devices like Fortigate provide this kind of mode.. Seems like Sophos also has it documented. I have this limited separation need, would love to just put the device into the WAN->LAN and have it behave as a fw instead of having to do hacks and tricks ;) Just power on, choose the firewall rules on IP and tcp/udp-ports and run. Right now, I have tried for hours to put a Unify USGX Pro into a line just to add some protection, but instead I'm having to learn so much. It is always a detail I miss, like sometimes hidden nat-rules are added - or special things needed for each different vendor.
-
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to, it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
-
@stephenw10 said in Router setup for weirdos like me:
@fireix said in Router setup for weirdos like me:
Ok, so you mean that it is the best solution?
That's what I would choose over anything else if it's available.
You absolutely can configure pfSense as a transparent firewall if you need to, it just requires some care. There is no 'transparent mode' button. It's easy to lock yourself out of the firewall if you don't have a separate management interface.
Steve
Having a separate IPMI-network comes in handy in those situations :)
For not-that-technical users, I would think it would be a very welcome thing to have an easy method to enable a transparent fw. But having tons of public webservers is maybe not exactly what the average user does.
Thanks for your help and advice :)