How to route multiple public IPs?
-
Let's imagine we have leased the imaginary 223.122.15.33/27 subnet from an ISP. (FYI, this imaginary subnet ranges from 223.122.15.33 to 223.122.15.62)
Imagine we have a bunch of servers to each of which we'd like to assign a public IP from our designated subnet.
If we were in charge, you would create virtual IPs for each server and put them behind NAT, but we are not in charge, someone else is, and they want what they want.
223.122.15.33 is ISP's router's IP address, and 223.122.15.34 belongs to the pfSense box.
How would you configure the router to make this work seamlessly? Would you bridge two interfaces or go for another solution?
-
@scilek said in How to route multiple public IPs?:
How would you configure the router to make this work seamlessly?
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
Keep in mind there is a difference between a network being routed to you, ie your /27 and being directly attached to this /27 - if its routed to you what you ask is simple - see the above link.
if your directly attached, the solution would be either to bridge this network through to the devices you put on the /27 or nat them..
-
The network is definitely routed; most probably connected to the ISP switch along with the ISP router. This is a datacentre.
What was asked of me was to put pfSense in between the servers and the ISP router so that:
- traffic could be logged
- there is some sort of control over the access to the servers.
And the solution was obvious: a routing bridge.
But I did not know how to make that happen until now. You edit two values in the System->Advanced section:
net.link.bridge.pfil_member -> 0 net.link.bridge.pfil_bridge -> 1It worked. Thank you very much.
-
@scilek said in How to route multiple public IPs?:
And the solution was obvious: a routing bridge.
You mean a transparent firewall - sure you could do that but if its routed I would actually route it, just create allow rules and log them..
-
@johnpoz said in How to route multiple public IPs?:
You mean a transparent firewall
OK, "a transparent firewall" it is.
if its routed I would actually route it, just create allow rules and log them..
And that's what I've done, a first for me.
-
Couldn't you also do this with some custom specific need outbound NAT(s)
-
I told them it would be a safer practice to create a virtual IP for each server behind the firewall and NAT them, but they said they wanted it their way.
He who pays the piper calls the tune.
-
I was thinking everything had all turned out to be great in the end. But yesterday, the owner of the said router placed a complaint to the ISP that they occasionally lost connectivity to his router (and the machines behind it) and today the ISP replied along with some unnerving information.
Apparently the reason why the owner lost connection was that the port the pfSense router was connected to on the ISP switch would occasionally get turned off to mitigate an "unknown storm". They don't know what it is exactly, but were kind enough to attach a screenshot:
I don't know what make/model this switch is. Could pfSense be causing this? What can I do about it?
-
@scilek coudl be your isp not liking the pings every half second that the monitor does??
The size is normally set to 0, so it shouldn't be a problem - but that is the first thing that came to mind.. You can adjust the frequency of how often monitor goes out.
You can ask them what is sort sort of traffic would trigger that.. There would be settings on their switch for what is considered a storm.
-
@johnpoz said in How to route multiple public IPs?:
@scilek coudl be your isp not liking the pings every half second that the monitor does??
Oh, yes. That could be the reason. I have been pondering and could not think of anything on pfSense that could be causing the issue. I was thinking it might be one of the servers behind the firewall. I'll check that later at night.
@johnpoz said in How to route multiple public IPs?:
You can ask them what is sort sort of traffic would trigger that.. There would be settings on their switch for what is considered a storm.
That I did, through the owner, I mean. The ISP should provide more specific data before any action is taken. They turned of unicast storm protection on the port, to see if it is a broadcast or multicast storm. We'll see.
-
@scilek well pfsense shouldn't wouldn't be sending any broadcast or multicast.. I would have to assume unicast of some sort, the ping is the only thing I could think.. But sure it could be something behind pfsense causing it, but not broadcast or multicast.
I sure wouldn't consider a ping every 1/2 second a "storm" but maybe they have something in place for number over a period of time sort of thing?
If they were triggering on the pings, that would be a very aggressive storm control..
I would hope as well if they were seeing traffic from your connection that triggered something like that - they should notify you with exact details of the traffic that triggered it - so you could address it. You shouldn't have to contact them on why your connection went out if they are the one that killed your connection.
-
@johnpoz said in How to route multiple public IPs?:
If they were triggering on the pings, that would be a very aggressive storm control..
Right. But this is not the kind of ISP that serves home users. They run datacentres that also provide connectivity to the national ISP's backbone. Considering how tight the security is nowadays, it sounds probable that their device settings might be a bit too sensitive.
-
@scilek 2 pings a second.. That seems pretty freaking insane to me - but sure its possible, and the only thing that comes to mind that pfsense send on its own that is repetitive and constant.
There really should be pretty much zero broadcast or multicast coming off of pfsense.