Multiple WAN with Static IPs DHCP assigned from ISP
-
@SteveITS
Yes they are all on the same subnet.
-
We might assume then that you need to utilize these addresses on client devices behind your firewall?
What make and model of modem?
-
@chpalmer
Yes, I need to use them as multiple gateways as well as to associate them with multiple services behind my firewall.
Not sure what the manufacturer of the modem is, but it is in passthrough mode.
-
@frankyd3325 said in Multiple WAN with Static IPs DHCP assigned from ISP:
Not sure what the manufacturer of the Modem, but it is in passthrough mode.
I am curious if it could handle VLAN tagging..
Is this a cable ISP? DSL? etc..
-
@chpalmer
Fiber
-
My SWAG is that you should be able to create several VLANs and point them to the same interface. If nobody comes along with a better idea it might be worth trying just to see if it works.
-
@chpalmer
I will contact my ISP to see if they can set up VLAN tagging and get back to this stream.
Thank you so much for your time, I greatly appreciate it.
Let's hope this works.
Cheers
-
If VLAN Tagging is not an option is there any other option for 5 external IPs for my pfSense?
-
The Vendor is saying he doesn't know what VLAN tagging is and he just wants to see 5 MACs from 1 cable (The 10 Gbps cable).
Is there another option in case our session next week doesn't work (meaning he can figure out how to make their modem VLAN tag)?
Thank you anyone/everyone
Cheers
-
@frankyd3325 Is virtualization of pfsense not an option for you? If the machine you run pfsense on right now can support it, I'd say it's your cheapest option. Then a dual port 10G NIC will give you 5x WAN (virtualized with individual MAC's) and 10G LAN which can also run virtualized to support other servers running on Proxmox on 10G on the LAN side.
Otherwise I think you are looking at upgrading your existing setup to a 10G version of it... Given that your ISP is expecting to see 5 different MAC addresses in order to be able to deliver your IPs. And unfortunately using VLANs doesn't give you the ability to present more than the MAC of the parent interface.
Your setup will also depend on what you want to achieve with the upgrade to 3Gbit from your ISP? Are you going to get 3Gbit shared between the 5 addresses or do you get 5 x 3 Gbit? If it's the latter, and you want to make use of all that bandwidth, you will need to upgrade on your LAN side as well. Meaning switches and NIC's on servers/devices, at least to something like 2.5 Gbit which is starting to look quite ok from a price perspective.
-
@Gblenn
What kind of performance loss is there with virtualization... either Proxmox or VMware ESXi?
Performance as in network activity and overall performance (VPN/encryption/total network traffic and flow)?
P.S. 3 Gbps total, not 3 for each of the 5 IPs for a total of 15 (That'd be nice, but no).
Virtualization I would consider, just curious/scared about performance loss as we have 25-plus VLANs with all traffic going through the pfSense, so total bandwidth and performance is a concern, as well as all the VPN connections from clients and servers (Site-to-Site).
Will virtualization take a hit in performance and bandwidth throughput?
I know VMware very well and I've heard a lot of good things about Proxmox; is one better than the other for all-out performance?
I am just concerned that putting a virtualization solution on bare metal for only 1 VM will be a performance loss... any opinions?
Again, thank you for all your help/advice
Thank You
-
@frankyd3325 I guess it depends on the HW you are using, but I would imagine you should have no trouble reaching 3Gbit at least. Now, unless you do upgrade your LAN side as well, that won't matter all that much since you will be limited to 1Gig on that side anyway...
I'm using Proxmox myself and have tested virtualized NICs for pfsense but that was before I got my 10Gig connection. I had no trouble at all achieving 1Gig (950 roughly) however and I don't think there is all that much overhead being added by the hypervisor.
It's one of those things where they really spent time and effort in optimizing things. Same thing goes for the CPU... I'm currently getting up to and above 8 Gig on Speedtest with Suricata enabled (legacy mode though).
I do have my NICs passed through to pfsense though...
I have no idea which one of Proxmox and VMware is best, I have been using Proxmox only. I assume they are pretty much on par, but I wouldn't know how to configure VMware. I suppose you would be able to get help in the virtualization section of this forum though.
-
this may be an odd question but.....
What about setting 2 pfSense boxes....The main box with all the required NICS and VLAN and rules and all configs......
Then 1 WAN 10 Gbps NIC.....
Going to a box with 2 10 Gbps NIC LAN/WAN setup in Bridge mode.....
WAN Nic going to ISP modem and internal LAN NIC split 5 ways to 5 VLAN going to the WAN NIC on the main pfSense and its 5 gateways and would that pass all 5 gateway MACs through the bridge pfsense to the ISP Modem ?
this may be a late evening idea, but maybe it could work....
Ideas / opinions ???
Thank You
-
@frankyd3325 said in Multiple WAN with Static IPs DHCP assigned from ISP:
The main box with all the required NICS and VLAN and rules and all configs......
Unless this box is upgraded to 2.5 or 10 Gbit NICs, you will never get the throughput you pay for after upgrading to 3 Gbit.
The only way to get more speed through each gateway would be to either have 5 NICs with 2.5 or 10 Gig, or virtualized 10G as suggested. Virtualizing will most likely give you 3 Gigabit or close to it, depending on HW.
If you upgrade all the NIC's, you also need to upgrade the switch in that solution. All in all it will be quite costly I think, even if you stop at 2.5 Gigabit. Why not try out virtualizing and see what performance you get.
WAN Nic going to ISP modem and internal LAN NIC split 5 ways to 5 VLAN going to the WAN NIC on the main pfSense and its 5 gateways and would that pass all 5 gateway MACs through the bridge pfsense to the ISP Modem ?
It wouldn't, since multiple VLAN's on the same parent interface still means only one single MAC.
Also, just realized another thing... as it's come up in another thread...
Since all your IP's are the same subnet, they all share the same gateway at your ISP. This will not work since each of your WANs need a different gateway. I'm not sure how to resolve that part actually but some thoughts that involve a bit of tinkering with firewall rules, gateway monitoring and outbound NAT rules...
-
@Gblenn said in Multiple WAN with Static IPs DHCP assigned from ISP:
@frankyd3325 said in Multiple WAN with Static IPs DHCP assigned from ISP:
Also, just realized another thing... as it's come up in another thread...
Since all your IP's are the same subnet, they all share the same gateway at your ISP. This will not work since each of your WANs need a different gateway. I'm not sure how to resolve that part actually but some thoughts that involve a bit of tinkering with firewall rules, gateway monitoring and outbound NAT rules...
This would only be true if they were trying to utilize multiWAN failover or load balancing..
1:1 NAT should work fine, which I believe is the intent here.
-
Currently on my pfSense (Building a new one for 10 Gbps)
But on my current setup, I have 5 NICs (1Gbps) going into a dumb switch, then that switch going to ISP modem.
That way the modem can see all 5 MAC addresses on each of my gateways and with my ISP's DHCP assigned static IP, works great.
Yes I could reproduce that for 10 Gbps... but then I need a quad 10Gbps NIC plus another 1 x 10 Gbps NIC and a dumb switch that has minimum 6 ports all at 10 Gbps and well, that's over 1000$.
That is why I am trying to find another way and save 1000$ LOL (I'm funny that way... and poor).
It's just how to pass all 5 MACs to my ISP so it can assign my static IP.
I thought I was on my way with the VLAN tagging idea (see previous posts above) but the expert at my ISP who has many, many years of experience doesn't know what VLAN tagging is so I am still investigating as I don't know if that is an option with my ISP.
-
@chpalmer said in Multiple WAN with Static IPs DHCP assigned from ISP:
This would only be true if they were trying to utilize multiWAN failover or load balancing..
1:1 NAT should work fine, which I believe is the intent here.
Ok, so then there are no other steps necessary than getting things upgraded to 10Gig...