Using Public IPs on LAN



  • Hi people.. I have a really interesting problem. I tried so many way to solve this problem but I couldn't.. I use Pfsense firewall on my network. It works fine. Now we are trying to build a datacenter and i chose pfsense again. But I can't setup it:(

    Firstly I want to give some information about my topology. I have so many public IPs and I want to use them in my LAN. So I don't want to use local private Ips.

    I have a Public IP network 94.0.88.208/29 connected to the WAN port of Pfsense. And 94.0.128.1/24 Connected to the LAN port of Pfsense. I want to use 94.0.128.1/24 pool for my servers in LAN and want to that my customers can reach them with this IP addresses
      It works but people can't reach my lan from wan. I research something on the internet found these ;

    ""If you're using public IP's on your LAN, or need to disable NAT for some other reason, enable advanced outbound NAT, under Firewall -> NAT, Outbound tab."""

    ""You need to disable NAT to use a public IP subnet on the LAN. Just enable Advanced Outbound NAT, and remove the automatically generated NAT rule to accomplish this. """ <–- and found this on doc.pfsense.org

    But I tried all of these.. but still doesnt work..  My servers using Public 94.0.128.1/24 IPs on Lan but can't ping them from WAN.
    I think I don't need to use NAT or some virtual Ip etc. Because I have enough public IP and I want to use them.  I tried every NAT combination with full in/out pass firewall rules.. But still can't reach.  Traceroutes can only reach 94.0.88.210 WAN port of pfsense.. and then it says reached firewall so timed out. I really don't know what can i do for this..  Can anybody help me please?



  • Keep in mind that even when disabling NAT, pfsense is still a firewall.  Unless you put specific rules on the WAN interface to allow inbound traffic, it won't work.



  • I did set some rules for inbound  Lan to wan and wan to lan * * * * all pass.  are there any thing else  that i may forget?  if disabling nat and setting rules right it should work?



  • Oh, sorry, I misread.  So, you have a /29 for WAN, of which 210 is the pfsense?  Note that your subnet is not 94.0.128.1/24, it is 94.0.128.0/24, with the pfsense LAN interface having address 1.  That said, are you sure you have default routes on the various LAN hosts pointing at the 94.0.128.1 IP?  What happens if you run a packet trace on a LAN host when you try to connect?



  • Let me tell you every thing about this topology.

    1-  Cisco Router
          Public IP 94.0.88.214
    –------------------------------
      2-  Pfsense Firewall
          WAN port 94.0.88.210
          WAN GW  94.0.88.214
          LAN  port 94.0.128.1

    3-  Server 1
          IP : 94.0.128.5
          GW: 94.0.128.1

    4-  Server 2
          IP : 94.0.128.6
          GW: 94.0.128.1

    ....

    And Pfsense  LAN and WAN rules are all * * * * traffic pass.
    Advanced Settings .Disable NAT Reflection    Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports.  <-- this settings box is checked.

    and Advanced outbound NAT  AON selected. and all NAT rules removed.  Im pinging server 2 from wan.. but can't reach...  I can reach Pfsense wan port IP 94.0.88.210 from WAN  but  i can't reach LAN port and Ip of pfsense...



  • You said earlier 'it works', which I take to mean hosts on the LAN can reach outside sites?  If so, when you try to connect  to an inside site, does anything show up in the pfsense filter log?  blocked packets that is?



  • The hosts on Lan can't reach internet after disabled nat. If nat is enable hosts can reach outside. I didn't check filter logs. I will check it for some rule problem but I added a rule on LAN tab of pfsense panel.  Source WAN protocol port etc any. target LAN pass,  source lan protocol port etc any target LAN pass.  And Added to WAN tab too Source wan protocol port etc any to LAN.



  • Did you clear the state table after making these changes?  Reboot is probably a good idea too.  It would be helpful to post the actual rules rather than describe them.



  • it is really interesting with this configuration. I can't ping 95.0.128.5 from pfsense shell. But i can ping pfsense lan interface 95.0.128.1 from  95.0.128.5's shell.  This may be my problem. But I don't know why.. I think I checked all rules. couldn't see anything …



  • Does the cisco router know that 94.0.128.0/24 network should be routed to the WAN address of pfSense (94.0.88.210) ?



  • I assume so, or the traceroute would not have stopped at the WAN port.  also, as i said, you can post the actual rules?  not what you think you are doing…



  • I'm sure I have no problem at router side of the system. Because It works without pfsense.  Also pfsense work as well when NAT is ENABLE!. I have two rules on Each interface. First WAN interface rule:  Interface : WAN,  Source : Any,  Dest : Any, Proto : Any, Action : PASS.
    Second WAN interface rule :  Interface WAN,  Source WAN Address, Dest : LAN addresss, Proto : any , Action : PASS.

    First LAN interface rule :  is default  source LAN subnet  dest internet action PASS  <– this rule generated automatically.
    I added second one to the LAN interface :  interface LAN , source : any,  Dest : any, Proto : any, action : PASS.

    These are my rule settings.
    And AON selected on NAT TAB and all automatically generated NAT rules has removed. <-- FAQ on Pfsense docs page.
    All other settings are default.  The clients reach internet only When NAT Enable. they reach but with not thair public ips..
    when you disable the nat  the clients can't reach internret. Let me tell you something about tracerouting. When i try traceroute from WAN to LAN  the packets can reach only the wan port of firewall not more.  When i try traceroute from LAN to WAN the packets only reach WAN port of the firewall again.  and there are something interesting ..  I can ping LAN port of Pfsense from a inside server. But Pfsense can't ping same server from its lan interface. I can ping pfsense WAN port from lan server  but I can't ping Cisco router ..

    I also tried some other ways  .. I cleaned up the state table. tried some static route tried all possible rule combinations. are you sure that pfsense supports this task?  or What should i set more. thank you



  • The CISCO router is probably doing ARP queries for 94.0.128.0/24 network on it's own LAN interface, that's why it works without pfSense in the mix. You'll probably have to change the CISCO configuration to forward 94.0.128.0/24 to pfSense's WAN address.



  • Hmm, I had assumed he was routing that /24 already.  Is that the case?



  • Cisco router is only routing  default 0.0.0.0 to 212.156.88.1(WAN side IP of Cisco MetroEthernet)  do i need to add  source 94.0.128.0/24 to GW 94.0.88.210(WAN of pfsense.) to the cisco router?



  • Yes, otherwise it has no idea where to send packets for the subnet.


Locked