Using Public IPs on LAN
Hi people. I have a really interesting problem. I tried so many ways to solve this problem but I couldn't. I use a pfSense firewall on my network. It works fine. Now we are trying to build a datacenter and I chose pfSense again. But I can't set it up :(
Firstly I want to give some information about my topology. I have so many public IPs and I want to use them in my LAN. So I don't want to use local private IPs.
I have a public IP network 18.104.22.168/29 connected to the WAN port of pfSense, and 22.214.171.124/24 connected to the LAN port of pfSense. I want to use the 126.96.36.199/24 pool for my servers in the LAN, and I want my customers to be able to reach them with these IP addresses.
It works, but people can't reach my LAN from the WAN. I researched on the internet and found these:
"If you're using public IP's on your LAN, or need to disable NAT for some other reason, enable advanced outbound NAT, under Firewall -> NAT, Outbound tab."
"You need to disable NAT to use a public IP subnet on the LAN. Just enable Advanced Outbound NAT, and remove the automatically generated NAT rule to accomplish this." <-- and I found this on doc.pfsense.org
But I tried all of these, and it still doesn't work. My servers are using public 188.8.131.52/24 IPs on the LAN, but I can't ping them from the WAN.
I think I don't need to use NAT or some virtual IP etc., because I have enough public IPs and I want to use them. I tried every NAT combination with full in/out pass firewall rules, but still can't reach them. Traceroutes can only reach 184.108.40.206, the WAN port of pfSense, and then it says reached firewall, so it times out. I really don't know what I can do about this. Can anybody help me please?
Keep in mind that even when disabling NAT, pfSense is still a firewall. Unless you put specific rules on the WAN interface to allow inbound traffic, it won't work.
I did set some rules for inbound LAN to WAN and WAN to LAN, * * * * all pass. Is there anything else that I may have forgotten? If NAT is disabled and the rules are set right, it should work?
Oh, sorry, I misread. So, you have a /29 for WAN, of which 210 is the pfSense? Note that your subnet is not 220.127.116.11/24, it is 18.104.22.168/24, with the pfSense LAN interface having address 1. That said, are you sure you have default routes on the various LAN hosts pointing at the 22.214.171.124 IP? What happens if you run a packet trace on a LAN host when you try to connect?
Let me tell you everything about this topology.
1- Cisco Router
Public IP 126.96.36.199
2- Pfsense Firewall
WAN port 188.8.131.52
WAN GW 184.108.40.206
LAN port 220.127.116.11
4- Server 2
IP : 18.104.22.168
And Pfsense LAN and WAN rules are all * * * * traffic pass.
Advanced Settings: "Disable NAT Reflection: Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports." <-- this settings box is checked.
And Advanced Outbound NAT (AON) is selected, and all NAT rules are removed. I'm pinging server 2 from the WAN, but can't reach it. I can reach the pfSense WAN port IP 22.214.171.124 from the WAN, but I can't reach the LAN port IP of pfSense.
You said earlier 'it works', which I take to mean hosts on the LAN can reach outside sites? If so, when you try to connect to an inside site, does anything show up in the pfSense filter log? Blocked packets, that is?
The hosts on the LAN can't reach the internet after I disabled NAT. If NAT is enabled, hosts can reach outside. I didn't check the filter logs. I will check them for some rule problem, but I added a rule on the LAN tab of the pfSense panel: Source WAN, protocol, port etc. any, target LAN, pass; Source LAN, protocol, port etc. any, target LAN, pass. And I added to the WAN tab too: Source WAN, protocol, port etc. any, to LAN.
Did you clear the state table after making these changes? Reboot is probably a good idea too. It would be helpful to post the actual rules rather than describe them.
It is really interesting with this configuration. I can't ping 126.96.36.199 from the pfSense shell. But I can ping the pfSense LAN interface 188.8.131.52 from 184.108.40.206's shell. This may be my problem, but I don't know why. I think I checked all the rules; couldn't see anything …
Does the Cisco router know that the 220.127.116.11/24 network should be routed to the WAN address of pfSense (18.104.22.168)?
I assume so, or the traceroute would not have stopped at the WAN port. Also, as I said, can you post the actual rules? Not what you think you are doing…
I'm sure I have no problem on the router side of the system, because it works without pfSense. Also pfSense works as well when NAT is ENABLED! I have two rules on each interface. First WAN interface rule: Interface: WAN, Source: Any, Dest: Any, Proto: Any, Action: PASS.
Second WAN interface rule: Interface: WAN, Source: WAN address, Dest: LAN address, Proto: any, Action: PASS.
First LAN interface rule: the default, Source: LAN subnet, Dest: Internet, Action: PASS <-- this rule was generated automatically.
I added a second one to the LAN interface: Interface: LAN, Source: any, Dest: any, Proto: any, Action: PASS.
These are my rule settings.
And AON is selected on the NAT tab and all automatically generated NAT rules have been removed. <-- FAQ on the pfSense docs page.
All other settings are default. The clients reach the internet only when NAT is enabled. They reach it, but not with their public IPs.
When you disable NAT, the clients can't reach the internet. Let me tell you something about tracerouting. When I try a traceroute from WAN to LAN, the packets can reach only the WAN port of the firewall, not further. When I try a traceroute from LAN to WAN, the packets only reach the WAN port of the firewall again. And there is something interesting: I can ping the LAN port of pfSense from an inside server, but pfSense can't ping the same server from its LAN interface. I can ping the pfSense WAN port from a LAN server, but I can't ping the Cisco router.
I also tried some other ways. I cleaned up the state table, tried some static routes, tried all possible rule combinations. Are you sure that pfSense supports this task? Or what more should I set? Thank you.
The Cisco router is probably doing ARP queries for the 22.214.171.124/24 network on its own LAN interface; that's why it works without pfSense in the mix. You'll probably have to change the Cisco configuration to forward 126.96.36.199/24 to pfSense's WAN address.
Hmm, I had assumed he was routing that /24 already. Is that the case?
The Cisco router is only routing the default 0.0.0.0 to 188.8.131.52 (WAN-side IP of the Cisco MetroEthernet). Do I need to add source 184.108.40.206/24 to GW 220.127.116.11 (WAN of pfSense) to the Cisco router?
Yes, otherwise it has no idea where to send packets for the subnet.
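To make the routing point of the last few replies concrete, here is an added Python model of the Cisco's forwarding decision for a packet addressed to a server behind pfSense. It is example code written for this thread, not configuration from the thread, from pfSense or from Cisco. It uses RFC 5737 documentation addresses in place of the thread's real subnets, and the route table names, the assumed pfSense WAN address and the assumed server address are all constructed. The tables show why the setup worked without pfSense (the /24 was directly connected, so the router ARPed for the server itself), why it fails once pfSense is inserted without a route (the router either ARPs for a host that is now behind pfSense, or sends the packet back upstream on its default route), and why a static route for the /24 pointing at pfSense's WAN address fixes it.

```python
import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges; they stand in
# for the thread's real subnets, which are not reproduced here.
ISP_NEXT_HOP = ipaddress.ip_address("192.0.2.1")         # assumed upstream gateway of the Cisco
TRANSIT_29   = ipaddress.ip_network("198.51.100.0/29")   # /29 shared by the Cisco and pfSense WAN
PFSENSE_WAN  = ipaddress.ip_address("198.51.100.2")      # assumed pfSense WAN address in that /29
SERVER_24    = ipaddress.ip_network("203.0.113.0/24")    # public /24 used on pfSense's LAN, NAT off
SERVER       = ipaddress.ip_address("203.0.113.10")      # assumed address of "Server 2"
DEFAULT      = ipaddress.ip_network("0.0.0.0/0")


def lookup(routes, dst):
    """Longest-prefix match over a list of (network, next_hop) entries.

    A next_hop of None models a directly connected network: the router ARPs
    for the destination on that interface instead of forwarding to a gateway.
    Returns the matching (network, next_hop) pair, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, nh in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forwarding_decision(routes, dst):
    """('connected', network) when the router would ARP for dst on its own
    interface, ('via', next_hop) when it would forward to a gateway, or
    ('drop', None) when it has no route at all."""
    match = lookup(routes, dst)
    if match is None:
        return ("drop", None)
    net, nh = match
    return ("connected", net) if nh is None else ("via", nh)


# Scenario A, "it works without pfSense": the server /24 is on the Cisco's
# LAN interface, so the Cisco ARPs for the server and the server answers.
cisco_without_pfsense = [
    (SERVER_24, None),
    (DEFAULT, ISP_NEXT_HOP),
]

# Scenario B1: pfSense inserted, but the Cisco still carries the /24 as a
# connected network on its LAN interface (the ARP case raised in the thread).
# The Cisco ARPs for the server, but the server now sits behind pfSense and
# never hears the request, so the packet is lost.
cisco_with_pfsense_secondary = [
    (TRANSIT_29, None),
    (SERVER_24, None),
    (DEFAULT, ISP_NEXT_HOP),
]

# Scenario B2: pfSense inserted and the Cisco knows only the connected /29
# plus its default route. The server /24 matches only the default, so the
# packet goes back upstream instead of to pfSense.
cisco_with_pfsense_no_route = [
    (TRANSIT_29, None),
    (DEFAULT, ISP_NEXT_HOP),
]

# Scenario C: the fix the thread arrives at, a static route for the server
# /24 with pfSense's WAN address as the next hop.
cisco_with_pfsense_static_route = cisco_with_pfsense_no_route + [
    (SERVER_24, PFSENSE_WAN),
]


def pfsense_can_receive_server_traffic(routes):
    """True only when the Cisco hands packets for the server to pfSense's WAN
    address, which is the only path into the /24 once NAT is disabled."""
    return forwarding_decision(routes, SERVER) == ("via", PFSENSE_WAN)


if __name__ == "__main__":
    scenarios = [
        ("A: without pfSense", cisco_without_pfsense),
        ("B1: pfSense, /24 still connected", cisco_with_pfsense_secondary),
        ("B2: pfSense, default route only", cisco_with_pfsense_no_route),
        ("C: pfSense, static route", cisco_with_pfsense_static_route),
    ]
    for name, table in scenarios:
        print(f"{name:34s} -> {forwarding_decision(table, SERVER)}")
```

The model only covers the Cisco's side. For the return path, pfSense's WAN gateway must be the Cisco's address in the /29, as the thread's topology already shows, and with NAT disabled the upstream provider must route the /24 towards the Cisco in the first place; neither is checked here.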