Route new public /29
I've gotten a new /29 from my ISP in a different subnet. My WAN is configured with xxx.xxx.182.145/30 and the new block is xxx.xxx.176.40/29.
I was able to set up NAT with virtual IPs on the new IP block to get things working; all I had to do other than the VIPs was enter a static route for .40/29 via .182.145.
One of those new IPs needs to be directly connected without using NAT. I've configured the static IP on my server of .176.41, added a separate vlan300 to my server (the other 2 IPs go over vlan400 to a public wireless interface on the pfSense via NAT), switches, and pfSense, and assigned .46 to the pfSense DMZ interface with a gateway of the .182.145. I then turned on AON and left the default rule in place.
Internet browsing off the default gateway on the LAN is fine and I can ping from the server IP of .41 to the .46. I can't get anything to come in; I've put a rule on the DMZ side to allow all ICMP traffic to the .46 and can't ping in. My default gateway on the server is an internal router and traceroutes show it directly hitting the .46, so I know (pretty sure) the internal config is right.
WAN - .182.145/30 -- DMZ - .176.46/29
LAN - 192.168.x.x -- Server - .176.41
How do I get the public IPs to be visible from the outside? I've tried removing the static route and also doing an allow all from any to DMZ Subnet on the DMZ interface; neither has worked. Thanks for any help you guys can provide!
Here's how I would tackle your issues…
Firstly, you shouldn't need any static routes to achieve what you want.
The server with the public ip directly assigned should be on a vlan that is bridged with the WAN interface.
If you are using AON, you will also need a rule in there for the DMZ.
You do not mention NAT and firewall rules. Do you have those in place for the ports you want to forward to the DMZ?
Also, the bridged interface passes through the firewall filter so you will need rules in place for that.
Hope this helps
I didn't think to bridge it with the WAN. By doing so and keeping AON on, I won't need to NAT, just add firewall rules, right? I'll give that a try. Thanks!
Edit: Just to make sure: I still need AON since I can't NAT the IP, correct?
Sure, just a firewall rule for the bridged IP. I was thinking of NAT for your DMZ.
You might get away without AON. I only tend to use it when I have multiple WANs.
It worked! I do have AON on, but probably don't need it. Thanks so much for the help!
I posted another topic on this new "side-effect" I'm experiencing. Twice now I've started getting this message:
kernel: arplookup x.x.x.41 failed: host is not on local network
And my second subnet becomes inaccessible via the rules I've provided directly to the public IPs on the servers. However, NAT rules still work.
Any thoughts on this? The first time I did it, I fiddled with the DMZ stuff, unbridged, rebridged, rebooted, and it worked, this time it won't start working at all.
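The kernel message quoted above means the firewall saw an ARP packet for an address it does not consider attached to the interface the packet arrived on. As an added example (not code from this thread or from pfSense), the script below parses such log lines and reports which configured interface subnet, if any, actually contains the failing address, so the bridge/VIP layout can be checked against what the kernel is seeing. Interface addresses and log lines are constructed, using 203.0.113.0/24 in place of the redacted prefix.

```python
import re
from ipaddress import ip_address, ip_interface

# Interface addressing as described in the thread, with constructed
# 203.0.113.0/24 (TEST-NET-3) values standing in for the redacted prefix.
INTERFACES = {
    "wan": ip_interface("203.0.113.145/30"),
    "dmz": ip_interface("203.0.113.46/29"),
}

# Matches the FreeBSD kernel message shown in the thread.
ARP_RE = re.compile(r"arplookup (\S+) failed: host is not on local network")


def parse_arplookup_failures(lines):
    """Return the IP addresses named in 'arplookup ... failed' messages."""
    found = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            found.append(ip_address(m.group(1)))
    return found


def covering_interfaces(addr, interfaces=INTERFACES):
    """Names of interfaces whose directly attached subnet contains addr."""
    return [name for name, iface in interfaces.items() if addr in iface.network]


def diagnose(lines, interfaces=INTERFACES):
    """Map each failing address to the interfaces that could legitimately ARP for it.

    An empty list means no configured subnet covers the address, so the ARP
    traffic can only be explained by a bridge member, VIP or route that is
    not reflected in the interface configuration.
    """
    return {str(a): covering_interfaces(a, interfaces)
            for a in parse_arplookup_failures(lines)}


# Constructed sample log, modelled on the line quoted in the thread.
SAMPLE_LOG = [
    "Jan  1 00:00:01 pfsense kernel: arplookup 203.0.113.41 failed: host is not on local network",
    "Jan  1 00:00:02 pfsense kernel: arplookup 203.0.113.200 failed: host is not on local network",
    "Jan  1 00:00:03 pfsense sshd[123]: unrelated line",
]

if __name__ == "__main__":
    for ip, names in diagnose(SAMPLE_LOG).items():
        print(ip, "->", names or "no local subnet; check bridge/VIP config")
```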