16 IPs /28 subnet on WAN interface.
I am new to pfSense and this is my concept.
I have 1 WAN, 1 LAN and 1 OPT interface.
My provider gives me 16 static IPs (a /28 network), for example xxx.xxx.xxx.96/28.
So my WAN interface has the IP xxx.xxx.xxx.98 and my provider has xxx.xxx.xxx.97, which is my gateway for my static WAN interface.
My LAN has the 192.168.3.0/24 subnet.
My OPT interface is not in use (till now).
What I want to do is to give real IPs (e.g. xxx.xxx.xxx.101, 102, …) to some devices inside my network.
How can I do that? I am confused with the meaning of virtual IPs, aliases, CARP, proxy ARP etc.
Do I have to use my spare OPT interface with a bridge?
I want to give them full access to the outside world with a static real IP for each one, and I do not care if they can communicate with the 192.168.3.0 LAN subnet.
Since your ISP has given you a router that holds the xxx.xxx.xxx.96/28 network your best option is probably to bridge OPT1 to WAN and use the public IPs on hosts connected to OPT1 net. Note: the hosts on the OPT1 net must use xxx.xxx.xxx.97/28 as their gateway, not the pfSense WAN address.
You could use private IPs on the OPT1 net and use the public IPs as virtual IPs (proxy ARP or CARP) on the WAN interface combined with port forwards/outbound NAT or 1:1 NAT, but those configurations tend to be messy, just my opinion.
I did the first solution that you propose and I could access the internet from the host and the host from the internet. Although I have a teleconference appliance (Linux-based) that is not working!!! I can ping the device from the internet and the device can access the internet. But when I try a teleconferencing call it is not working.
I tried the same teleconference device behind a simple ADSL router with a static IP and it works!
When this device dials the receiver shows the ip xxx.xxx.xxx.xxx:7020 .
When I use pfSense the receiver rings but it doesn't show the port (7020) and the call cannot be established.
Even if you are bridged, you still need rules allowing inbound traffic to specific ports. Have you set that up?
Yes. I can ping from both sides. I wonder if my provider is doing something…
I didn't ask if you can ping, I asked if you had rules to allow connection to the port(s) you need.
I opened everything (*) from any.
If I am reading you correctly, you are saying that calls work if initiated from inside the firewall, but not for inbound calls?
I call from inside, the other side rings after 20-30 seconds (too late, normally it is 2-3 seconds) and I answer, but the communication is not established.
When I try with a simple ADSL router behind a simple ISDN with a static IP, I call from inside, the other side sees the ring in 2-3 seconds and the port 7020 after the caller IP, and the answer works correctly.
Okay, I think I see. Can you do a packet capture on the WAN port, do a call from inside, stop the capture, and look for packets relevant to the host you are calling from?
I will try it tomorrow morning when I am at my client's again. Thank you very much for your interest and your help.
Finally it worked with bridged interfaces!!!!! THE PROBLEM WAS THAT MY PROVIDER BLOCKED THE SIP RANGE!!!!!
Now the only thing that is not working, and this time it is not my provider's fault, is that port 5060 is blocked. I have an any/any rule, so I wonder why…
Everything is OK. Port 5060 was blocked by the teleconference device.
So it works perfectly now with OPT bridged to WAN and assigning the static IP to the teleconference.
Also, a PASS rule on OPT and WAN is needed.
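As a worked version of the WAN packet-capture check suggested above (an added example, not code from this thread or from pfSense): this hypothetical Python helper reads the text output of a tcpdump taken on the WAN for the bridged host and reports whether its SIP signalling leaves the WAN and gets answered, which separates a provider-side block like the one found here from a missing OPT/WAN pass rule. The capture lines and the 203.0.113.101 / 198.51.100.20 addresses are constructed.

```python
# Constructed sample of `tcpdump -nn -i <wan-if> host <host-ip>` text output.
# 203.0.113.101 stands in for the bridged teleconference host's public IP and
# 198.51.100.20 for the remote SIP peer; both are assumed documentation addresses.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 203.0.113.101.5060 > 198.51.100.20.5060: SIP: INVITE sip:room@198.51.100.20 SIP/2.0
10:01:02.500001 IP 203.0.113.101.5060 > 198.51.100.20.5060: SIP: INVITE sip:room@198.51.100.20 SIP/2.0
10:01:03.000001 IP 203.0.113.101.5060 > 198.51.100.20.5060: SIP: INVITE sip:room@198.51.100.20 SIP/2.0
10:01:03.100001 IP 198.51.100.20 > 203.0.113.101: ICMP echo request, id 1, seq 1, length 64
10:01:03.100501 IP 203.0.113.101 > 198.51.100.20: ICMP echo reply, id 1, seq 1, length 64
"""

SIP_PORTS = {5060, 5061}  # SIP signalling (UDP/TCP) and SIP over TLS

def split_endpoint(token):
    """'203.0.113.101.5060' -> ('203.0.113.101', 5060); a bare IPv4 gets port None."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def parse_line(line):
    """Parse one '<ts> IP <src> > <dst>: <info>' line; return None for anything else."""
    fields = line.split(" ", 4)
    if len(fields) != 5 or fields[1] != "IP" or fields[3] != ">":
        return None
    dst, _, info = fields[4].partition(": ")
    src_ip, sport = split_endpoint(fields[2])
    dst_ip, dport = split_endpoint(dst)
    return {"src": src_ip, "sport": sport, "dst": dst_ip, "dport": dport, "info": info}

def sip_reachability(capture_text, host):
    """Return (sip_sent, sip_received, verdict) for the bridged host's SIP signalling."""
    sent = received = 0
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or not ({pkt["sport"], pkt["dport"]} & SIP_PORTS):
            continue  # non-SIP packets, e.g. the ICMP pings that work, are ignored
        if pkt["src"] == host:
            sent += 1
        elif pkt["dst"] == host:
            received += 1
    if sent and not received:
        verdict = "SIP leaves the WAN but nothing returns: suspect upstream filtering"
    elif sent:
        verdict = "SIP flows both ways on the WAN: check OPT/WAN pass rules and media ports"
    else:
        verdict = "no SIP from the host seen on the WAN: check the bridge and OPT pass rules"
    return sent, received, verdict

if __name__ == "__main__":
    print(sip_reachability(SAMPLE_CAPTURE, "203.0.113.101"))
```

Run it against a real capture by reading the file into `capture_text`; pings succeeding while the INVITEs go unanswered is exactly the pattern this thread ended up with.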