Netgate Discussion Forum

    Subnetting a /24 from the ISP to smaller subnets or single IPs(VLSM?)

    Routing and Multi WAN
      lonelynetworknoob

      I need some explanation. Today we just put all the IPs as aliases and then just NAT them (not using pfSense today, but Linux with iptables). I want some of these public IPs to be directly available to servers behind the router/firewall (which is going to be pfSense in the future).

      Today I would need to set a switch BEFORE the router and then just assign it. But I think it's a cleaner setup to have a single firewall cluster in-place and all the servers behind it. Both servers with NAT and public IPs. Is my limited network experience making up stupid solutions here or what? ???

      I'm thinking I would need to get my ISP to change its routing table, to say that my router/firewall has not the /24 they gave me, but /26, /27 or whatever I decide to create. Hopefully there's a way to do it without me talking to the ISP.

      I'm clearly confused on the matter. :)

        thanatos2k

        If you need the public IPs on the LAN side of your router, you'll need to have your ISP set you up with a routed configuration instead of bridged like you have now. In a routed configuration, your router has a different WAN IP and your static class C as the LAN side. If you don't want to do that then the only way to get it done is with 1:1 NAT. pfSense is pretty good at making 1:1 NAT easy, basically the router just maps each public IP to the same 4th octet private IP, so if 123.123.123.0/24 is your range, then 123.123.123.1 --> 192.168.1.1, 123.123.123.2 --> 192.168.1.2, etc. You can use whatever firewall settings are appropriate for each individual IP. The only downside to this setup is that the servers themselves see their own IP addresses as 192.168.1.xxx, so if for example you have Windows DNS with dynamic registration enabled that could cause problems.

        What are you running on the LAN side that needs to know it has a static IP? Maybe someone can help you set that up to work with the 1:1 NAT and then you won't have to get your ISP involved.

        "I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones." - A. Einstein

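The same-offset 1:1 mapping described in the post above, as an added example that is not part of the original thread: it derives the private address for each public IP and emits matching iptables DNAT/SNAT rules with a per-host allow list. It generalizes from the /24 in the post to any pair of equal-size prefixes; the function names, the `eth0` WAN interface and the sample server list are assumptions made for illustration.

```python
import ipaddress

def nat_target(public_ip, public_net, private_net):
    """Return the private address at the same offset (same 4th octet for a /24)."""
    pub_net = ipaddress.ip_network(public_net)
    priv_net = ipaddress.ip_network(private_net)
    ip = ipaddress.ip_address(public_ip)
    if pub_net.prefixlen != priv_net.prefixlen:
        raise ValueError("1:1 NAT needs ranges of equal size")
    if ip not in pub_net or ip in (pub_net.network_address, pub_net.broadcast_address):
        raise ValueError(f"{ip} is not a usable host in {pub_net}")
    return priv_net.network_address + (int(ip) - int(pub_net.network_address))

def build_rules(servers, public_net, private_net, wan_if="eth0"):
    """servers: {public_ip: [(proto, port), ...]}. Returns iptables commands as strings.

    Only inbound exposure is covered: anything not listed is dropped, and
    connections initiated from the LAN would need their own FORWARD rule.
    """
    rules = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for pub, ports in sorted(servers.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        priv = nat_target(pub, public_net, private_net)
        rules.append(f"iptables -t nat -A PREROUTING -i {wan_if} -d {pub} "
                     f"-j DNAT --to-destination {priv}")
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan_if} -s {priv} "
                     f"-j SNAT --to-source {pub}")
        for proto, port in ports:
            # FORWARD is evaluated after DNAT, so it matches the private address.
            rules.append(f"iptables -A FORWARD -i {wan_if} -d {priv} "
                         f"-p {proto} --dport {port} -j ACCEPT")
    return rules

# Constructed sample: two hypothetical servers in the range used in the post.
SERVERS = {
    "123.123.123.10": [("tcp", 443)],
    "123.123.123.2": [("tcp", 22), ("tcp", 80)],
}

if __name__ == "__main__":
    for line in build_rules(SERVERS, "123.123.123.0/24", "192.168.1.0/24"):
        print(line)
```
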
          lonelynetworknoob

          I would like my Asterisk PBX box to have a public IP because the SIP protocols don't behave nicely behind NAT. I also need an FTP server.

          Thanks for clearing up what I needed to do. I'll just connect these boxes to the switch before pfSense and then just enable iptables directly on the servers. And use 1:1 NAT for whatever else I can.
