Subnetting a /24 from the ISP to smaller subnets or single IPs(VLSM?)



  • I need some explanation. Today we just put all the IPs as aliases and then just NAT them (not using pfsense today, but linux with iptables). I want some of these public IPs to be directly available to servers behind the router/firewall (Which is going to be pfsense in the future).

    Today I would need to set a switch BEFORE the router and then just assign it. But I think it's a cleaner setup to have a single firewall cluster in-place and all the servers behind it. Both servers with NAT and public ips. Is my limited network experience making up stupid solutions here or what?  ???

    I'm thinking i would need to get my ISP to change its routing table, to say that my router/firewall has not the /24 they gave me, but /26, /27 or whatever i decide to create. Hopefully there's a way to do it without me talking to the ISP.

    I'm clearly confused on the matter. :)



  • If you need the public IPs on the LAN side of your router, you'll need to have your ISP set you up with a routed configuration instead of bridged like you have now. In a routed configuration, your router has a different WAN IP and your static class C as the LAN side. If you don't want to do that then the only way to get it done is with 1:1 NAT. pfSense is pretty good at making 1:1 NAT easy, basically the router just maps each public IP to the same 4th octet private IP, so if 123.123.123.0/24 is your range, then 123.123.123.1 –> 192.168.1.1, 123.123.123.2 --> 192.168.1.2, etc. You can use whatever firewall settings are appropriate for each individual IP. The only downside to this setup is that the servers themselves see their own IP addresses as 192.168.1.xxx, so if for example you have windows DNS with dynamic registration enabled that could cause problems.

    What are you running on the LAN side that needs to know it has a static IP? Maybe someone can help you set that up to work with the 1:1 NAT and then you won't have to get your ISP involved.



  • I would like my Asterisk PBX box to have a public IP because the SIP protocols don't behave nicely behind nat. I also need a ftp server.

    Thanks for  clearing up on what i needed to do. I'll just connect these boxes to the switch before fpsense and then just enable iptables directly on the servers. And use NAT1:1 for whatever else i can.


Locked