[Subnet ABC -> Static IP#1, Subnet D -> Static IP#2] -> WAN



  • So I have a network with the following subnets:

    10.0.0.x (call this A)
    10.0.1.x (call this B)
    10.0.2.x (call this C)
    10.0.255.x (call this D)

    I want to make ABC run through static IP#1, and D run through static IP#2. How do I do this under Virtual IP / 1:1 NAT? Please forgive me for my lack of understanding – I am still learning this and am an amateur with these things. Thanks!

    Under Interfaces->WAN I have it configured to static IP#1, so right now ABCD all run under static IP#1. The subnets/gateways for the IPs are the same, and both end with /25. All I need to do is get D to run under static IP#2.

    Under Firewall->NAT->1:1 I made an entry with the following settings:
    Interface: WAN
    External subnet: staticIPtwo/32
    Internal subnet: 10.0.255.0
    Did I do this correctly? Will this work?

    [13:57] <joe-mac>in pure pf, it'd be something like match out from 10.0.255.0/24 to route internet nat-to whateverip
    [13:57] <joe-mac>of course that requires using route labels, 'route internet' could be a macro or interface network etc
    [13:57] <joe-mac>I'm not entirely sure how to do that in the interface, look for a nat rules section, should be pretty standard fare
    [13:57] == Morphje [~Morphje@morphje.xs4all.nl] has joined ##pfsense
    [14:03] == Jippi [~jippignu@x1-6-60-33-4b-2e-fb-5c.k47.webspeed.dk] has joined ##pfsense
    [14:09] <bluetoast>I am not quite sure where/how to do that
    [14:09] == ganbold [~ganbold@202.179.0.107] has quit [Remote host closed the connection]
    [14:10] <bluetoast>one sec, let me try to see if I can do this on Firewall->NAT->Outbound
    [14:12] <joe-mac>sounds like it to me
    [14:16] <bluetoast>meh
    [14:16] <bluetoast>under Virtual IP
    [14:16] <bluetoast>I created an entry for staticIPtwo/32
    [14:17] <bluetoast>then under Firewall->NAT->Outbound
    [14:17] <bluetoast>I created an entry with subnet source 10.0.255.0/24
    [14:17] <bluetoast>with any destination
    [14:18] <bluetoast>translation to staticIPtwo/32 that I created in Virtual IP page (in the list there is Network interface, staticIPtwo, any)
    [14:18] <bluetoast>(which is why I had to make the entry in Virtual IP page so that it would show up in the drop down)
    [14:18] <bluetoast>Network interface: I take it that it means it will use the settings from Interfaces->WAN
    [14:19] <bluetoast>Right now "Automatic outbound NAT rule generation (IPsec passthrough)" is enabled
    [14:19] <bluetoast>unfortunately, nothing is working (my laptop is in 10.0.255.0 subnet for testing)
    [14:19] <bluetoast>internet works fine.. but I get staticIPone from ipchicken.com
    [14:20] <bluetoast>and I want to get staticIPtwo on this subnet
    [14:20] <bluetoast>so… now I will enable manual outbound NAT rule generation
    [14:21] <bluetoast>Nope, doesn't work
    [14:21] <bluetoast>internet doesn't load
    [14:21] <bluetoast>:(
    [14:23] <bluetoast>What should I try?
    [14:23] <joe-mac>yea I know how to fix problems like this in pf but not through the pfsense interface, I'm new at the interface
    [14:23] <bluetoast>ah
    [14:23] <bluetoast>:
    [14:23] <joe-mac>also, not sure if it's using the old style nat/rdr or the new ones
    [14:23] <bluetoast>Using pfSense 1.2.3
    [14:23] <joe-mac>around 4.7 obsd or so nat and rdr rules were drastically changed, idk how that matches up to pfsense
    [14:23] <oz4ga>remember that pfSense uses quick
    [14:24] <oz4ga>that is first match not last as pf normally does



  • Ok, so this is how it is done:

    Your pfSense box has WAN, LAN, and OPT1 ports (at least three RJ45/ethernet ports). You want to put a switch between your WAN and cable modem, plug OPT1 into that switch (so that both WAN and OPT1 go to the same switch).

    Go to Interfaces->OPT1 and set the page up EXACTLY like Interfaces->WAN. The only two things that should be different here are the General configuration->MAC address and IP configuration->IP address. The MAC address should be the MAC ID of your OPT1 port, which you can find on the Interfaces->Assign page. The IP address should be your second/other static IP address that your ISP gave you as part of your internet subscription plan with them.

    Call up your ISP and have them whitelist the MAC ID for your OPT1 port on your second/desired static IP address (something like 00:00:00:00:00:00 on the Interfaces->Assign page). This static IP address must be one that your ISP gave to you as part of your plan/contract/subscription with them, and is generally only available via business subscriptions (these are usually also year-based contracts like mobile/cell phones and then go month-to-month after the minimum contract time expires). After your ISP whitelists the MAC ID of OPT1 for your second/desired static IP address, wait until the changes on the ISP's end are actually applied to their servers (the technician should tell you over the phone after he whitelists the MAC ID).

    Go to Firewall->Virtual IPs and create an entry. Use the following settings:
    Type: Proxy ARP
    Interface: WAN
    IP Address(es): Type: Single address
    IP Address(es): Address: <the static IP address you want to use for computers on 10.0.255.x>

    Go to Firewall->NAT->Outbound and create a new entry. Use the following settings:
    Interface: WAN
    Source: Type: Network
    Source: Address: 10.0.255.0 / 24
    Translation: Address: <the static IP address you set up in the Virtual IPs page>

    (EDIT: You will have to create another entry like the above, but for 10.0.0.0/16. You will need to make sure that this is at the bottom of the Outbound page's list, as pfSense will apparently override the latter in the list; the entry at the top overrides the entry at the bottom.)

    Open two tabs to http://www.ipchicken.com/. In pfSense, Apply changes. In the second tab to ipchicken.com, hit F5 (or CTRL+F5 or click on "Current IP" in the website's menu). It should come up and show that you are now using your second/other static IP address (assuming your machine has a 10.0.255.x LAN IP address). Machines whose IP is not in the 10.0.255.x subnet will use the static IP address you have configured for WAN under Interfaces->WAN.

    Summary of what is accomplished: I have two static IP addresses and everything runs through the first static IP address. All I wanted to do was run a specific LAN subnet (10.0.255.x workstations) through the second IP address.

    With this, I can use OpenDNS to block social networking websites on the first static IP address – so basically for the entire company. On the second static IP address, OpenDNS would also be used, but without blocking social networking websites – so the company CEO and special VIPs would have unfiltered internet while still having the redundancy, speed, safety and security of OpenDNS. In OpenDNS you can filter per IP address, so just add your two static IP addresses as /32 (single address) blocks and apply the filtering of your desires to each of them as you please. :)
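    For readers who want to see what the two Outbound NAT entries above correspond to in pf terms, the fragment below is an added example written in the old-style pf translation syntax that pfSense 1.2.3 is built on; it is not taken from the thread or from pfSense's generated ruleset, and the interface name and the two public addresses are placeholders.

```pf
# Added example: old-style pf translation rules equivalent to the two
# Firewall->NAT->Outbound entries described above. Interface name and
# public addresses are placeholders, not values from the thread.
wan_if     = "em0"
static_ip1 = "203.0.113.10"   # address configured on Interfaces->WAN
static_ip2 = "203.0.113.11"   # the Proxy ARP virtual IP
vip_net    = "10.0.255.0/24"  # subnet D
lan_nets   = "10.0.0.0/16"    # covers A, B, C and D

# Translation rules are evaluated first-match, so the more specific /24
# rule must come before the /16 rule; reversed, every host (including
# 10.0.255.x) would be translated to $static_ip1.
nat on $wan_if from $vip_net  to any -> $static_ip2
nat on $wan_if from $lan_nets to any -> $static_ip1

# Caveat: queries sent by the firewall's own DNS forwarder already carry
# the WAN address as source, so neither rule matches them and they always
# leave as $static_ip1 regardless of which LAN host asked.
```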



  • Ok, well, for some reason it is and isn't working. A 10.0.255.x machine gets the second static IP instead of the first IP when going to ipchicken.com. However, despite having nothing filtered on the second static IP through OpenDNS, the filtered content set for the first static IP is applying to everyone (including 10.0.255.x machines).

    I think I may have done it wrong. I get the sneaking suspicion that staticIPtwo should be going through OPT1 and not have anything to do with the interface labeled WAN.

    Sigh. This isn't working like I want it. This is what I want in the end:

    FYI: Every device on the network has a static IP address. The only machines that truly get served by DHCP are e.g. personal laptops connected via RJ45.

    For now I have just manually set the CEO's machine to use the ISP's DNS. :( Works, but a very dirty and improper way to do it. Sad now.



  • I know why it didn't work.

    The DNS server would be the pfSense box, and the pfSense box is configured to use OpenDNS – which by its default nature is through the WAN port, which is why setting filtering options on StaticIP#1 on OpenDNS' website would "apply" to StaticIP#2 machines as well. DNS queries (and DNS filtering) would be performed through WAN rather than being split and queried from the same interface (OPT1) as the NAT-Outbound assigned static IP.

    I think the only two solutions (one of which really isn't one, as it does not exist as a feature in pfSense) would be (1) a VLAN setup via a managed switch (we have an HP ProCurve 4000) or (2) configuring pfSense so that DNS queries from the subnet that is set to go through OPT1/StaticIP#2 also make their DNS queries to OpenDNS through the same interface rather than through WAN.

    EDIT: I think there needs to be an option under Virtual IPs or better so under NAT->Outbound for entries to manually specify DNS servers that said subnet(s)/IP would use (or if it should make DNS queries through selected interface as well).

