5-static IPs Looking for basic setup help



  • Hello,
    I'm a very new user to PF Sense. I have installed 123 on server-grade hardware with 8 interfaces. I have 5 static IPs from my ISP and need to assign each of the IPs to an interface. My IPs range from .178-.182. I would like each of the internal subnets (??) to be 10.xx.178.10 through 10.xx.182.10.

    I have assigned the WAN .178 (with gateway of .1) and assigned the LAN 10.xx.178.10 and can successfully reach the internet, apply rules, port forwarding, etc.

    It is my understanding that I now need to go into "Firewall >> VIP >> Type=Other" and assign each of my interfaces (OPT2-OPT6) a single address IP (such as .179/32). Under the "Other" type only single address comes up as a choice.

    I have assigned
    WAN = .178/24 with GW .1
    LAN = 10.xx.178.10/24

    RULES… WAN has block private & bogon networks too

    WAN RULE = Proto = *, Source = *, Destination = Interface IP, Port = *, GW = *, Schedule = blank

    LAN RULE = Proto = *, Source = *, Dest = *, Port = *, GW = * (Default LAN->any rule)

    What I don't understand is whether I need to assign my VIPs to the WAN interface or to the optional interfaces, and I don't know if my Optional Interfaces should be assigned LAN 10.xx.178.11 IPs or if they should each be their own IPs (LAN = 10.xx.178.10, Opt1 = 10.xx.179.10, Opt2 = 10.xx.180.10, Opt3 = 10.xx.181.10, Opt4 = 10.xx.182.10).

    I understand basic NAT and Firewall Rules but I'm no expert by any means. I've used dd-wrt and Linksys/Cisco hardware but this is my first solo attempt at pfsense.

    Are there default rules for this? My ISP (Verizon) is telling me to configure my network as follows:

    ONT (box on wall) >>> 8-port gig hub >>> 5 ports run to 5 separate routers each on its own external static IP. Not only is this a bear to operate and maintain but this does not allow IPs to share resources (such as common printers or NAS on the LAN), etc.

    What I want to do is:

    ONT (where FiOS goes in and copper goes out) >> PFSense WAN which passes all five IPs through to the LAN and OPT1-4.

    Conceptually I think I'm there but I think I'm getting hung up between the 1:1 NAT and fw Rules. Also having trouble with what I need to assign the interfaces (LAN addresses or unique addresses) and where/how I assign VIPs (Interfaces or on the WAN).

    Thx for any help.



  • I've done a bunch of work and made some progress. If I phrase a few questions could someone possibly answer?

    I can't 1:1 NAT 5 external IPs to LAN + OPT1 to OPT4.

    #1 - do I assign the VIPs to the WAN interface?

    #2 - do I assign the OPT1 - OPT4 interfaces INTERNAL LAN ip addresses or each their own unique address?

    #3 - my ISP gave me /24 GW (255.255.255.0 & xxx.xxx.xxx.1). Do I need to assign the VLANs /24 or /32 IPs?

    Thx for any feedback.



  • Do you need to have access from WAN to LAN? Do you have servers or something like that?
    If you only need access from LAN (LAN, OPT1-OPT4) to WAN then simple manual outbound NATs are enough with CARP VIPs.

    1. Create VIPs; CARP is the one you can use.
    2. Check that LAN and every OPT port has its own subnet.
    3. Create manual outbound NAT rules for every subnet (LAN, OPT1-OPT4) to the VIPs, and that one should use the hardware IP address.
      3.1) Check that the automatically created rule is below any other rule.

    And we're using our own free time when we have it, so we may not answer right away.
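    The design in the answer above (one subnet per interface, each translated out through its own CARP VIP, with the automatic catch-all rule kept last), written out as the pf rules pfSense ends up generating from those GUI settings. This is an added illustration, not configuration from the thread; the interface names, the 10.0.x.0/24 subnets and the 203.0.113.178-182 public block are assumed placeholders.

```pf
# Added illustration (not from the thread) of the per-subnet outbound NAT design.
# Assumed placeholders: public block 203.0.113.178-182 with gateway .1,
# WAN on em0, LAN on em1, OPT1-OPT4 on em2-em5.
wan = "em0"

# One private subnet per interface (step 2 of the answer).
table <lan_net>  { 10.0.178.0/24 }   # LAN,  leaves on the WAN address (.178)
table <opt1_net> { 10.0.179.0/24 }   # OPT1, leaves on CARP VIP .179
table <opt2_net> { 10.0.180.0/24 }   # OPT2, leaves on CARP VIP .180
table <opt3_net> { 10.0.181.0/24 }   # OPT3, leaves on CARP VIP .181
table <opt4_net> { 10.0.182.0/24 }   # OPT4, leaves on CARP VIP .182
table <offices>  { 10.0.178.0/24 10.0.179.0/24 10.0.180.0/24 \
                   10.0.181.0/24 10.0.182.0/24 }

# pf evaluates translation rules first-match, so the specific per-subnet
# rules must sit ABOVE the catch-all (step 3.1 of the answer). If the
# catch-all came first, every office would leave on .178.
nat on $wan from <opt1_net> to any -> 203.0.113.179
nat on $wan from <opt2_net> to any -> 203.0.113.180
nat on $wan from <opt3_net> to any -> 203.0.113.181
nat on $wan from <opt4_net> to any -> 203.0.113.182
# Catch-all, equivalent to pfSense's automatically created rule:
# anything else (here, LAN) uses the hardware WAN interface address.
nat on $wan from any to any -> ($wan)

# Filter side: offices are isolated from each other, except for a shared
# printer on an assumed "common" interface, as the thread asks for.
common_printer = "10.0.200.10"
block in quick from <offices> to <offices>
pass  in quick proto tcp from <offices> to $common_printer port 9100
pass  in quick from <offices> to any
```

    In pfSense the same ordering is visible on Firewall > NAT > Outbound once manual mode is selected: the per-interface rules go above the automatically generated one.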



  • @Metu69salemi:

    Do you need to have access from WAN to LAN? Do you have servers or something like that?
    If you only need access from LAN (LAN, OPT1-OPT4) to WAN then simple manual outbound NATs are enough with CARP VIPs.

    1. Create VIPs; CARP is the one you can use.
    2. Check that LAN and every OPT port has its own subnet.
    3. Create manual outbound NAT rules for every subnet (LAN, OPT1-OPT4) to the VIPs, and that one should use the hardware IP address.
      3.1) Check that the automatically created rule is below any other rule.

    And we're using our own free time when we have it, so we may not answer right away.

    I didn't mean to sound ungrateful; I just thought I'd rephrase so that it was easier to answer.

    No, I don't have servers. I have 5 separate businesses or small offices, and I need to essentially push the external static IPs through the PF Sense box to an individual interface that has a unique internal and external IP and a unique DHCP table.

    The office is shared/incubator space so there is a need to open up cross-network resources such as common printers or building/office property management intranet page, etc.

    Do I assign the VIP to the interface or to the WAN address?

    Thanks,

    EDIT: Also - do I assign the Interfaces unique IP ranges such as 10.xx.1.1, 10.xx.2.1, 10.xx.3.1, etc. or do the Optional Interfaces need to have LAN IPs?

    Thanks again,



  • Sorry for my previous message, it was a bit late to be writing that one.

    Use your own subnets per interface; it's easier to understand which network a client is talking from, etc.
    The first thing you need to do is design the network, and after that you can create it ;)

    You can create your own DHCP servers per interface, and why not per VLAN.
    Yes, assign that to the WAN interface when you create it.



  • I think I'm fine with the network but having problems with the internet.

    I cannot assign VIPs to my other IP addresses. For starters, do I need Proxy ARP, CARP or Other?

    Second, I know how to enable/disable pings… I can assign my LAN to whichever IP address per my ISP's information and it works, I get in & out, can ping, etc.

    I cannot ping my VIPs, so it seems as though I am assigning them incorrectly or not properly setting them up. I have a block of 5 consecutive IPs; I assume I assign the lowest number to the WAN and then use 4 VIPs for the rest?

    I saw many vague examples of how to direct blocks of external IP addresses to static LAN addresses but have found very little on how to assign 5 external IPs to the one WAN interface and then have them branch out into 5 (LAN + OPT1 + OPT2 + OPT3 + OPT4) interfaces in a 1:1 NAT.



  • If you have all the external IPs in the same subnet you can use the CARP type, like you have quoted me.
    If you don't have those in the same subnet you should use the Other type.

    Could you please read my previous messages; there I've explained how to get it done.



  • I feel like a jacka$$ for wasting your time on the forum. Turns out that my ISP (FiOS) had an issue on their end… something to do with a cross-connect going from their static to their DHCP servers, and I was unable to access multiple IPs from one MAC address. I really don't understand because I don't think they do either.

    All set - problem solved and things are as straightforward as any other ISP.

    Thank you very much for the replies. I appreciate them since I was stumped and kicked back to n00b status.

    New question - Are there multiple logins into the web gui/interface? I have 5 IPs and each goes to a different company. Is it possible for me to give company #3 a unique login from company #2? So that each can log in and screw up their individual IPs but not the overall pfsense box?

    Thx!



  • That is something where I can't give any answers, but I'm also interested. At least you can have multiple users and multiple groups, and you can give a lot of different rights.



  • As far as I know, this one can be done. Go to System>User Manager. This is for pf2.
    @pf123user:

    New question - Are there multiple logins into the web gui/interface? I have 5 IPs and each goes to a different company. Is it possible for me to give company #3 a unique login from company #2?

    But for this, I am not sure. I would also like to know how.
    @pf123user:

    So that each can log in and screw up their individual IPs but not the overall pfsense box?


  • Rebel Alliance Developer Netgate

    You can have multiple users for the GUI in 2.0, but permissions are given on a per-page basis, not a per-setting/per-interface basis. So if you give someone access to the interfaces page, they can get all of the interfaces not just "theirs".



  • @jimp:

    You can have multiple users for the GUI in 2.0, but permissions are given on a per-page basis, not a per-setting/per-interface basis. So if you give someone access to the interfaces page, they can get all of the interfaces not just "theirs".

    Thanks for the reply. I have VZN FiOS 150/65 with 5 external static IPs (same ONT and shared bandwidth) and one TWC static 50/5 backup (which I will try to load balance/failover tomorrow).

    We have 5 businesses in our office, all of which have separate compliance, risk, etc. I would ideally like to have 5 logins who can each see only their "stuff" (and access shared resources I put on an additional "common" interface).

    Additionally (and I haven't thought this out fully yet), since I only have one backup IP (not a corresponding block of 5 external IPs), is it possible to set up isolated blocks of port forwarding on the failover line and keep those separate, or if my primary ISP goes down will everyone be able to see each other on the secondary ISP? (I understand Rules vs. NAT and internally they will stay separate… I'm asking about external access in.)

    Re: multi-user logins... 2.0 is the only option? With 123 only one admin is possible?

    Thx very very much for the responses and help so far. It is much appreciated.

