Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)



  • We just received a gigabit fiber circuit and I'm struggling with configuring pfsense.

    The ISP has given us WAN and LAN IPs but this is somewhat misleading as the LAN IPs are actually the public IPs.

    The WAN is a /30, basically the link from our building to their building.

    The LAN is a /27, giving us 28 usable IPs.

    ISP has provided the following information:

    NETWORK:

    WAN - xxx.xxx.82.216/30

    LAN -  yyy.yyy.38.224/27  (usable IPs  xxx.xxx.38.226 -254)
    Subnet Mask: 255.255.255.224
    Gateway:  yyy.yyy.38.225

    Pfsense works if I setup the WAN link using xxx.xxx.82.218 as interface IP with xxx.xxx.82.217 as the gateway.   But that is not utilizing the 28 public IPs.

    Am I forced to put a router in front of pfSense?  Router would use the WAN IP information, and pfSense would use the LAN IPs…

    I would rather NOT have to buy another piece of equipment so I would like to see if I can use Virtual IPs to solve the issue???

    Possible issue:  the WAN and LAN blocks have different gateways and netmasks



  • Because that is a continuous block of IPs you have the possibility to use PARP, CARP and VIPs for extra IPs and can have 1:1 NAT or manual outbound NAT for other tasks



  • WAN ip has to be the /30 to create link to ISP…

    I have 6 other interfaces on the pfSense... I am using these 6 interfaces for various things, but all are "small LANs".  I would like each of these LANs to browse the web using different IPs... Would I use PARP for that?



  • You can use it like that



  • Didn't work… I think the issue is that the public IPs need a different gateway/netmask than the WAN interface...  How to do this?  GRRRR.  Can someone hold my hand here?



  • If you were dealing with a router, it would be configured like this.

    WAN IP: xxx.xxx.82.218
    Netmask: 255.255.255.252 (/30)
    Gateway: xxx.xxx.82.217
    Network: xxx.xxx.82.216
    Broadcast: xxx.xxx.82.219

    LAN IP: yyy.yyy.38.225
    Netmask: 255.255.255.224 (/27)
    Gateway: None
    Network: yyy.yyy.38.224
    Broadcast: yyy.yyy.38.255

    Routing across interfaces must be enabled.

    You plug a switch into the LAN port you have 29 usable IPs - yyy.yyy.38.226-yyy.yyy.38.254 available.

    (Routed subnet of 32 IPs) - (1 IP for Network) - (1 IP for Broadcast) - (1 IP for Router) = 29 usable IP addresses

    Any of the addresses yyy.yyy.38.225-yyy.yyy.38.254 could be used as the router LAN IP. But it is customary to use either the first (yyy.yyy.38.225) or the last (yyy.yyy.38.254) of the 30 available IP addresses.

    One machine plugged into the switch could be configured like this.

    IP: yyy.yyy.38.226
    Netmask: 255.255.255.224 (/27)
    Gateway: yyy.yyy.38.225
    Network: yyy.yyy.38.224
    Broadcast: yyy.yyy.38.255

    This is how routed service works. A router configured as above is not a firewall. There is no NAT and no use of private IP addressing. All IP traffic from the internet destined to any of your routed subnet IP addresses will arrive on the WAN port, go freely across to the LAN port onto the switch and arrive at any machine having one of your usable IP addresses.

    Any OS that can route IP across interfaces configured as above would be a router. (Windows NT or later, Linux, any BSD, etc.)

    I'm not sure what happens when you put a pfsense box there. It may or may not route across interfaces without a rule on the LAN interface to allow it.
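
As an added illustration of the routed-service model described in the reply above (this is example code written for this page, not code from the thread or from pfSense), the following Python script models the router gderf describes: two connected networks, a default route toward the ISP, longest-prefix-match forwarding, and the usable-host arithmetic for the /27. It also checks the "different gateways" worry from the opening post: a gateway is only usable from an interface whose connected network contains it. The addresses are constructed placeholders from the RFC 5737 documentation ranges, standing in for the thread's masked xxx/yyy prefixes.

```python
import ipaddress

# Constructed sample addressing: RFC 5737 documentation prefixes stand in for
# the thread's masked xxx/yyy prefixes.
WAN_LINK = ipaddress.ip_interface("203.0.113.218/30")       # router WAN side
WAN_GATEWAY = "203.0.113.217"                               # ISP end of the /30
ROUTED_BLOCK = ipaddress.ip_interface("198.51.100.225/27")  # router LAN side


def usable_hosts(iface):
    """Addresses assignable to hosts behind the router: the block minus
    network, broadcast and the router's own interface address."""
    return [str(h) for h in iface.network.hosts() if h != iface.ip]


def gateway_on_link(iface, gateway):
    """A gateway is only usable from an interface whose connected network
    contains it; the /27's .225 is not reachable as a gateway from the /30."""
    return ipaddress.ip_address(gateway) in iface.network


class Router:
    """Connected routes plus a default route, longest prefix match."""

    def __init__(self):
        self.routes = []  # (network, egress interface, next hop or None)

    def add_interface(self, name, iface):
        # Routing across interfaces: each connected network becomes a route.
        self.routes.append((iface.network, name, None))

    def add_default(self, via, next_hop):
        self.routes.append((ipaddress.ip_network("0.0.0.0/0"), via, next_hop))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, name, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, name, nh)
        if best is None:
            return None
        _, name, nh = best
        # Connected route: the next hop is the destination itself (resolved by ARP).
        return (name, nh if nh is not None else str(dst))


def build_router():
    r = Router()
    r.add_interface("wan", WAN_LINK)
    r.add_interface("lan", ROUTED_BLOCK)
    r.add_default("wan", WAN_GATEWAY)
    return r


def forward(dst):
    """(egress interface, next hop) the router picks for a destination."""
    return build_router().lookup(dst)


if __name__ == "__main__":
    print(len(usable_hosts(ROUTED_BLOCK)), "usable host addresses in the /27")
    print("ISP gateway on-link from WAN:", gateway_on_link(WAN_LINK, WAN_GATEWAY))
    print("/27 gateway on-link from WAN:", gateway_on_link(WAN_LINK, "198.51.100.225"))
    for d in ("198.51.100.230", "8.8.8.8"):
        print(d, "->", forward(d))
```

Traffic from the internet to any address in the /27 arrives on the WAN side and is forwarded to the LAN side purely because the /27 is a connected route there; nothing else is involved. Note that this model has no filtering at all, which is the reply's point: a box configured only like this is a router, not a firewall.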



  • Gderf,

    In your reply, that would visually look like this correct?

    ISP (xxx.xxx.82.217) <---> (xxx.xxx.82.218) <wan> My Router <lan> (yyy.yyy.38.225) <---> (yyy.yyy.38.226) <wan> pfSense <lan> (192.168.1.1) <---> (192.168.1.2) My Switch <----> 192.168.1.x Clients

    Somewhere on the router some "voodoo magic" happens with a bridge or something where it pushes the yyy.yyy.38.224 /27 traffic ACROSS the xxx.xxx.82.216 /30 network.

    QUESTION:  Is it possible to accomplish this WITHOUT A ROUTER?  Basically I want to combine the "My Router" and "pfSense" above into JUST pfSense appliance???



  • pfSense can work as a router if you remove NAT (manual outbound NAT):
    just remove the NAT rules and you have a router.

    You may want to adjust the LAN IP address and DHCP server settings also.



  • There is no "voodoo magic" involved. The way to think about what a router is is that it is a device that connects two networks. You have a /30 connected to a /27. That's all it does. That's all it needs to do.

    Service like you have almost always comes with a provided router, or a list of qualified equipment that lets you shop for one yourself. Were you offered any options for this?

    How many public IP addresses do you actually need and do you want any of them on your computers? Or do you want only private IPs on your computers?



  • Thanks for your help.

    They offered a managed router service but wanted $600/mo extra for this + $x,xxx.xx to set it up.  I turned this down because I have this working at another site using only pfsense - but the ips are on the same network…  I didn't know we would get p2p /30 that we had to route across.

    I know pfsense can be a router - but then I lose NAT.  What I don't know is if it is an either/or situation or can I have both?

    I don't need any machines to have a public ip.  All will be private ip for now.  What I want is to have each of my lans NAT out different public ips (yyy.yyy.yyy.yyy)



  • If you want only to have internal IPs then the normal automatic NAT rule should be enough. It maps 192.168.1.1/24 -> x.x.x.128 /30 in this case.

    What is problem then?



  • @Metu69salemi:

    If you want only to have internal IPs then the normal automatic NAT rule should be enough. It maps 192.168.1.1/24 -> x.x.x.128 /30 in this case.

    What is problem then?

    Yes, simply setting the pfSense WAN port to xxx.xxx.82.218 and pointing it to the proper gateway IP of xxx.xxx.82.217 does create a usable link.  NAT works fine here for my LAN clients.

    The PROBLEM, is that this is not what I need.

    I have 8+ interfaces on my pfSense hardware.  I'm only using 3 right now (until I can figure this out, i'm stuck with 2).

    em0 = WAN  (xxx.xxx.82.218 /30)

    em1 = Corp LAN  (192.168.1.x /24)

    em2 = Guest WiFi  (172.16.1.x /24)

    Right now, em1 and em2 can browse the internet fine using NAT – The problem is em2 is a "guest wifi" network.

    We use IP Authentication to servers in a data center.  So our em1 LAN (corp network) is browsing the internet from xxx.xxx.82.218 IP.  We whitelist that IP so we can access our servers.

    Now a guest  shows up to our office, gets on the "guest wifi" and can't see any of our LAN machines, but can easily access our datacenter since they too are browsing the internet from xxx.xxx.82.218 which is whitelisted in the datacenter.

    My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.

    i.e.

    em1 (corp lan) =  yyy.yyy.32.226

    em2 (guest wifi) = yyy.yyy.32.227

    etc...



  • Answer: CARP/VIP + manual outbound NAT

    1. Create as many VIPs/CARPs as you like with public IPs
    2. Define manual outbound NAT to use such a CARP/VIP with another network

    Creation of both is very simple, but ask for help if it's not self-explanatory



  • What's the difference between CARP and PARP?  I tried PARP but it didn't work because it applies the net mask ( /30 ) of the WAN link to use the VIP.

    I think the official answer here is that pfSense alone will not achieve what I want.  It is necessary to put a router between ISP and pfSense?



  • PARP can't be used by pfSense itself

    And can you please explain why you need another router between pfSense and the ISP?

    I've got a single WAN + static IPs & 3 LANs and each LAN is using its own static public IP

    And you may use a firewall rule to block that access to your datacenter. Just remember, rules work on ingress and in top-to-bottom order
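
The two fixes proposed in the thread (per-subnet public source addresses via VIPs plus manual outbound NAT, and an ingress block rule on the guest interface that sits above the pass rule) can be checked against the datacenter whitelisting problem sierradump describes. The Python below is an added example written for this page, not pfSense's own rule engine: it models a pfSense-like pipeline in which firewall rules on the ingress interface are evaluated first-match, top to bottom, with a default deny, and outbound NAT rules on WAN are then evaluated first-match. All addresses are constructed placeholders from the RFC 5737 documentation ranges (the datacenter host 192.0.2.10 is assumed for the example).

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder addressing (RFC 5737 ranges stand in for xxx/yyy).
WAN_ADDR = "203.0.113.218"      # the /30 interface address
VIP_CORP = "198.51.100.226"     # VIPs taken from the routed /27
VIP_GUEST = "198.51.100.227"
DATACENTER = "192.0.2.10"       # assumed host that whitelists by source IP


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str


@dataclass
class FwRule:        # evaluated on the ingress interface, first match wins
    iface: str
    action: str      # "pass" | "block"
    src: str         # CIDR
    dst: str         # CIDR


@dataclass
class NatRule:       # outbound NAT on WAN, first match wins
    src: str         # CIDR
    nat_to: str      # source address after translation


def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def egress(pkt, fw_rules, nat_rules):
    """Source address the packet leaves WAN with, or None if filtered.
    No matching firewall rule means default deny."""
    for r in fw_rules:
        if r.iface == pkt.in_iface and _in(pkt.src, r.src) and _in(pkt.dst, r.dst):
            if r.action == "block":
                return None
            break
    else:
        return None
    for n in nat_rules:
        if _in(pkt.src, n.src):
            return n.nat_to
    return pkt.src  # no NAT rule matched: leaves untranslated


def datacenter_allows(src, whitelist):
    return src in whitelist


# Before: default "pass any" on every LAN, automatic NAT to the WAN address.
FW_BEFORE = [
    FwRule("em1", "pass", "192.168.1.0/24", "0.0.0.0/0"),
    FwRule("em2", "pass", "172.16.1.0/24", "0.0.0.0/0"),
]
NAT_BEFORE = [
    NatRule("192.168.1.0/24", WAN_ADDR),
    NatRule("172.16.1.0/24", WAN_ADDR),
]

# After: the guest block rule sits ABOVE the guest pass rule, and manual
# outbound NAT gives each subnet its own VIP out of the /27.
FW_AFTER = [
    FwRule("em1", "pass", "192.168.1.0/24", "0.0.0.0/0"),
    FwRule("em2", "block", "172.16.1.0/24", DATACENTER + "/32"),
    FwRule("em2", "pass", "172.16.1.0/24", "0.0.0.0/0"),
]
NAT_AFTER = [
    NatRule("192.168.1.0/24", VIP_CORP),
    NatRule("172.16.1.0/24", VIP_GUEST),
]
# Same rules with the block placed below the pass rule: the block never matches.
FW_MISORDERED = [FW_AFTER[0], FW_AFTER[2], FW_AFTER[1]]

WHITELIST = {VIP_CORP}  # what the datacenter should whitelist after the change


def guest_reaches_datacenter(fw, nat, whitelist):
    src = egress(Packet("em2", "172.16.1.50", DATACENTER), fw, nat)
    return src is not None and datacenter_allows(src, whitelist)


def corp_reaches_datacenter(fw, nat, whitelist):
    src = egress(Packet("em1", "192.168.1.50", DATACENTER), fw, nat)
    return src is not None and datacenter_allows(src, whitelist)


if __name__ == "__main__":
    print("before: guest reaches DC:", guest_reaches_datacenter(FW_BEFORE, NAT_BEFORE, {WAN_ADDR}))
    print("after:  guest reaches DC:", guest_reaches_datacenter(FW_AFTER, NAT_AFTER, WHITELIST))
    print("after:  corp reaches DC: ", corp_reaches_datacenter(FW_AFTER, NAT_AFTER, WHITELIST))
```

The two measures are independent: the separate NAT source address is what makes the datacenter's whitelist meaningful again (only the corp VIP should be listed there), while the block rule stops guest traffic before it ever reaches NAT, regardless of what the remote side whitelists. The misordered rule set shows why Metu's reminder about rule order matters: with the pass rule first, the block rule is dead and a whitelisted guest VIP would get through.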



  • @sierradump:

    My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.

    i.e.

    em1 (corp lan) =  yyy.yyy.32.226

    em2 (guest wifi) = yyy.yyy.32.227

    etc…

    No and the reason isn't a deficiency in pfsense. It's a limitation of IP networking. All interfaces in a single machine must define a unique network. What you are showing has em1 and em2 both belonging to your /27. This is ambiguous and either one or both interfaces will stop working once you configure the second one this way.

    But I thought what you were looking for was multiple separate private IP networks NAT'd to single individual public IPs out of your /27 ?

    The pricing on the ISP supplied managed router, if accurate, is ... well ... ludicrous. If, in the end, this is what it takes to accomplish your goals, then you can put one together yourself for a one time cost well under anything like the ISP wants. The challenge will be that to route a gigabit of bandwidth, the hardware will have to be fairly robust. Software-wise it's fairly trivial, and you could run it headless once it's set up and configured.

    Is there some way you can talk your ISP into delivering your routed /27 at the demark rather than a /30 that you need a router to capture the /27 at that huge upcharge?

    Maybe there is something (voodoo magic) within pfsense that will accomplish what you want in a single instance of it. But I'll admit not being familiar enough with the product to say so.



  • @gderf:

    @sierradump:

    My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.

    i.e.

    em1 (corp lan) =  yyy.yyy.32.226

    em2 (guest wifi) = yyy.yyy.32.227

    etc…

    No and the reason isn't a deficiency in pfsense. It's a limitation of IP networking. All interfaces in a single machine must define a unique network. What you are showing has em1 and em2 both belonging to your /27. This is ambiguous and either one or both interfaces will stop working once you configure the second one this way.

    But I thought what you were looking for was multiple separate private IP networks NAT'd to single individual public IPs out of your /27 ?

    Gderf,

    My apologies, was getting late and I was sloppy with my response - you were correct in your assumption that I want private /24 on my LAN interfaces NATd out separate public IPs…

    I.e.

    em1 (corp LAN):  192.168.1.1 /24. NAT: yyy.yyy.32.226

    em2 (guest WiFi):  172.16.1.1 /24.  NAT: yyy.yyy.32.227

    Is this possible???  Would I still use VIPs to accomplish this?  The limitation with the VIPs that I experienced using PARP was that the subnet on pfSense WAN, /30, was applied to my VIPs.

    I.e. when I set up the PARP using either single address or network, and specify the /27, upon creating the 1:1 NAT rule for a given PARP address such as yyy.yyy.32.229 - pfSense seemed to apply the WAN /30 and the PARP IP would appear as yyy.yyy.32.230 once leaving pfSense - even though it was set correctly inside VIP as yyy.yyy.32.229???



  • The way I have done this in the past had a separate router connected to the ISP's /24 gateway (your /30) that provided my /29 on the LAN port (your /27). This is analogous to that pricey router they offered you. It was a Speedstream 5660 ADSL router and all I had was a 1.5mbit circuit. I could also have built my own router from a junk PC, two NICs, and run one of those tiny router distros from a floppy disk. The interface to the ISP in this scenario would be an ATM to Ethernet ADSL bridge modem. Either way, it was still a separate router.

    The firewall box (an old PC running GTA GB-Flash v3.4.2, commercial, FreeBSD based like pfsense, but not free) had its WAN interface with one of my usable /29 IPs. The remaining IPs in the routed /29 subnet were assigned to the WAN as "Alias IPs."

    The other interfaces in the firewall box all had private IP networks and they were NAT'd out to the WAN IP Alias IP address of choice.

    This is AFAIK, the more or less standard way of doing this.

    I'd like to think that if there is some way to do this with a single pfsense box that did not require that separate router (to link your /30 to the /27), then someone would have provided the answer already.

    Lurkers please chime in if it really can be done with one box.

    One thing I can suggest but have no idea if it would actually work is this:

    Configure your WAN interface for the /30

    Configure an interface for the /27 with one IP defining the interface, no gateway, and some or all of the remaining available IPs as Alias IPs. Do not plug anything into this ethernet port.

    Configure another interface as a private network and see if you can NAT it out via an IP on the /27.

    I'd be surprised if it worked. If it does work, keep adding interfaces on unique private networks. If it all works after very careful testing, you got lucky.



  • @Metu69salemi:

    PARP can't be used by pfSense itself

    And can you please explain why you need another router between pfSense and the ISP?

    I've got a single WAN + static IPs & 3 LANs and each LAN is using its own static public IP

    And you may use a firewall rule to block that access to your datacenter. Just remember, rules work on ingress and in top-to-bottom order

    Metu69Salemi,

    I suspect your Static IPs are on the same network as your WAN link… My WAN link is a /30 , and my Static IPs are a in a /27.



  • Thanks Gderf,

    This is what I suspected all along.

    Who makes nice router-specific software (instead of using pfSense)?  I have a dual XEON SOCKET 2.6Ghz 1u server with 2 Gbit and 1 FE NIC.  I could build my own Router I suppose?  Is Vyatta a good choice? OR, do I simply use pfSense again?



  • Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

    em0 – WAN -- .82.218
              Gateway .82.217 (default)

    em1 -- .32.226
              No gateway

    em2 -- .32.227
              No gateway

    em3 -- .32.227
              No gateway

    Go to Firewall-->NAT-->Outbound and set it to MANUAL.

    Delete the rules that show up (auto-generated rules that make the /27 get NATed to the WAN address)

    At this point your /27 is "live" on em1 to em7

    Set the CARPs (or PARPs) back up the way you had them working before but use the em1 - em7 .32.2xx addresses.

    This is the point where I lose it completely. My setup is simple public IP straight passthrough so I have no clue how to work with CARP. But from this point (NAT off) you should be able to connect the private address ranges to individual interfaces and create MANUAL NAT rules from private IP range ---> single public IP. The public IP will be passed through the WAN gateway intact.

    Somebody beat me with a wet noodle if I'm too far off base. I can't flesh it out any further due to the fact that I just started using pfSense a few days ago myself.

    I only have two interfaces in my pfsense box or I'd try hanging a private range off of one of my public IP's here as proof of concept.

    Gerald



  • You could pick from the rather extensive list here:

    http://en.wikipedia.org/wiki/List_of_router_or_firewall_distributions

    I would probably do the most minimal install of any BSD or Linux I was up on since I already have the software lying around. The only things you need are the networking stack and some way to manage it remotely such as sshd. There is always a lot of baggage that comes in with a default install, and it's probably best to do that and try to slim it down later rather than be too stingy going in and wind up with a non-working install.

    If you don't need remote management, you can just use a keyboard and monitor. After a while, you would probably disconnect these until needed again which could be very rarely. Just make sure the BIOS will handle booting all the way in with a missing keyboard.

    The only thing that needs configuring is enabling routing between interfaces, and configuring the two NICs. You might want to port scan the box once it comes up to be sure that no unnecessary services are running. And perhaps verify the actual throughput to be sure it is not a bottleneck.

    I guess none of my other suggestions worked?

    Not being a current pfsense user probably doesn't help much - I'm on m0n0wall these days.

    I seem to remember that the GB-Flash I was using long ago would allow Alias IPs on the WAN that were on another network, so you could have a /30 WAN and Alias the /27 onto it. But I never had a need for that type of setup and the software has long since been filed away and no longer in use.

    Let us know how this works out for you. That huge up-charge for that ISP supplied router is a big incentive to get this done yourself.



  • @phorce1:

    Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

    em0 – WAN -- .82.218
               Gateway .82.217 (default)

    em1 -- .32.226
              No gateway

    The above works.

    When you add this

    em2 – .32.227
              No gateway

    it stops working.

    You can't have two interfaces in the same machine define the same network.



  • @gderf:

    @phorce1:

    Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

    em0 – WAN -- .82.218
               Gateway .82.217 (default)

    em1 -- .32.226
              No gateway

    The above works.

    When you add this

    em2 – .32.227
              No gateway

    it stops working.

    You can't have two interfaces in the same machine define the same network.

    How about:

    em0 – WAN -- .82.218
              Gateway .82.217 (default)

    em1 -- .32.225 (/27)
              no gateway

    em2 -- .32.226
              Gateway .32.225

    em3 --  .32.227
              Gateway .32.225

    etc.



  • Specifying or not specifying a gateway isn't what breaks things.

    Having two or more network adapters defining the same network in the same machine does break things.

    He could split his One /27 into

    Two /28s or
    Four /29s or
    Eight /30s

    or a valid combination of fewer of each of the above, and put them on individual interfaces. These would become different networks so it would be legal and it would work. But that doesn't solve his problem.
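
The rule gderf states here (no two interfaces in one machine may define the same connected network, but a /27 carved into /28s, /29s or /30s gives distinct networks) is easy to check mechanically before touching a firewall. The Python below is an added example written for this page, not part of the thread or of pfSense: it flags overlapping interface networks in a proposed assignment, carves a routed block into disjoint subnets, and derives the first-usable address per carved subnet the way one would hand them to interfaces. Addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress
from itertools import combinations


def overlapping_interfaces(assignments):
    """assignments: {iface_name: 'addr/prefix'}. Return the sorted pairs of
    interfaces whose connected networks overlap (identical or nested)."""
    nets = {name: ipaddress.ip_interface(a).network for name, a in assignments.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def split_block(block, new_prefix):
    """Carve a routed block into disjoint subnets of new_prefix length,
    returned as CIDR strings in address order."""
    return [str(n) for n in ipaddress.ip_network(block).subnets(new_prefix=new_prefix)]


def assign_first_usable(subnets):
    """Give each carved subnet to an interface em1, em2, ... using its first
    host address, the conventional router address in the block."""
    plan = {}
    for i, s in enumerate(subnets, start=1):
        net = ipaddress.ip_network(s)
        plan[f"em{i}"] = f"{next(net.hosts())}/{net.prefixlen}"
    return plan


if __name__ == "__main__":
    # The layout phorce1 proposed: two interfaces inside the same /27.
    proposed = {
        "em0": "203.0.113.218/30",
        "em1": "198.51.100.226/27",
        "em2": "198.51.100.227/27",
    }
    print("overlaps:", overlapping_interfaces(proposed))
    for plen in (28, 29, 30):
        carved = assign_first_usable(split_block("198.51.100.224/27", plen))
        carved["em0"] = "203.0.113.218/30"
        print(f"/{plen}:", carved, "overlaps:", overlapping_interfaces(carved))
```

Carving the block this way only makes the interface assignment legal; as gderf notes in the next replies, it does not by itself give the original poster what he wants, which is private subnets on the LAN interfaces translated to individual public addresses, and every /30 carved off this way also spends two of its four addresses on network and broadcast.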



  • For his purposes breaking it into 8 /30 nets would probably work. He doesn't appear to have that many private networks he wants to NAT out. But he's already shopping for a router to make the /27 available to the pfSense box directly.



  • No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.



  • @gderf:

    @phorce1:

    Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

    em0 – WAN -- .82.218
               Gateway .82.217 (default)

    em1 -- .32.226
              No gateway

    The above works.

    When you add this

    em2 – .32.227
              No gateway

    it stops working.

    You can't have two interfaces in the same machine define the same network.

    The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :)  I want private IPs 192.168.1.1 /24  etc… I want them NATd to public IPs...



  • I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.



  • Will be building router later to try this out…



  • @gderf:

    I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.

    Right, no I absolutely appreciate your help!  I liked how you know your networking.  I know it wouldn't work but I didn't know the "reasoning" I knew it had to do with the /30 and /27 over the WAN link but didn't know why, now I do :)

    Thanks!



  • sierradump, you can always try pfsense commercial support.

    Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP)

    Try using ProxyARP VIPs and Manual Outbound NAT (AON).



  • @dhatz:

    sierradump, you can always try pfsense commercial support.

    Anyway, if I understand your requirements correctly, I think pfsense can do what you want, i.e. NAT each internal network (LAN, WLAN etc) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP)

    Try using ProxyARP VIPs and Manual Outbound NAT (AON).

    Sad face.  Tried this early on, it sort of worked but had broken functionality.



  • @sierradump:

    Tried this early on, it sort of worked but had broken functionality.

    Broken functionality how?

    I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.



  • Use the ISP WAN range on the WAN side and the ISP LAN range, i.e. the first public IP, on the LAN side.
    Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
    Delete all auto-generated NAT rules.



  • @anagh:

    Use the ISP WAN range on the WAN side and the ISP LAN range, i.e. the first public IP, on the LAN side.
    Open Firewall > NAT, click Manual Outbound NAT rule generation and SAVE.
    Delete all auto-generated NAT rules.

    This doesn't provide the private IP network interfaces he requires.

