Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)
-
We just received a gigabit fiber circuit and I'm struggling with configuring pfsense.
The ISP has given us WAN and LAN IP's but this is somewhat misleading as the LAN IPs are actually the public IPs.
The WAN is a /30, basically the link from our building to their building.
The LAN is a /27, giving us 28 useable IPs.
ISP has provided the following information:
NETWORK:
WAN - xxx.xxx.82.216/30
LAN - yyy.yyy.38.224/27 (useable IPs xxx.xxx.38.226 -254)
Subnet Mask: 255.255.255.224
Gateway: yyy.yyy.38.225
pfSense works if I set up the WAN link using xxx.xxx.82.218 as interface IP with xxx.xxx.82.217 as the gateway. But that is not utilizing the 28 public IPs.
Am I forced to put a router in front of pfSense? Router would use the WAN IP information, and pfSense would use the LAN IPs…
I would rather NOT have to buy another piece of equipment so I would like to see if I can use Virtual IPs to solve the issue???
Possible issue: the WAN and LAN blocks have different gateways and /netmasks
-
Because that is a continuous block of IPs you have the possibility to use PARP, CARP and VIPs for extra IPs, and can have 1:1 NAT or manual outbound NAT for other tasks
-
WAN ip has to be the /30 to create link to ISP…
I have 6 other interfaces on the pfSense... I am using these 6 interfaces for various things, but all are "small LANs". I would like each of these LANs to browse the web using different IPs... Would I use PARP for that?
-
You can use it like that
-
Didn't work… I think the issue is that the public IPs need a different gateway/netmask than the WAN interface... How to do this? GRRRR. Can someone hold my hand here?
-
If you were dealing with a router, it would be configured like this.
WAN IP: xxx.xxx.82.218
Netmask: 255.255.255.252 (/30)
Gateway: xxx.xxx.82.217
Network: xxx.xxx.82.216
Broadcast: xxx.xxx.82.219
LAN IP: yyy.yyy.38.225
Netmask: 255.255.255.224 (/27)
Gateway: None
Network: yyy.yyy.38.224
Broadcast: yyy.yyy.38.255
Routing across interfaces must be enabled.
You plug a switch into the LAN port and you have 29 usable IPs - yyy.yyy.38.226-yyy.yyy.38.254 available.
(Routed subnet of 32 IPs) - (1 IP for Network) - (1 IP for Broadcast) - (1 IP for Router) = 29 usable IP addresses
Any of the addresses yyy.yyy.38.225-yyy.yyy.38.254 could be used as the router LAN IP. But it is customary to use either the first (yyy.yyy.38.225) or the last (yyy.yyy.38.254) of the 30 available IP addresses.
One machine plugged into the switch could be configured like this.
IP: yyy.yyy.38.226
Netmask: 255.255.255.224 (/27)
Gateway: yyy.yyy.38.225
Network: yyy.yyy.38.224
Broadcast: yyy.yyy.38.255
This is how routed service works. A router configured as above is not a firewall. There is no NAT and no use of private IP addressing. All IP traffic from the internet destined to any of your routed subnet IP addresses will arrive on the WAN port, go freely across to the LAN port onto the switch and arrive at any machine having one of your usable IP addresses.
Any OS that can route IP across interfaces configured as above would be a router. (Windows NT or later, Linux, any BSD, etc.)
I'm not sure what happens when you put a pfsense box there. It may or may not route across interfaces without a rule on the LAN interface to allow it.
-
Gderf,
In your reply, that would visually look like this correct?
ISP (xxx.xxx.82.217) <---> (xxx.xxx.82.218) <wan> My Router <lan> (yyy.yyy.38.225) <---> (yyy.yyy.38.226) <wan> pfSense <lan> (192.168.1.1) <---> (192.168.1.2) My Switch <----> 192.168.1.x Clients
Somewhere on the router some "voodoo magic" happens with a bridge or something where it pushes the yyy.yyy.38.224 /27 traffic ACROSS the xxx.xxx.82.216 /30 network.
QUESTION: Is it possible to accomplish this WITHOUT A ROUTER? Basically I want to combine the "My Router" and "pfSense" above into JUST a pfSense appliance???
-
pfSense can work as a router if you remove NAT (manual outbound NAT).
Just remove the NAT rules and you have a router. You may want to adjust the LAN IP address and DHCP server settings also.
-
There is no "voodoo magic" involved. The way to think about what a router is is that it is a device that connects two networks. You have a /30 connected to a /27. That's all it does. That's all it needs to do.
Service like you have almost always comes with a provided router, or a list of qualified equipment that lets you shop for one yourself. Were you offered any options for this?
How many public IP addresses do you actually need and do you want any of them on your computers? Or do you want only private IPs on your computers?
-
Thanks for your help.
They offered a managed router service but wanted $600/mo extra for this + $x,xxx.xx to set it up. I turned this down because I have this working at another site using only pfsense - but the ips are on the same network… I didn't know we would get p2p /30 that we had to route across.
I know pfsense can be a router - but then I lose NAT. What I don't know is if it is an either/or situation or can I have both?
I don't need any machines to have a public ip. All will be private ip for now. What I want is to have each of my lans NAT out different public ips (yyy.yyy.yyy.yyy)
-
If you want only to have internal ip's then normal automatic nat rule should be enough. it maps 192.168.1.1/24 -> x.x.x.128 /30 in this case
What is problem then?
-
If you want only to have internal ip's then normal automatic nat rule should be enough. it maps 192.168.1.1/24 -> x.x.x.128 /30 in this case
What is problem then?
Yes, simply setting the pfSense WAN port to xxx.xxx.82.218 and pointing it to the proper gateway IP of xxx.xxx.82.217 does create a usable link. NAT works fine here for my LAN clients.
The PROBLEM, is that this is not what I need.
I have 8+ interfaces on my pfSense hardware. I'm only using 3 right now (until I can figure this out, i'm stuck with 2).
em0 = WAN (xxx.xxx.82.218 /30)
em1 = Corp LAN (192.168.1.x /24)
em2 = Guest WiFi (172.16.1.x /24)
Right now, em1 and em2 can browse the internet fine using NAT – The problem is em2 is a "guest wifi" network.
We use IP Authentication to servers in a data center. So our em1 LAN (corp network) is browsing the internet from xxx.xxx.82.218 IP. We whitelist that IP so we can access our servers.
Now a guest shows up to our office, gets on the "guest wifi" and can't see any of our LAN machines, but can easily access our datacenter since they too are browsing the internet from xxx.xxx.82.218 which is whitelisted in the datacenter.
My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.
i.e.
em1 (corp lan) = yyy.yyy.32.226
em2 (guest wifi) = yyy.yyy.32.227
etc...
-
Answer: CARP/VIP + Manual outbound nat
- Create VIP/CARPS as many as you like with public ip
- Define manual outbound nat to use such an carp/vip with another network
Creation for both ones is very simple, but ask for help if it's not self explaining
-
What's the difference between CARP and PARP? I tried PARP but it didn't work because it applies the net mask ( /30 ) of the WAN link to use the VIP.
I think the official answer here is that pfSense alone will not achieve what I want. It is necessary to put a router between ISP and pfSense?
-
PARP can't be used by pfsense itself
and can you please explain why you need an another router between pfsense and isp?
i've got single wan + static ip's & 3 lans and each lan is using their own static public ip
and you may use firewall rule to block that access to your datacenter. just remember, rules work on ingress and top to down order
-
My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.
i.e.
em1 (corp lan) = yyy.yyy.32.226
em2 (guest wifi) = yyy.yyy.32.227
etc…
No and the reason isn't a deficiency in pfsense. It's a limitation of IP networking. All interfaces in a single machine must define a unique network. What you are showing has em1 and em2 both belonging to your /27. This is ambiguous and either one or both interfaces will stop working once you configure the second one this way.
But I thought what you were looking for was multiple separate private IP networks NAT'd to single individual public IPs out of your /27 ?
The pricing on the ISP supplied managed router, if accurate, is ….well ..... ludicrous. If, in the end, this is what it takes to accomplish your goals, then you can put one together yourself for a one time cost well under anything like the ISP wants. The challenge will be that to route a gigabit of bandwidth, the hardware will have to be fairly robust. Software-wise it's fairly trivial, and you could run it headless once it's set up and configured.
Is there some way you can talk your ISP into delivering your routed /27 at the demark rather than a /30 that you need a router to capture the /27 at that huge upcharge?
Maybe there is something (voodoo magic) within pfsense that will accomplish what you want in a single instance of it. But I'll admit not being familiar enough with the product to say so.
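An added check, not code from the thread or from pfSense, of the addressing arithmetic in Gderf's two posts: the usable range of the routed /27 once network, broadcast and router address are removed, whether a gateway is on-link for a given interface (the /30 versus /27 gateway mismatch the original poster kept hitting), and whether two interfaces of one host fall into the same subnet (the em1/em2 problem just described). The addresses are constructed RFC 5737 stand-ins for the thread's masked xxx/yyy values.

```python
import ipaddress
from itertools import combinations

# Constructed stand-ins (documentation ranges) for the thread's masked
# xxx.xxx.82.216/30 link and yyy.yyy.38.224/27 routed block.
WAN_LINK = "198.51.100.216/30"
ROUTED_BLOCK = "203.0.113.224/27"


def usable_hosts(cidr, router_ip=None):
    """Hosts in a routed subnet minus network, broadcast and the router's
    own address: 32 - 1 - 1 - 1 = 29 for a /27 that also holds the router."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = set(net.hosts())  # hosts() already drops network and broadcast
    if router_ip is not None:
        hosts.discard(ipaddress.ip_address(router_ip))
    return sorted(hosts)


def check_interface(ip, prefixlen, gateway=None):
    """Return a list of problems with an interface's IP/mask/gateway.
    The gateway must sit inside the interface's own subnet to be on-link."""
    iface = ipaddress.ip_interface(f"{ip}/{prefixlen}")
    problems = []
    if iface.ip == iface.network.network_address:
        problems.append(f"{iface.ip} is the network address of {iface.network}")
    if iface.ip == iface.network.broadcast_address:
        problems.append(f"{iface.ip} is the broadcast address of {iface.network}")
    if gateway is not None and ipaddress.ip_address(gateway) not in iface.network:
        problems.append(f"gateway {gateway} is not on-link for {iface.network}")
    return problems


def find_overlaps(interfaces):
    """interfaces: {name: 'ip/prefix'}. Return sorted name pairs whose subnets
    overlap; one host cannot have two interfaces defining the same network."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


if __name__ == "__main__":
    print(len(usable_hosts(ROUTED_BLOCK, "203.0.113.225")), "usable IPs")
    # WAN /30 interface pointed at the /27's gateway: flagged as not on-link
    print(check_interface("198.51.100.218", 30, "203.0.113.225"))
    print(find_overlaps({"em0": "198.51.100.218/30",
                         "em1": "203.0.113.226/27",
                         "em2": "203.0.113.227/27"}))
```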
-
My question/goal is can I use a SINGLE pfSense instance to utilize the public IPs the way the ISP has provided us service.
i.e.
em1 (corp lan) = yyy.yyy.32.226
em2 (guest wifi) = yyy.yyy.32.227
etc…
No and the reason isn't a deficiency in pfsense. It's a limitation of IP networking. All interfaces in a single machine must define a unique network. What you are showing has em1 and em2 both belonging to your /27. This is ambiguous and either one or both interfaces will stop working once you configure the second one this way.
But I thought what you were looking for was multiple separate private IP networks NAT'd to single individual public IPs out of your /27 ?
Gderf,
My apologies, it was getting late and I was sloppy with my response - you were correct in your assumption that I want private /24s on my LAN interfaces NATed out separate public IPs…
I.e.
em1 (corp LAN): 192.168.1.1 /24. NAT: yyy.yyy.32.226
em2 (guest WiFi): 172.16.1.1 /24. NAT: yyy.yyy.32.227
Is this possible??? Would I still use VIPs to accomplish this? The limitation with the VIPs that I experienced using PARP was that the subnet on pfSense WAN, /30, was applied to my VIPs.
I.e. when I set up the PARP using either single address or network, and specify the /27, upon creating the 1:1 NAT rule for a given PARP address such as yyy.yyy.32.229 - pfSense seemed to apply the WAN /30 and the PARP IP would appear as yyy.yyy.32.230 one leaving pfSense - even though it was set correctly inside VIP as yyy.yyy.32.229???
-
The way I have done this in the past had a separate router connected to the ISP's /24 gateway (your /30) that provided my /29 on the LAN port (your /27). This is analogous to that pricey router they offered you. It was a Speedstream 5660 ADSL router and all I had was a 1.5mbit circuit. I could also have built my own router from a junk PC, two NICs, and run one of those tiny router distros from a floppy disk. The interface to the ISP in this scenario would be an ATM to Ethernet ADSL bridge modem. Either way, it was still a separate router.
The firewall box (an old PC running GTA GB-Flash v3.4.2, commercial, FreeBSD based like pfsense, but not free) had its WAN interface with one of my usable /29 IPs. The remaining IPs in the routed /29 subnet were assigned to the WAN as "Alias IPs."
The other interfaces in the firewall box all had private IP networks and they were NAT'd out to the WAN IP Alias IP address of choice.
This is AFAIK, the more or less standard way of doing this.
I'd like to think that if there is some way to do this with a single pfsense box that did not require that separate router (to link your /30 to the /27), then someone would have provided the answer already.
Lurkers please chime in if it really can be done with one box.
One thing I can suggest but have no idea if it would actually work is this:
Configure your WAN interface for the /30
Configure an interface for the /27 with one IP defining the interface, no gateway, and some or all of the remaining available IPs as Alias IPs. Do not plug anything into this ethernet port.
Configure another interface as a private network and see if you can NAT it out via an IP on the /27.
I'd be surprised if it worked. If it does work, keep adding interfaces on unique private networks. If it all works after very careful testing, you got lucky.
-
PARP can't be used by pfsense itself
and can you please explain why you need an another router between pfsense and isp?
i've got single wan + static ip's & 3 lans and each lan is using their own static public ip
and you may use firewall rule to block that access to your datacenter. just remember, rules work on ingress and top to down order
Metu69Salemi,
I suspect your static IPs are on the same network as your WAN link… My WAN link is a /30, and my static IPs are in a /27.
-
Thanks Gderf,
This is what I suspected all along.
Who makes me a nice router-specific software (instead of using pfSense?). I have a dual XEON SOCKET 2.6Ghz 1u server with 2 Gbit and 1 FE NIC. I could build my own Router I suppose? Is Vyatta a good choice? OR, do I simply use pfSense again?