Do I need a router? ISP Provides WAN and "LAN" IPs? (LAN IPs are my Public IPs)
-
No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.
-
Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.
em0 – WAN -- .82.218
Gateway .82.217 (default)
em1 -- .32.226
No gateway
The above works.
When you add this
em2 – .32.227
No gateway
it stops working.
You can't have two interfaces in the same machine define the same network.
The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :) I want private IPs, 192.168.1.1 /24 etc… I want them NAT'd to public IPs...
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
-
Will be building router later to try this out…
-
I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.
Right, no, I absolutely appreciate your help! I liked how you know your networking. I know it wouldn't work but I didn't know the "reasoning". I knew it had to do with the /30 and /27 over the WAN link but didn't know why; now I do :)
Thanks!
-
sierradump, you can always try pfSense commercial support.
Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
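
The two points made in this thread (two interfaces cannot sit in the same network, and each private LAN can be NAT'd to its own address from the /27), as an added example that is not part of any post here. All addresses are constructed from documentation ranges, and the function names and the pf-style rule text are illustrative assumptions, not pfSense's generated ruleset:

```python
import ipaddress as ip

# Constructed sample addressing (documentation ranges, not the poster's real IPs).
ROUTED_BLOCK = ip.ip_network("203.0.113.224/27")   # public /27 handed out by the ISP
RFC1918 = [ip.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The layout that stopped working in the thread: em1 and em2 both in the /27.
BROKEN = {"em0": "198.51.100.218/30", "em1": "203.0.113.226/27", "em2": "203.0.113.227/27"}
# The layout the original poster wants: private LANs behind the firewall.
PRIVATE_LANS = {"em0": "198.51.100.218/30", "em1": "192.168.1.1/24", "em2": "192.168.2.1/24"}
# Hypothetical mapping of each private network to one public IP from the /27.
PLAN = {"192.168.1.0/24": "203.0.113.226", "192.168.2.0/24": "203.0.113.227"}

def overlapping_interfaces(ifaces):
    """Return sorted pairs of interface names whose configured networks overlap."""
    nets = {name: ip.ip_interface(addr).network for name, addr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def outbound_nat_rules(wan_if, mappings):
    """Build one pf-style outbound NAT line per private network.

    Raises ValueError for a source outside RFC 1918 space, a target that is
    not a usable host address in ROUTED_BLOCK, or a target used twice.
    """
    rules, used = [], set()
    unusable = (ROUTED_BLOCK.network_address, ROUTED_BLOCK.broadcast_address)
    for src, target in mappings.items():
        net, pub = ip.ip_network(src), ip.ip_address(target)
        if not any(net.subnet_of(r) for r in RFC1918):
            raise ValueError(f"{net} is not a private (RFC 1918) network")
        if pub not in ROUTED_BLOCK or pub in unusable:
            raise ValueError(f"{pub} is not a usable address in {ROUTED_BLOCK}")
        if pub in used:
            raise ValueError(f"{pub} is already mapped to another network")
        used.add(pub)
        rules.append(f"nat on {wan_if} inet from {net} to any -> {pub}")
    return rules

if __name__ == "__main__":
    print("overlaps in broken layout:", overlapping_interfaces(BROKEN))
    print("overlaps in private layout:", overlapping_interfaces(PRIVATE_LANS))
    for rule in outbound_nat_rules("em0", PLAN):
        print(rule)
```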
-
sierradump, you can always try pfSense commercial support.
Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which is different from the /30 that is used for your point-to-point link with your ISP).
Try using ProxyARP VIPs and Manual Outbound NAT (AON).
Sad face. Tried this early on, it sort of worked but had broken functionality.
-
Tried this early on, it sort of worked but had broken functionality.
Broken functionality how?
I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.
-
Use ISP WAN series on WAN side and ISP LAN series, i.e. first public IP, on LAN side.
Open firewall NAT, click Manual Outbound NAT rule generation and SAVE.
Delete all auto-generated NAT rules.
-
Use ISP WAN series on WAN side and ISP LAN series, i.e. first public IP, on LAN side.
Open firewall NAT, click Manual Outbound NAT rule generation and SAVE.
Delete all auto-generated NAT rules.
This doesn't provide the private IP network interfaces he requires.