Setup for NAT plus multiple public IP's



  • It seems the following scenario should be possible, but I'm not quite understanding how to implement it.

    I have a public address n.n.n.106 for the WAN interface.  Then I have a block of 64 public IP's that I can give to systems on my network as follows:

    LAN interface: x.x.x.193
    usable ip range for network devices: x.x.x.194 thru x.x.x.254, using a gateway of x.x.x.193

    I would also like to have pfsense dish out dhcp to LAN workstations of 10.0.x.x NAT'ed thru the n.n.n.106 WAN interface, and additionally I would like some of my servers and a few workstations that need a public address to be able to statically set addresses of x.x.x.194 thru .254.  I know I can do this with two LAN interfaces, but I need all traffic coming through the same physical LAN port.  Can I do this?  Do I need to set up a virtual IP on the LAN interface?

    I won't be port forwarding to the 10.0.x.x workstations, but I want the ability to send all ports to some of the devices with the static public addresses - for example, ability to monitor if a server on x.x.x.195 is up or down by pinging it from the internet, or ability for servers to answer web, ftp, or smtp requests from the internet or LAN.

    I'm sure this type of setup should be fairly obvious, and I have some pieces of it working but I'm struggling to put it all together.  If I set the LAN interface to 10.0.0.1 then I can get workstations on 10.0.x.x online just fine NAT'ed through n.n.n.106.  Or if I set the LAN to x.x.x.193 and enable advanced outbound then I can get workstations to show up on the net using an address like x.x.x.195.  I can't figure out how to get both of these happening at the same time through the same nic, nor how to ping a server on one of the public ip's…


  • Rebel Alliance Moderator

    I'm not quite as fit with that topic as perhaps hoba is (waves), but I'd say define the LAN as mentioned with 10.0.0.1 and standard NAT to the n.n.n.106. Then use 1:1 NAT for the x.x.x.nnn addresses and define (CARP) Virtual IPs on the WAN interface for every x.x.x.nnn address you wanna use, as pfSense has to be aware of the x.x.x.192-255 addresses to react on them.

    Greets
    Grey



  • You probably don't want to have the 2 subnets (public IPs subnet and private IPs LAN) in the same layer 2 subnet. You need to route between the 2 anyway to make LAN clients talk to the public ones. Why do you have the 1 NIC for clients limitation for this setup? Physical dimensions of case/hardware? If yes, you should consider using VLANs in combination with a VLAN-capable switch. This adds additional security if used with firewall rules and is more like a DMZ attempt.

    Having 2 IPs from different subnets on the same interface that can be used by pfSense itself is currently not possible. We have this option in the head code branch already but it will take some time until this goes into a stable release. CARP (which is the only VIP type that can be used by the pfSense itself) only offers multiple IPs from the same subnet, so this is no option here.

    hoba waves back to grey  :D


  • Rebel Alliance Moderator

    Ah, my mistake here. Thought I read you mention that way in mapping public IPs to private ones a little while ago but can be wrong with it - "too much information overflow in brain.h" ;)



  • @hoba:

    You probably don't want to have the 2 subnets (public IPs subnet and private IPs LAN) in the same layer 2 subnet. You need to route between the 2 anyway to make LAN clients talk to the public ones. Why do you have the 1 NIC for clients limitation for this setup?

    Aah, I see the flaw in my approach.  It seems I need two routers - one to route n.n.n.106 (WAN) to x.x.x.193 (LAN) and then a second router/firewall (pfsense) with a WAN ip of x.x.x.194 (gateway of x.x.x.193) and LAN IP of 10.0.0.1 to dish out DHCP and to do 1:1 NAT to tie x.x.x.195 thru x.x.x.254 to some 10.0.x.x addresses.  This makes sense to me, but if I'm right it means I need another router, right?  Or is there some way to do all of this just using the one pfsense machine?

    I was placing value on setting some of the systems with public IP's, not realizing that I could get the same benefit using 1:1 NAT.  I hadn't considered the routing issues with the systems actually talking to each other  ;D.

    This setup is for a small wireless ISP.  The 1-NIC limitation was simply because some customers may want to upgrade to a static IP but I won't be able to move their connection to another network.
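
The single-firewall layout described in the post above (WAN on x.x.x.194, LAN on 10.0.0.1, 1:1 NAT for selected servers), written in FreeBSD pf.conf syntax as an added example; it is not from the thread and is not the ruleset pfSense itself generates. The interface names, the private server address and the 203.0.113.x documentation addresses standing in for x.x.x.194 and x.x.x.195 are assumptions.

```pf
# Constructed example. 203.0.113.x stands in for the thread's x.x.x.192/26.
ext_if  = "em0"              # WAN, assumed interface name
int_if  = "em1"              # LAN, assumed interface name
lan_net = "10.0.0.0/16"      # DHCP clients and servers behind the firewall
wan_ip  = "203.0.113.194"    # stands in for x.x.x.194 (firewall WAN address)
srv_pub = "203.0.113.195"    # stands in for x.x.x.195 (public side of one server)
srv_int = "10.0.1.195"       # assumed private address of that server

# 1:1 NAT: the server keeps its private address and the firewall maps it
# in both directions. The firewall must also answer ARP for $srv_pub on the
# WAN side, which is the job of the Virtual IP mentioned earlier in the thread.
binat on $ext_if from $srv_int to any -> $srv_pub

# All other LAN hosts share the WAN address for outbound traffic.
nat on $ext_if from $lan_net to any -> $wan_ip

# Default-deny inbound on the WAN, and log what gets dropped.
block in log on $ext_if all
pass out on $ext_if keep state
pass in on $int_if from $lan_net to any keep state

# In this syntax translation happens before filtering, so inbound rules
# match the private destination. A binat mapping alone opens nothing:
# only what is passed here reaches the server.
pass in on $ext_if inet proto icmp from any to $srv_int icmp-type echoreq keep state
pass in on $ext_if inet proto tcp from any to $srv_int port { 25, 80 } flags S/SA keep state
# FTP is left out: it needs a helper/proxy in addition to a pass rule.
```

With this in place the ping-based uptime check and the web/SMTP services work against the public address, while every other port on the mapped server stays closed from the internet.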



  • http://www.firewall.cx/vlans-links.php for some VLAN info as hoba said. I've just placed an order for a http://www.hp.com/rnd/products/switches/ProCurve_Switch_1800_Series/overview.htm

    Or if all the PCs are located in the same room, go with more LAN NICs to save some money.

    a diagram would be useful –-wan-----pfsense or use http://www.gliffy.com

