VIP/NAT help please!!
-
Hey all, Hopefully i can get some help here.. I have something i desperately need to get working and the more i read about VIP. CARP, NAT etc i am getting more and more confused.. I am after a simple set of instructions to do the following:
I have 1 public IP on my WAN connection: 189.53.100.10
I also have a block of ip's that currently are not in use and i need the to be.. SO, i need simple instructions on how i get this setup in pfsense to have this block of IP's working as i need a few servers in my LAN with Public ip's and also some clients on my WiSP needing Static IP's.. Ive tried creating a VIP entry for the block of IP's, but then i have absolutely no idea what to do and none of the material i am reading is making me understand it any better.
Apparently at the ISP the clock is already forwarded to my WAN ip.. i just need to do the rest on this end..
-
Your other IPs are in the 189.53.XXX.X range ? How many IPS you have ?
-
No, my block that i also have is: 201.73.17.176/28
-
If you are going to continue with that setup, you would make them ProxyARP.
-
I have no choice but to continue with that setup i guess as thats the ISP's way of doing things..
So ProxyARP.. do i create a single entry per IP or just 1 for the Block?
-
I have no choice but to continue with that setup i guess as thats the ISP's way of doing things..
So ProxyARP.. do i create a single entry per IP or just 1 for the Block?
Proxy ARP are best done as /32, or one per IP. IMO.
-
Ok, i have created ProxyARP VIP's.. created 1 entry per ip rather than the whole block. That part is not too dificult, its the next part that i can never undertand or get to work..
I dont know if now to use one of these VIP's as the public IP for my server, do i need to Port Forward it to the server LAN ip? Nat? 1:1? I have no idea, have tried them all and cant get it to work
-
So ProxyARP.. do i create a single entry per IP or just 1 for the Block?
Proxy ARP are best done as /32, or one per IP. IMO.
Why do you think that Proxy ARP VIPs are best done as /32?
If he defined the /28 block, pfsense will expand it to a list of 16 IPs and make them individually available in the NAT port-forward section.
-
So ProxyARP.. do i create a single entry per IP or just 1 for the Block?
Proxy ARP are best done as /32, or one per IP. IMO.
Why do you think that Proxy ARP VIPs are best done as /32?
If he defined the /28 block, pfsense will expand it to a list of 16 IPs and make them individually available in the NAT port-forward section.
Ahh.. in that case, i can just add the block of IP's in the VIP section, then do i need to create 1:1 NAT entries for each ip to go to a certain machine? (to use as public IP for servers for example)
-
So ProxyARP.. do i create a single entry per IP or just 1 for the Block?
Proxy ARP are best done as /32, or one per IP. IMO.
Why do you think that Proxy ARP VIPs are best done as /32?
If he defined the /28 block, pfsense will expand it to a list of 16 IPs and make them individually available in the NAT port-forward section.
So that you can dynamically use them. If you assign them all at once, you cannot use (even as a test) another device in front of the firewall. Could potentially be a security concern if you are not actively using the IP it will still reference the firewall. there could be a bug, or if there is not one, one could develop in an upgrade, that could allow someone access. human error can also bite you.
-
So guys, i have read all these posts, played with it.. read the pfSense book on NAT and VIP's but still can't get it to work.. Here is a simple scenario of what i want and hopefuly someone can give me a step by step that works:
To test i want to setup a XP box i have on my OPT1 so i can RDP to it using one of my Public IP's..
Current WAN IP: 189.53.100.10
Public IP Block: 201.73.17.176/28
Assign IP to XP: 201.73.17.178
XP Lan IP: 192.168.5.28I will do similar with servers but if i can just get the how to for this i can then apply that to the rest.
Hoping someone can assist..
-
From your XP box web browser, if you go to http://pfsense.org/ip.php wihich IP you see ?
-
Did you use port forward or 1:1 NAT? If you are using port forward, then you will need to use advanced outbound NAT (manual mode) to transform the outgoing ip to 201.73.17.178. Remember that it is first matching rule in AON so if your LAN rule is above your custom outbound, then the custom outbound will never happen.
