I need help with a rather odd setup



  • I will be using the local utility company for our internet in our new office.  I'd like to know if it's possible to make this kind of setup work with a single pfSense box.  The way the tech explained it to me is the setup will go:

    UTIL CO (fiber to CAT5 interface box) -> MY ROUTER (router IP) -> PUBLIC IP INTERFACE (public IP) -> INTERNAL NETWORK.

    The router IP and my public IP are two different IPs.  Also, I cannot have any type of NAT between the router IP and my public IP.  It's basically just a passthrough.  Beyond the PUBLIC IP INTERFACE I can do anything I want with NAT and firewalls, etc.  Basically I've got one CAT5 coming in and two IPs I need to set.  Without using more than one interface or router I don't know how to go about setting this up in pfSense.

    Thanks



  • When you say 'my router', do you physically have another router, or is your pfSense box your router?

    I had this exact same setup before, with a Cisco router and my pfSense box.

    Just have your router set up as you normally would, and on the WAN interface of the pfSense box, just set it to get an IP from the router via DHCP.


  • Netgate Administrator

    This is a confusing post!  ???

    Are you describing a setup with three boxes (fibre to cat5, router, pfSense)? If so why do you need the extra router?

    If you can do anything you want on your internal network you are presumably going to use a private address space with NAT. Your public IP will only be on your pfSense WAN interface.

    Perhaps you have an unusual internet connection. If you tell us who your ISP is (even provide us with a link pointing to their product page) we can probably tell you what you will need.

    Steve



  • I wish I understood the setup well enough to explain it.  Basically I have two IP addresses.  One is my router IP.  The ISP (Springnet) doesn't host their end of the IP on any of their equipment.  All they provide is the pipe.  So I need a router to do that along with the more traditional things pfSense does (NAT, firewall, etc.).  So my router IP will be a physical interface on the "WAN" side.  I need to transparently forward all traffic from that interface to, and this is where I get lost, my public IP.  I could set that up as the "LAN" side and then go along my merry way setting up another pfSense box like I always do behind that.  What I want to do is trim that down to one pfSense box.  I was looking over virtual IPs last night.  It seems that is what I want to do.  Have my WAN be the router IP, forward everything to the virtual IP (the public IP the ISP gave me), then use the second physical interface as my LAN side.  All my firewall rules, NAT stuff, etc. will reference the virtual IP.  The WAN interface at this point will not ever be used.

    Make sense?



  • As far as I know you will definitely need to use the WAN interface.  Your post is still confusing, but I still don't see any need for a router.  pfSense will do everything that you need.



  • @luke240778:

    As far as I know you will definitely need to use the WAN interface.  Your post is still confusing, but I still don't see any need for a router.  pfSense will do everything that you need.

    Yeah, sorry.  Like I said, I wish I understood the setup well enough to explain.  From what I understand, the WAN interface on pfSense will be the endpoint for the fiber link.  That's the router IP I referred to in my first post.  Then I have my public IP.  Traditionally this would be the only IP an ISP would give.  They host their end of the network on their equipment, like a cable modem or DSL.  In this case I have to supply everything.  All they provide is the fiber.  So I've got two IPs to deal with.

    Fiber -> Router IP (WAN interface) -> Public IP (virtual IP perhaps?) -> NAT -> My side of the network (192.168.0.0/24)

    Between the Router IP (WAN interface) and the Public IP (which I'm going to try a virtual IP and see if that works) I need to do 100% transparent routing.  Both ways.  The public IP is what I'd use as my de facto "WAN" interface.

    I've just never done a setup like this before so I could use a little bit of reassurance.


  • Netgate Administrator

    You mean these guys?
    http://www.springnet1.com/index.php?page=internet

    Do you know what their fibre to cat5 box is (manufacturer, model number)?

    Is this a home broadband service or something a lot more expensive?

    It seems very likely that their box provides an ethernet connection over which you connect to whatever they have at their end with PPPoE. If it's not that then it's something weird! Which could be possible.  ;)

    If it's these guys (used to be springnet.cc)
    http://www.iserv.net/

    Then you may have metro ethernet, though that doesn't normally involve fibre.

    Either way if they provide an ethernet service I'd be amazed if pfSense couldn't talk to their equipment down it.

    Steve

    Edit: I typed too slow. They just provide a fibre?



  • Yeah, basically if they are providing you with a link and you get an Ethernet cable from them on your end, that is going to have to come with an IP address.  Their equipment on the other end has to have one also, so there is no way that you can't get that hooked up to the pfSense WAN interface and set everything up on that. I still see no need for an additional router.


  • Netgate Administrator

    Ah do you mean these guys?
    http://www.springnet.net/
    They provide a 'fibre broadband' service. They also have almost no useful information on their website.  ::)

    Steve



  • @benutne:

    Fiber -> Router IP (WAN interface) -> Public IP (virtual IP perhaps?) -> NAT -> My side of the network (192.168.0.0/24)

    Between the Router IP (WAN interface) and the Public IP (which I'm going to try a virtual IP and see if that works) I need to do 100% transparent routing.  Both ways.  The public IP is what I'd use as my de facto "WAN" interface.

    I've just never done a setup like this before so I could use a little bit of reassurance.

    Should be correct.  Effectively, you tag the WAN interface with virtual IPs corresponding to the public IP subnet you're using.
    The LAN on pfSense then NATs to the public IPs rather than the WAN itself.

    The routing is done statically at your ISP's router (the gateway for the WAN IP issued to you).  The router will advertise upstream that it is connected to both the WAN IP and the public subnet issued to you.

    Any traffic bound for either set of IPs will be sent through to your WAN link.  Since your public subnet IPs exist as virtual IPs on the WAN interface, pfSense will accept the packets and handle them accordingly.



  • @dreamslacker:

    @benutne:

    Fiber -> Router IP (WAN interface) -> Public IP (virtual IP perhaps?) -> NAT -> My side of the network (192.168.0.0/24)

    Between the Router IP (WAN interface) and the Public IP (which I'm going to try a virtual IP and see if that works) I need to do 100% transparent routing.  Both ways.  The public IP is what I'd use as my de facto "WAN" interface.

    I've just never done a setup like this before so I could use a little bit of reassurance.

    Should be correct.  Effectively, you tag the WAN interface with virtual IPs corresponding to the public IP subnet you're using.
    The LAN on pfSense then NATs to the public IPs rather than the WAN itself.

    The routing is done statically at your ISP's router (the gateway for the WAN IP issued to you).  The router will advertise upstream that it is connected to both the WAN IP and the public subnet issued to you.

    Any traffic bound for either set of IPs will be sent through to your WAN link.  Since your public subnet IPs exist as virtual IPs on the WAN interface, pfSense will accept the packets and handle them accordingly.

    OK.  This sounds correct.  I might come back with some specific questions regarding the setup but this is how I envisioned everything working.  Thanks for the help guys.  And yeah stephenw10, their website is completely useless.  Their tech support guys are pretty nice though.



  • OK…um.  Now what do I do?  How do I need to set up the virtual IP?  Proxy ARP?  CARP?  Other?  I started out with Alias IP.  Do I still need to set up 1:1 forwarding from the physical interface to the virtual one?
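As an added illustration, not written by anyone in the thread, here is the arrangement dreamslacker describes and the last question (VIP type, 1:1 or not) expressed as the kind of pf.conf that pfSense generates under the hood; interface names and all addresses are placeholders assumed for the example. Because the ISP statically routes the public block to the link IP, nothing on the WAN segment has to answer ARP for it, so an IP Alias VIP is sufficient and Proxy ARP or CARP is not required; 1:1 (binat) is only needed where an inbound connection must reach a specific internal host.

```pf
# Constructed pf.conf fragment. Addresses are RFC 5737 documentation ranges,
# interface names are assumed; substitute your own.
ext_if  = "em0"                 # WAN: the ISP fibre link, carries the "router IP"
int_if  = "em1"                 # LAN
link_ip = "198.51.100.2"        # router/link IP the ISP assigns on the fibre
link_gw = "198.51.100.1"        # ISP side of the link; the default route points here
pub_net = "203.0.113.0/29"      # public block the ISP statically routes to link_ip
pub_ip  = "203.0.113.1"         # address LAN hosts are masqueraded behind
web_srv = "192.168.0.10"        # internal host that gets its own public address
lan_net = "192.168.0.0/24"

# The public block lives on WAN as aliases (pfSense: Firewall > Virtual IPs,
# type "IP Alias"); on FreeBSD that is:  ifconfig em0 inet 203.0.113.1/29 alias
# No NAT touches link_ip itself. The ISP routes pub_net to it, so packets for
# 203.0.113.x simply arrive on em0 and pf treats them as local addresses.

# Outbound NAT: LAN traffic leaves with the public address, not the link address.
nat on $ext_if from $lan_net to any -> $pub_ip

# 1:1 mapping for one server (pfSense "1:1 NAT" creates binat). Needed only
# when inbound connections must reach that host, not for plain outbound access.
binat on $ext_if from $web_srv to any -> 203.0.113.2

# Anti-spoofing: nothing arriving from the ISP should claim our own public block.
block in quick on $ext_if from $pub_net to any

# Default-deny on WAN; state tracking lets replies to outbound sessions back in.
block in log on $ext_if all
pass out on $ext_if all keep state
pass in on $int_if from $lan_net to any keep state

# Publish only the services you intend to. binat translates inbound packets
# before filtering, so the pass rule matches the internal (translated) address.
pass in on $ext_if proto tcp from any to $web_srv port 443 keep state
```

Load with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`; confirm the ISP's static route with a traceroute to one of the 203.0.113.x aliases from outside, which should terminate on the link IP's hop and then the alias.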

