Public IPs for machines behind pfsense
-
Hi:
First accept my apologies if this should be covered elsewhere
I am new to PFsense, and I am going to apply this to my small IDC business, I have several IP blocks /25 and /24, and I have searched a while but haven't really found any thing which indicates how to
"set PFsense and give all machines public IPs directly under it"
by saying "directly" I mean if I own 66.55.99.0/24, and set PFsense as 66.55.99.100, 16 machines under it, their IPs are 66.55.77.101,102…..106.
I don't want to use any port forwarding or 1:1 NAT cuz I will have many VPSes under the physical machines by VMware, VBOX and XEN, it's better to have IPs directly instead of port forwarding to internal IP addresses.
does somebody know/have already done the setting for this? what am I going to do? bridge?
thank you very very much
-
MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.
-
MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.
That would be very dumb on Microsoft's part. Especially since almost all of IPV6 is route-able on the internet. They are also going to cause problems for those who put them live on the internet as web server or those who are using a transparent firewall.
For you problem at hand, you have two options.
You can use virtual IPs and NAT with rules so as to translate External IPs to Internal. This looks like something you don't want to do.
The second option is to setup a bridge. In this case it is a transparent firewall. You will only set 1 IP on the LAN and then filter all traffic on the WAN.
-
MS Server 8 won't allow public IP's
Where did you pick up that piece of FUD?
Are you thinking of maybe SBS 2008, which is specialty build?
http://support.microsoft.com/kb/957717
Unable to Install SBS 2008 with a Public IP Address -
MS Server 8 won't allow public IP's
Where did you pick up that piece of FUD?
Are you thinking of maybe SBS 2008, which is specialty build?
http://support.microsoft.com/kb/957717
Unable to Install SBS 2008 with a Public IP AddressCould be.
What's a FUD?
-
-
This is true it can stand for that, it can also stand for "F_cked Up Disinformation"
Either way works really with your statement ;)
-
lol. I was partly right (it was A server flavour, right? :D :D :-*).
It's still bad practice to give a host a public IP.
-
"It's still bad practice to give a host a public IP."
Not if its a public server, say Web Server ;) Email Server, FTP Server, etc. etc. etc..
If the host is connected to the public net to provide something to the public net then yes it would need a public IP.
So your suggesting that every server should be behind a NAT?
-
"It's still bad practice to give a host a public IP."
Not if its a public server, say Web Server ;) Email Server, FTP Server, etc. etc. etc..
If the host is connected to the public net to provide something to the public net then yes it would need a public IP.
So your suggesting that every server should be behind a NAT?
For additional protection I'd say so. Otherwise you are putting all your faith in software firewall solutions.
-
"Otherwise you are putting all your faith in software firewall solutions."
Again more FUD!! Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.
-
"Otherwise you are putting all your faith in software firewall solutions."
Again more FUD!! Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.
How about stop being a dick, and explain then? I'm here to learn as much as everyone else.
I have always been told to use NAT and put servers on a separate LAN. Without putting special configurations, I didn't know you could firewall effectively if you have a DMZ'ed host with a public IP.
-
Not trying to be a "dick" I assure you - its just that your statements are FUD.. If you are not sure then you should word them as questions and not what "seems" to be a FACT in your mind?
example.
–--So your suggesting that every server should be behind a NAT?
For additional protection I'd say so. Otherwise aren't you just putting all your faith in software firewall solutions on the host?.
–--Not sure what firewalls you have worked with in the past, but I assure you you do not have to be behind a nat to process rules that either allow or deny access. Not sure where you would of gotten that idea other than maybe home type routers, and normally those routers don't even really create a real DMZ, more of what they call a DMZ Host - which is just the forwarding of ports that are not otherwise forwarded already.
More than happy to help you with any questions you have.. Who told you this "I have always been told to use NAT and put servers on a separate LAN".. This is just FUD plain and simple.
I think its already been brought up - if this is your understanding, what do think will happen with IPv6? Do you think NAT will still be used?
Don't get me wrong, not saying that NAT is not a useful tool - that sure can be used in protecting your hosts, or for sharing a IP, etc. etc. Lots of use for it. But there are protocols that just do not work, or do not work well when behind a NAT. And created extra overhead when its just not needed, there are places and uses for nat and or napt sure. But it is not the end all get all of protecting your servers.
-
I agree … a bridging firewall (or transparent firewall) is just as effective IMO. Plus, you get to hide your firewall so there is no gateway for attackers to attack. Not saying that won't stop attackers from trying or succeeding .. just makes it a little more difficult. But to just say that NAT is the only right way is a bit out there especially if you are unsure.
-
Does not have to be a bridging or transparent firewall either. But that is an option as well without NAT.
-
The lack of NAT is one of the things that I love about ipv6. Or rather, no longer needing to NAT anything. With ipv6, every global address on you lan is also your public ip. Using public ip's through a firewall without NAT works pretty much the same way on ipv4.
-
would you mind to tell me how to make that transparent bridge? use "bridge" under "interface" and select the WAN and LAN? what IPs to put on them? Both public?
-
would you mind to tell me how to set up the bridge? just choose "Bridge" and select WAN and LAN? what kind of IPs to give to them? Both Public? Thank you very much
-
Have you read this thread?
http://forum.pfsense.org/index.php/topic,36562.0.html
Clean Install with pfsense 2.0 using transparent firewall
