Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Public IPs for machines behind pfsense

    Virtualization
    5
    19
    6230
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • F
      forpfsensebaby last edited by

      Hi:

      First accept my apologies if this should be covered elsewhere

      I am new to PFsense, and I am going to apply this to my small IDC business, I have several IP blocks /25 and /24, and I have searched a while but haven't really found any thing which indicates how to

      "set PFsense and give all machines public IPs directly under it"

      by saying "directly" I mean if I own 66.55.99.0/24, and set PFsense as 66.55.99.100, 16 machines under it, their IPs are 66.55.77.101,102…..106.

      I don't want to use any port forwarding or 1:1 NAT cuz I will have many VPSes under the physical machines by VMware, VBOX and XEN, it's better to have IPs directly instead of port forwarding to internal IP addresses.

      does somebody know/have already done the setting for this? what am I going to do? bridge?

      thank you very very much

      1 Reply Last reply Reply Quote 0
      • D
        dLockers last edited by

        MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.

        1 Reply Last reply Reply Quote 0
        • P
          podilarius last edited by

          MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.

          That would be very dumb on Microsoft's part. Especially since almost all of IPV6 is route-able on the internet. They are also going to cause problems for those who put them live on the internet as web server or those who are using a transparent firewall.

          For you problem at hand, you have two options.

          You can use virtual IPs and NAT with rules so as to translate External IPs to Internal. This looks like something you don't want to do.

          The second option is to setup a bridge. In this case it is a transparent firewall. You will only set 1 IP on the LAN and then filter all traffic on the WAN.

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            MS Server 8 won't allow public IP's

            Where did you pick up that piece of FUD?

            Are you thinking of maybe SBS 2008, which is specialty build?

            http://support.microsoft.com/kb/957717
            Unable to Install SBS 2008 with a Public IP Address

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 23.01 | Lab VMs CE 2.6, 2.7

            1 Reply Last reply Reply Quote 0
            • D
              dLockers last edited by

              @johnpoz:

              MS Server 8 won't allow public IP's

              Where did you pick up that piece of FUD?

              Are you thinking of maybe SBS 2008, which is specialty build?

              http://support.microsoft.com/kb/957717
              Unable to Install SBS 2008 with a Public IP Address

              Could be.

              What's a FUD?

              1 Reply Last reply Reply Quote 0
              • I
                iFloris last edited by

                @dlockers, unrelated to topic. FUD is an expression.

                one layer of information
                removed

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  This is true it can stand for that, it can also stand for "F_cked Up Disinformation"

                  Either way works really with your statement ;)

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                  1 Reply Last reply Reply Quote 0
                  • D
                    dLockers last edited by

                    lol. I was partly right (it was A server flavour, right?  :D :D :-*).

                    It's still bad practice to give a host a public IP.

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by

                      "It's still bad practice to give a host a public IP."

                      Not if its a public server, say Web Server ;)  Email Server, FTP Server, etc. etc. etc..

                      If the host is connected to the public net to provide something to the public net then yes it would need a public IP.

                      So your suggesting that every server should be behind a NAT?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                      1 Reply Last reply Reply Quote 0
                      • D
                        dLockers last edited by

                        @johnpoz:

                        "It's still bad practice to give a host a public IP."

                        Not if its a public server, say Web Server ;)  Email Server, FTP Server, etc. etc. etc..

                        If the host is connected to the public net to provide something to the public net then yes it would need a public IP.

                        So your suggesting that every server should be behind a NAT?

                        For additional protection I'd say so. Otherwise you are putting all your faith in software firewall solutions.

                        1 Reply Last reply Reply Quote 0
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator last edited by

                          "Otherwise you are putting all your faith in software firewall solutions."

                          Again more FUD!!  Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                          1 Reply Last reply Reply Quote 0
                          • D
                            dLockers last edited by

                            @johnpoz:

                            "Otherwise you are putting all your faith in software firewall solutions."

                            Again more FUD!!  Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.

                            How about stop being a dick, and explain then? I'm here to learn as much as everyone else.

                            I have always been told to use NAT and put servers on a separate LAN. Without putting special configurations, I didn't know you could firewall effectively if you have a DMZ'ed host with a public IP.

                            1 Reply Last reply Reply Quote 0
                            • johnpoz
                              johnpoz LAYER 8 Global Moderator last edited by

                              Not trying to be a "dick" I assure you - its just that your statements are FUD..  If you are not sure then you should word them as questions and not what "seems" to be a FACT in your mind?

                              example.
                              –--

                              So your suggesting that every server should be behind a NAT?

                              For additional protection I'd say so. Otherwise aren't you just putting all your faith in software firewall solutions on the host?.
                              –--

                              Not sure what firewalls you have worked with in the past, but I assure you you do not have to be behind a nat to process rules that either allow or deny access.   Not sure where you would of gotten that idea other than maybe home type routers, and normally those routers don't even really create a real DMZ, more of what they call a DMZ Host  - which is just the forwarding of ports that are not otherwise forwarded already.

                              More than happy to help you with any questions you have..  Who told you this "I have always been told to use NAT and put servers on a separate LAN"..  This is just FUD plain and simple.

                              I think its already been brought up - if this is your understanding, what do think will happen with IPv6?  Do you think NAT will still be used?

                              Don't get me wrong, not saying that NAT is not a useful tool - that sure can be used in protecting your hosts, or for sharing a IP, etc. etc.  Lots of use for it.  But there are protocols that just do not work, or do not work well when behind a NAT.  And created extra overhead when its just not needed, there are places and uses for nat and or napt sure.  But it is not the end all get all of protecting your servers.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                              1 Reply Last reply Reply Quote 0
                              • P
                                podilarius last edited by

                                I agree … a bridging firewall (or transparent firewall) is just as effective IMO. Plus, you get to hide your firewall so there is no gateway for attackers to attack. Not saying that won't stop attackers from trying or succeeding .. just makes it a little more difficult. But to just say that NAT is the only right way is a bit out there especially if you are unsure.

                                1 Reply Last reply Reply Quote 0
                                • johnpoz
                                  johnpoz LAYER 8 Global Moderator last edited by

                                  Does not have to be a bridging or transparent firewall either.  But that is an option as well without NAT.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                  1 Reply Last reply Reply Quote 0
                                  • I
                                    iFloris last edited by

                                    The lack of NAT is one of the things that I love about ipv6. Or rather, no longer needing to NAT anything. With ipv6, every global address on you lan is also your public ip. Using public ip's through a firewall without NAT works pretty much the same way on ipv4.

                                    one layer of information
                                    removed

                                    1 Reply Last reply Reply Quote 0
                                    • F
                                      forpfsensebaby last edited by

                                      would you mind to tell me how to make that transparent bridge? use "bridge" under "interface" and select the WAN and LAN? what IPs to put on them? Both public?

                                      1 Reply Last reply Reply Quote 0
                                      • F
                                        forpfsensebaby last edited by

                                        would you mind to tell me how to set up the bridge? just choose "Bridge" and select WAN and LAN? what kind of IPs to give to them? Both Public? Thank you very much

                                        1 Reply Last reply Reply Quote 0
                                        • johnpoz
                                          johnpoz LAYER 8 Global Moderator last edited by

                                          Have you read this thread?

                                          http://forum.pfsense.org/index.php/topic,36562.0.html
                                          Clean Install with pfsense 2.0 using transparent firewall

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 23.01 | Lab VMs CE 2.6, 2.7

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post