Public IP's behind router



  • Hi,

    First off, thanks everyone for all the great posts; I've picked up a lot and am happily running pfSense and have been for a long time now.

    Question about getting public IPs behind the router. I'm having trouble finding out exactly how to do this. If I may post a link from m0n0wall that has a good picture:

    http://doc.m0n0.ch/handbook/examples-filtered-bridge.html

    1:1 NAT seems to be working fine, but for various reasons we need the public IPs behind the router. I have 3 NICs: LAN / WAN / OPT.

    I thought the way to do it would be to have the LAN by itself, then bridge the OPT with the LAN. I got confused because I was expecting the OPT to take an IP, but it didn't seem to take a value in there. I tried to continue, but then I got confused when I tried to configure the IP info on the server behind the router. I know the IP and the subnet mask, but what do I then use for a gateway? The WAN IP? The gateway that the WAN IP uses?

    I'm at the limit of my understanding, so I'm not averse to people telling me to RTFM; I would be happy with a shove towards the correct RTFM. I did see the PDF on transparent bridging, but it doesn't have a LAN and OPT segment, and doesn't explain clearly enough for my addled brain to determine exactly how to configure the clients.

    I may have missed a post saying that what I am trying to do isn't possible, but I think it is; I think I'm just confused on the finer points.

    I'm using the stable version 1.01 for this project. We have a /29 range of IPs. Everything is up and running fine as best as I can tell; I just can't get anything to work via bridging on OPT. I've set up rules to allow everything, and I had a constant ping running, hoping that while I played with settings I might see something appear in the firewall log. No luck.

    I did a traceroute towards the public IP that I thought I had bridged, but it looped between the ISP gateway and the router. Not sure what that means; I think that must be a key though. It means that something is wrong on the router and not the client, I think. But I'm still not 100% on how to set up the client.

    Thanks for reading; hope this made some sense and I haven't left out any key points.



  • I've never done this but I read about it…

    First, you do not want to bridge the OPT with the LAN.
    You want to use the OPT as a DMZ.

    You will need public IPs from your ISP that are in two different subnets.
    This way traffic can route between the subnets.

    For example, your pfSense box may have the following IPs:
    WAN 200.100.100.52/30
    DMZ 200.100.101.16/29
    LAN 192.168.1.1/24

    You'll need to set up advanced outbound NAT and rules to allow traffic:
    WAN >> DMZ
    DMZ >> WAN
    LAN >> WAN

    You then just need to set up the rules to allow traffic from WAN >> DMZ and



  • Dang - bridge with LAN was a typo - I did mean bridge with WAN.

    Thanks for the reply; that seems pretty close to what I had going. I was still confused as to what to use on the clients for a gateway.

    And what you describe is very close to what we have from the ISP; e.g. we have 200.100.100.100/30 and 200.101.100.100/29 (they differ at the second set of numbers).

    When troubleshooting a setup like this, will all blocked traffic show up in the firewall logs? That is how I determined stuff was working before: I'd attempt the connection and then verify it was blocked; then I'd know it was reaching the right place; then I'd make the rule to allow it.

    Sorry if this is not making sense; I'm at the outer limits of my networking knowledge.



  • The servers in the DMZ would use the router's DMZ IP address for their gateway.



  • When you bridge, pfSense is completely transparent, just as described in the linked m0n0wall documentation (which I wrote). Your public IPs in that case will be communicating directly with your WAN. Their gateway is not the DMZ IP, as there is no IP on a bridged interface. It'll be whatever the gateway is on your WAN segment. See the diagram and read the linked m0n0wall documentation thoroughly.
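The two answers above describe two different designs, and the client gateway differs between them. The following added example (not from the thread or from pfSense) encodes both rules with the standard library so a planned address layout can be checked before touching the router. The addresses in the `__main__` block are constructed from tedced's example; the /30 and /29 he gave are network addresses, so the router, ISP gateway and host addresses used here are assumptions.

```python
import ipaddress


def _usable(addr, net):
    """True if addr is a host address inside net (not network/broadcast)."""
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def routed_dmz_gateway(wan_net, dmz_net, router_dmz_ip, host):
    """Routed DMZ (tedced's design): OPT has its own public subnet and its own
    address, and DMZ hosts use that OPT address as their default gateway."""
    wan, dmz = ipaddress.ip_network(wan_net), ipaddress.ip_network(dmz_net)
    router_dmz_ip, host = map(ipaddress.ip_address, (router_dmz_ip, host))
    if wan.overlaps(dmz):
        raise ValueError("WAN and DMZ subnets overlap; use two distinct subnets")
    if not (_usable(router_dmz_ip, dmz) and _usable(host, dmz)):
        raise ValueError(f"router and host must both be usable addresses in {dmz}")
    return str(router_dmz_ip)


def bridged_gateway(wan_net, router_wan_ip, isp_gateway, host):
    """Filtered bridge (cmb's design): OPT is bridged to WAN and carries no IP,
    so hosts live in the WAN subnet and use the WAN's upstream gateway."""
    wan = ipaddress.ip_network(wan_net)
    router_wan_ip, isp_gateway, host = map(
        ipaddress.ip_address, (router_wan_ip, isp_gateway, host))
    if not all(_usable(a, wan) for a in (router_wan_ip, isp_gateway, host)):
        raise ValueError(f"all addresses must be usable hosts in {wan}")
    if host in (router_wan_ip, isp_gateway):
        raise ValueError(f"{host} is already taken by the router or ISP gateway")
    return str(isp_gateway)


if __name__ == "__main__":
    # Constructed addresses (assumptions): router at .17 on the DMZ /29,
    # ISP gateway at .22 when that same /29 is the bridged WAN segment.
    print(routed_dmz_gateway("200.100.100.52/30", "200.100.101.16/29",
                             "200.100.101.17", "200.100.101.18"))  # 200.100.101.17
    print(bridged_gateway("200.100.101.16/29", "200.100.101.17",
                          "200.100.101.22", "200.100.101.18"))     # 200.100.101.22
```

The same host address gets a different gateway depending on the design, which is the point of cmb's correction: on a bridge the router's own address is never the client's gateway.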



  • How would bridging affect his LAN traffic?



  • @tedced:

    How would bridging affect his LAN traffic?

    If I understand correctly, the LAN traffic will have to access the WAN and bridged interface through the external IP, which makes sense because it has no internal IP. Otherwise it should be unaffected. (This is my understanding, and I may be incorrectly stating something.)

    I won't get a chance to try this again until Monday. I think I was very close, but as it wasn't working I must have been off somewhere. Before knowing that the OPT interface would use the same gateway IP as the WAN, I did spend (waste) some time trying other IPs as the gateway.

    That m0n0wall page is great; it was perhaps the best page describing what I wanted to do. Which surprised me a bit, because it seems like a fairly standard setup to me. I also spent some time with a Cisco router. My first contact with IOS. I like pfSense better. ;)

    Thanks for all the posts so far; I'll be sure to post back with my results.



  • ;D
    I'm all set. I was closer than I thought. Turns out I misread the docs our ISP provided. In my defense, they weren't as clear as they should have been. But in their defense, I'm not as bright as I should have been!

    Regardless, the questions I asked I still needed answers to, so I haven't wasted anyone's time.

    Thanks for the help.



  • I am working on a similar implementation. I am wondering if pfSense suffers from the same issue as m0n0wall does, listed in the linked documents.

    Note:
    Remember you cannot access hosts on a bridged interface from a NAT'ed interface, so if you do have a LAN interface set up, you won't be able to access the hosts on the bridged interface from the LAN.

    http://doc.m0n0.ch/handbook/examples-filtered-bridge.html
    http://doc.m0n0.ch/handbook/faq-bridge.html

    If I am reading this right, does this mean that if I have my DNS servers on either the bridged or NATted/private side of the network that they will be unable to talk back and forth?

    Your input is appreciated.
    zktech

