Netgate Discussion Forum

    VIP - Global IP to a host? I am confused…

      Tillebeck

      I have tried to create VIPs and ranges of VIPs and mapping these to clients on LAN using 1:1 mapping.

      But… I would like to route one of the global IPs (a VIP) directly to the client on LAN. Or instruct the client to set up the client router with IP info for the VIP.

      Is that possible?

      Say my pfsense IP is 11.11.11.229 /30
      and I get subnet 22.22.22.104 /29 as a VIP
      LAN could be: 192.168.1.1 /24

      How can I let a client connect to the internet with IP 22.22.22.105 from the VIP range?

        Metu69salemi

        Manual outbound NAT or 1:1 NAT is your answer. I personally use MON, because I have 3 subnets to cover with 5 public IPs.

          Tillebeck

          Thanks for your answer.

          If I get this right, 1:1 is not the solution:

          • Using 1:1 NAT the client on LAN will still have a local IP

          • Incoming traffic to the VIP will go to the client

          • When testing own IP the "global IP" will just be the WAN address for the LAN and not the VIP, correct?

          I would like to give a "real" global IP to a user like I get a global IP from my ISP. Is that possible with pfSense?
          I have, let's say, 100 users and 5 global IPs. Let's say I use 1 IP for the pfSense and let 98 users be on the LAN. Then the last 2 users would each like their own global IP too. Can this be done in other ways than 1:1 mapping? I have spare interfaces on the pfSense box.

            Metu69salemi

            You can route public IPs inside pfSense; it's doable, yes, but how, I don't know (haven't done that).

            @Tillebeck:

            • Using 1:1 NAT the client on LAN will still have a local IP

            Yes, it's just a mapping so that one client always has the correct/same public IP.

            @Tillebeck:

            • Incoming traffic to the VIP will go to the client

            Yes, you can do it that way.

            @Tillebeck:

            • When testing own IP the "global IP" will just be the WAN address for the LAN and not the VIP, correct?

            Want to share your idea over here? You can use a VIP or hardware IP with LAN.

            @Tillebeck:

            I would like to give a "real" global IP to a user like I get a global IP from my ISP. Is that possible with pfSense?
            I have, let's say, 100 users and 5 global IPs. Let's say I use 1 IP for the pfSense and let 98 users be on the LAN. Then the last 2 users would each like their own global IP too. Can this be done in other ways than 1:1 mapping? I have spare interfaces on the pfSense box.

            Like I said earlier, you can use 1:1 or MON to achieve this. With MON you can also use that IP from a different machine.
            For example, public IP xx.xx.xx.xx has a www server @ 192.168.12.3 and an e-mail server @ 192.168.13.99, and both of those use the same public IP address.

              Tillebeck

              Just a short update. VIP or 1:1 NAT mapping works just fine.

              Create the virtual IP
              Create a 1:1 NAT mapping (VIP to LAN IP)
              Create a firewall rule allowing traffic to the VIP

              Now the LAN client will see the VIP when testing its own static IP, and not the IP that all normal LAN users share.

              Perfect.

              What MON is I do not know. I will look into it.
              Thanks a lot

                Metu69salemi

                MON = Manual Outbound NAT

                  Tillebeck

                  Ahh… thanks. That was activated too, due to opening up for VoIP from several clients to the same external gateway. I read that it was needed to have two-way sound.
