Netgate Discussion Forum

8 virtual IPs, NAT + Subnet problems! SOLVED

  • B
    Bigg
    last edited by Jul 28, 2007, 9:11 PM Jul 27, 2007, 5:18 PM

    OK guys, need help setting up new IPs and NAT.

    I have 8 static IPs, 87.xxx.xxx.200 - 87.xxx.xxx.207, using OpenDNS servers for OpenDNS.

    The first one I have added as the WAN IP address as 87.xxx.xxx.200 / 21.

    I am not sure if 21 is the right CIDR value here; if someone could clarify, that would be great…

    Next, the 7 other IPs I have added as Virtual IPs (PARP):

    87.xxx.xxx.201 / 21
    87.xxx.xxx.202 / 21
    87.xxx.xxx.203 / 21
    87.xxx.xxx.204 / 21
    87.xxx.xxx.205 / 21
    87.xxx.xxx.206 / 21
    87.xxx.xxx.207 / 21

    All good so far, or so I thought. Now NAT worked fine on all the ports that were forwarded from the WAN interface 87.xxx.xxx.200; however, port forwarding for any of the virtual IPs does not work outside the LAN (oddly enough, they work in the LAN).

    LAN computers are all in 1 big network with pfSense as their gateway and DNS server. They have IPs 10.0.0.x and subnet 255.255.255.0.

    I have turned on NAT reflection, and repeat that port forwarding for the virtual IPs only works for the computers inside the LAN, e.g. 87.xxx.xxx.201:80 I set to go to the same server as 87.xxx.xxx.200:80. But from outside the LAN I just get a timeout.

    If anyone could check my CIDR / subnets are correct, as I suspect they may be a problem. (I'm not 100% on how to correctly assign them.)

    Thanks in advance

    BigG

    • D
      dotdash
      last edited by Jul 27, 2007, 6:45 PM

      I'm guessing you have a /29, not a /21.
      The /29 for those numbers would be .200; 201-206 would be usable, with 207 as the broadcast.
      A /21 would be 2048 IPs… (8 class C networks as opposed to 8 IP addresses)
      You should only be using the IPs from 201-206. Subnet mask would be 255.255.255.248.

      • B
        Bigg
        last edited by Jul 27, 2007, 6:59 PM

        Hmm, but I've paid for 8 IPs… I have before and upgraded to the 8 package, I think I should be using all 8....

        • D
          dotdash
          last edited by Jul 27, 2007, 8:33 PM

          You may want to verify with your provider as to their setup. If it's a routed subnet, the subnet and broadcast addresses should not be used. Using all 8 if you have a /29 would make your configuration seriously broken. Perhaps they have just given you a block to use within a larger network. Anyway, that's a question for them, and not for someone trying to offer you some free advice, which could be wrong, and which you are free to ignore. I was just trying to give you some help on the CIDR.
          PS- Crossposting the same problem to multiple forums is generally considered obnoxious.
          PPS- It's CARP, not PARP.

          • B
            Bigg
            last edited by Jul 28, 2007, 2:50 AM

            OK, called up my ISP (Bethere 24mb ADSL+ 8 IPs).

            They claim that my IPs are on a /19 block.

            Below I've illustrated how I'd like the LAN to work.

            DHCP is fine, all systems on the LAN can access the internet fine, but my NAT is just NOT WORKING for any of the virtual IPs; the WAN IP's NAT rules all work fine.

            Any help would be greatly appreciated, as I have tried this configuration with a Belkin and Netgear router before finally taking the plunge to a dedicated router box, first Smoothwall, then IPCop (didn't support multi IPs in free editions). Now pfSense is nearly there! Thanks in advance!

            • D
              dotdash
              last edited by Jul 29, 2007, 10:05 PM

              Not sure if you've figured it out (as title now says solved), but it occurred to me that you might have meant Proxy-ARP and not CARP by PARP. While CARP addresses should have the correct mask, Proxy-ARPs added as you show should have been added as 'single address' /32.

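The CIDR arithmetic and the virtual-IP rules dotdash describes in this thread, as an added example that is not part of the original posts. 198.51.100.200 is a documentation address standing in for the masked 87.xxx.xxx.200, the routed /29 is the hypothetical case dotdash raises, and the function names and the `proxyarp`/`carp` labels are assumptions of this sketch, not pfSense settings.

```python
import ipaddress

# Constructed sample: documentation address standing in for 87.xxx.xxx.200.
FIRST_IP = "198.51.100.200"


def describe_block(addr, prefix):
    """Return (network, broadcast, total addresses, usable hosts) for addr/prefix."""
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return (str(net), str(net.broadcast_address), net.num_addresses, usable)


def audit_vips(vips, vip_type, routed_block):
    """Check virtual IP entries ('a.b.c.d/len') against the rules in the thread.

    vip_type is 'proxyarp' or 'carp' (labels used only by this example).
    routed_block is the subnet the provider routes, e.g. a /29.
    """
    block = ipaddress.ip_network(routed_block, strict=False)
    findings = []
    for entry in vips:
        iface = ipaddress.ip_interface(entry)
        plen = iface.network.prefixlen
        if vip_type == "proxyarp" and plen != 32:
            findings.append((entry, "Proxy ARP entry should be a single address (/32)"))
        if vip_type == "carp" and plen != block.prefixlen:
            findings.append((entry, "CARP mask should match the interface subnet"))
        if iface.ip in (block.network_address, block.broadcast_address):
            findings.append((entry, "network/broadcast address of a routed block"))
    return findings


if __name__ == "__main__":
    # The three prefix lengths that come up in the thread.
    for prefix in (29, 21, 19):
        print(prefix, describe_block(FIRST_IP, prefix))

    # Entries as posted: .201-.207, each with a /21 mask.
    posted = [f"198.51.100.{n}/21" for n in range(201, 208)]
    for entry, problem in audit_vips(posted, "proxyarp", f"{FIRST_IP}/29"):
        print(entry, "->", problem)
```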