1 to 1 NAT Public IPs



  • My ISP has given me a range of 8 public IPs to use with my web servers.  After watching this video http://youtu.be/zrBr0N0WrTY it seems the best way to do what I need.  Basically the video shows how to set up virtual public IPs, NAT them to internal IPs and create the appropriate firewall rules to let the desired ports pass.  So I have followed the instructions and everything works fine in my sandbox.  But, when I connect to my ISP, HTTP traffic does not pass as expected.

    I have a fiber connection to my ISP and they give me an Ethernet connection with a static, public, DHCP-assigned address 111.111.111.111.  They say they are routing the 8 IP range to that address.  I don't know how to test if it is actually happening or not.  I've called them and they assure me everything is correct from their side.

    My sandbox setup has the pfSense server getting a DHCP address on its WAN connection from the router connected to the internet.  On the WAN side of the pfSense router I have an outside test PC and on the LAN side of the router I have an inside test PC.

    • from the outside PC I can get to 222.222.222.222

    • from the outside PC I cannot get to 192.168.1.120

    • from the inside PC the exact opposite is true and I cannot get to 222.222.222.222

    When I plug the internet into the pfSense WAN port I cannot get to the 222.222.222.222 IP address from a computer connected to the internet.

    What am I missing?  Could it be my ISP is not routing the 222.222.222.222 range to me?  Is there any way to test that? (My current internet router is running DD-WRT, for whatever that is worth.)

    Your help is greatly appreciated.




  • They are giving you a routed solution. This would mean that they expect the PC behind the firewall to have a public IP address. Also, you need to have the option on WAN not to block private IP addresses. You can set up the IPs as proxy ARP on the WAN and then do a 1:1 NAT with rules.



  • Just trying to climb a pretty steep learning curve.  Why proxy ARP rather than proxy IP?  If the WAN is listening for certain public IPs shouldn't it just send them to the correct location?



  • > Why proxy ARP rather than proxy IP?

    I think you are talking about the same thing.  There are, what, 4 VIP types: Proxy ARP, Cluster ARP, IP Alias, and Other (which I have never used or heard of using).
    CARP and IP Alias must exist in the same subnet as the interface that it is assigned to. Proxy ARP does not have that limitation.



  • Under Firewall > Virtual IPs there are 4 choices: Proxy ARP, CARP, Other, and IP Alias.  I've tried all 4 without success.  My next step is to make sure the ISP is actually routing the public IP to me.  Not sure how to do that though ….



  • If you have done a 1:1 NAT to your server then any unsolicited request for a port on that server that you don't have a rule for will show up in the firewall rules.

    I log all traffic on my firewall rules to my server and those show up as pass.

    Have any other internet connections you can RDP into and try from?



  • Try this. Set up your LAN with one of the public IPs and then set a server behind it with the next IP in line, with the gateway IP of the LAN. Open the appropriate ports to allow traffic. If they are routing your public IP to the WAN, this should work.



  • Here's a quick follow-up with what I've done.  After much frustration I had an epiphany that I could set a route on my laptop so that I could test pfSense from outside the sandbox, simulating what would come in from the internet.  I found these instructions to help with that:  http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/  With the route on my laptop I could test all the different scenarios and everything was working, except when I plugged into my internet connection.

    Like many tech support organizations my ISP is quick to blame all problems on what I was doing, so I had to figure out a way to prove the problem was theirs.  I loaded Wireshark and plugged the network directly into the laptop.  That way there was nothing they could say about pfSense or any other hardware.  It was kind of fun to call the ISP and tell them definitively that the expected traffic was not being sent to me.  I had to explain to them what Wireshark was and why it proved the problem was theirs.  >:(  The problem was quickly resolved, after I'd spent hours and hours trying to figure out what "I" was doing wrong.  (Note to self - don't be like the ISP tech support to my own users.)

    Still no happy ending though.  Once I discovered I could test the routing I decided to go with a routed solution rather than 1 to 1 NAT.  After much testing I put the router into production Friday night.  Everything was working, until what I thought was a small issue popped up.  In the process of trying to fix that I added a bad rule or something and the whole thing stopped working.  I had to go back to the previous hardware.  I'm still licking my wounds, but I will try again.
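    The "plug the link straight into a laptop and capture" test from the post above, as an added example that is not from this thread: it reads `tcpdump -nn` text output taken on the WAN link and reports whether any packets for the routed block actually arrive, separately from packets for the WAN address itself. The sample lines are constructed, and the block boundary 222.222.222.216/29 is assumed from the "8 public IPs" in the question.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -nn -i <wan-if> ip` text output, not a real capture.
# 111.111.111.111 is the DHCP WAN address and 222.222.222.216/29 (assumed) is the
# routed block from the thread; 203.0.113.10 and 198.51.100.7 are documentation
# test-net addresses standing in for hosts on the internet.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.51234 > 222.222.222.222.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 203.0.113.10.51235 > 222.222.222.223.443: Flags [S], seq 2, win 64240, length 0
12:00:02.000000 IP 198.51.100.7.40000 > 111.111.111.111.22: Flags [S], seq 3, win 64240, length 0
12:00:03.000000 IP 203.0.113.10.51236 > 222.222.222.222.80: Flags [S], seq 4, win 64240, length 0
"""

# Matches the "src.port > dst.port:" part of an IPv4 tcpdump line.
LINE_RE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def inbound_by_destination(capture_text, routed_block, wan_ip):
    """Count packets on the WAN link by destination.

    Returns (block_hits, wan_hits): block_hits is a Counter keyed "dst:port" for
    destinations inside routed_block; wan_hits counts packets for the WAN address
    itself, which proves the link carries traffic at all.
    """
    block = ip_network(routed_block)
    wan = ip_address(wan_ip)
    block_hits, wan_hits = Counter(), 0
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines are not what we are checking
        dst = ip_address(m.group(3))
        if dst in block:
            block_hits[f"{dst}:{m.group(4)}"] += 1
        elif dst == wan:
            wan_hits += 1
    return block_hits, wan_hits

def routing_verdict(capture_text, routed_block, wan_ip):
    """Summarise what the capture proves about the ISP's routing of the block."""
    block_hits, wan_hits = inbound_by_destination(capture_text, routed_block, wan_ip)
    if block_hits:
        return "routed"      # packets for the block reach the WAN link: ISP side is fine
    if wan_hits:
        return "not-routed"  # link is live, but nothing for the block ever arrives
    return "no-traffic"      # nothing at all: check the link and capture before blaming routing

if __name__ == "__main__":
    hits, wan = inbound_by_destination(SAMPLE_CAPTURE, "222.222.222.216/29", "111.111.111.111")
    print(routing_verdict(SAMPLE_CAPTURE, "222.222.222.216/29", "111.111.111.111"), dict(hits), wan)
```

    While the capture runs, have a host elsewhere on the internet connect to a port on each address in the block; a "not-routed" verdict with the WAN address still receiving traffic is the evidence the post describes handing to the ISP.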



  • I am glad that you were able to prove to them that the issue was theirs. Routed is some of the easiest to troubleshoot since there is no NAT involved. It is usually something to do with something not using pfSense as the default gateway. This causes a split route and breaks the completed route. Or, it is a firewall rule being incorrectly formed. Traceroute will help the most here.

