Netgate Discussion Forum
    Need a Maestro's help

    Firewalling
      GettingTooOld

      5 years ago I had my own firewall in Redhat with IPTables, and I was happy…I think

      Anyway that was a past life, and now I'm wanting to setup a new network...and I have not done any of the firewall stuff in 5 years.

      First let me say, I tried IPCop first and tossed it, the PFSense dual Wan caught my attention. Plus PFSense seems much more flexible and functional, and functionality can be hard for us old farts. Cause I'm yet to understand it.

      Anyway here is what I have

      Comcast Business Netgear Router with 5 static IPs
      |              IP1.XXX.XXX.241 - IP5.XXX.XXX.XXX.245
      |              GW.XXX.XXX.XXX.246
      |              255.255.255.248
      |              DHCP Server running 10.1.10.x network
      |
      |
      Old IBM P2 Server 512MB Ram 4G Scsi Hard drive with 4 Nics with PFSense installed
      |  |  |  |
      |  |  |  |
      |  |  |  |- NIC1 WAN - connected to Comcast Router
      |  |  |   
      |  |  | --- NIC2 Future second WAN to DSL or T1
      |  |     
      |  |-------NIC3 LAN
      |
      |---------NIC4 OPT1 - For DMZ

      Here is where I'm confused:
      I thought we could assign a series of IP addresses to a NIC; in this case I thought I would assign the 5 static IPs to the WAN NIC and the 10.1.10.x network.
      On the WAN Interface configuration page, if I assign a static IP, will I consume this IP? Or can I use it to NAT to a server in my DMZ? Or can I just choose DHCP and allow the Comcast router to assign an IP from the 10.1.10.x pool?

      Interface WAN:

      Type:          Static
      IP address:  IP1.XXX.XXX.241
      Gateway      GW.XXX.XXX.246

      Block private networks: checked
      Block bogon networks: checked

      Interface OPT1:
      Type:            Static
      IP address    10.40.0.1
      Gateway        (blank)

      I tried to NAT 1:1 on WAN IP1.XXX.XXX.XXX.245 to 10.40.0.11 but it gave an error saying I could not use a WAN IP address.

      So as you can see I'm hopelessly lost without a nice how-to for dummies.

      Any help would be appreciated.

      Thanks

        cmb

        @GettingTooOld:

        Here is where I'm confused:
        I thought we could assign a series of IP Address to a NIC, in this case I thought I would assign the 5 Static IPs to the WAN NIC and the 10.1.10.x network.

        That 10.1.10.x network is currently, and will remain, outside your firewall? I wouldn't use any private IPs on that side of your network unless you have some good reason I'm missing.

        You can assign one public IP to your WAN interface, and the rest as VIPs. They can all be used for NAT then.

        @GettingTooOld:

        I tried to NAT 1:1 on WAN IP1.XXX.XXX.XXX.245 to 10.40.0.11 but gave an  error saying I could not use a WAN IP Address.

        You can't 1:1 the IP that's on the WAN interface, you can only forward ports off that IP. The additional IPs defined as VIPs can be used for 1:1 NAT.

          GettingTooOld

          You're right I don't really want to use the 10.1.10.x network.

          OK, I restored the defaults… so let's give it another try.

          Interface WAN:

          Type:          Static
          IP address:  IP1.XXX.XXX.241 / 32
          Gateway      GW.XXX.XXX.246

          Block private networks: checked
          Block bogon networks: checked
          VIP IPS.XXX.XXX.242/32 Type IP (selected Other)
          VIP IPS.XXX.XXX.243/32 Type IP (selected Other)
          VIP IPS.XXX.XXX.244/32 Type IP (selected Other)
          VIP IPS.XXX.XXX.245/32 Type IP (selected Other)

          Interface LAN:

          Bridge with :none
          IP Address  :10.20.0.1/24

          Interface OPT1:
          Type DHCP
          Bridge with: none

          NAT 1:1
          Interface    External IP            Internal IP
          WAN          IPS.XXX.XXX.242/32    10.40.0.242/32
          WAN          IPS.XXX.XXX.243/32    10.40.0.243/32
          WAN          IPS.XXX.XXX.244/32    10.40.0.244/32
          WAN          IPS.XXX.XXX.245/32    10.40.0.245/32

          FIREWALL RULES:
          Interface    Proto      Source    Port      Destination    Port    Schedule
          WAN          TCP        *            *          *                  *
          OPT1        TCP        *            *          *                  *

          Client / Server
          IP          10.40.0.245
          Subnet  255.255.255.0
          Gateway 10.40.0.1

          (I tried to use DHCP too) for the client.

          OK This should be wide open and simple, but here is the problem...me too old...or dumb one.

          When I enter the IP address for OPT1 (10.40.0.1) with bridge set to none, and it is set to Type DHCP and the client to DHCP, no IP address is assigned.
          When I enter the IP address for OPT1 (10.40.0.1) with bridge set to none, and it is set to Type Static and the client to 10.40.0.245, the client can't ping 10.40.0.1 or anything else.

          What am I missing?

          Thanks a bunch.

            sai

            If you want pfsense to act as a DHCP server for your OPT1 interface then you need to turn on the DHCP server under the Services > DHCP server menu option.

            Under the Interfaces > OPT1 menu option, if you set the 'Type' to DHCP then that means that the OPT1 interface will get its IP address by DHCP from some DHCP server. You will only ever set DHCP for an interface that is a connection to an ISP, i.e. gets its IP address from the ISP.

            ISP connections always have a gateway defined. LAN interfaces will never have a gateway defined.

            HTH

            sai

              cmb

              Don't set your OPT interface to DHCP unless it's connected to an ISP. If it's an internal segment you need to define its IP there. Then configure the DHCP server appropriately.

              Your VIPs likely need to be type Proxy ARP or CARP unless they're routed to your WAN IP by your ISP, which isn't typical.
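The replies above amount to a short set of consistency rules for this kind of pfSense setup. As an added example (not from this thread and not pfSense's own code), the Python script below encodes those rules as a lint over a small model of the configuration: the WAN interface's own address cannot be 1:1 mapped (only port-forwarded), extra public addresses must be defined as VIPs and should be Proxy ARP or CARP unless the ISP routes them to the WAN IP, an internal interface gets a static address and no gateway, and DHCP for clients requires pfSense's DHCP server to be enabled on that interface. The `Interface`, `VirtualIP` and `OneToOneNat` records, their field names and the `isp_routes_vips` flag are this script's own assumptions, not pfSense options; the public addresses are constructed from the documentation range 198.51.100.0/29 in place of the masked XXX values, and `posted_config()` is a constructed composite of the two attempts in the thread rather than an exact copy.

```python
"""Config lint for the pfSense setup discussed in this thread (added example).

Rules encoded, taken from the replies above:
  * the WAN interface's own address cannot be 1:1 NAT'd, only port-forwarded;
    extra public addresses go in as VIPs, and those can be 1:1 mapped;
  * VIPs should be Proxy ARP or CARP unless the ISP routes them to the WAN IP;
  * an internal interface (LAN / DMZ) gets a static address and no gateway;
    "Type: DHCP" is only for an interface that gets its address from an ISP;
  * for clients to get addresses by DHCP, pfSense's DHCP server must be on
    for that interface.
All public addresses are constructed from 198.51.100.0/29 (documentation
range) in place of the masked XXX values in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass
class Interface:
    name: str
    role: str                 # "wan" (faces an ISP) or "internal" (LAN / DMZ)
    addr_type: str            # "static" or "dhcp"
    address: str = ""         # CIDR, e.g. "198.51.100.241/29"; empty when dhcp
    gateway: str = ""         # only an ISP-facing interface should have one
    dhcp_server: bool = False  # Services > DHCP server enabled on this interface


@dataclass
class VirtualIP:
    address: str              # CIDR
    vip_type: str             # "proxyarp", "carp", "ipalias" or "other"


@dataclass
class OneToOneNat:
    interface: str
    external: str             # CIDR of the public address
    internal: str             # CIDR of the inside host


def lint(interfaces, vips, nat_1to1, isp_routes_vips=False):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    wan_ips = set()
    for i in interfaces:
        if i.role == "wan":
            if i.addr_type == "static":
                if not i.address:
                    findings.append(f"{i.name}: static WAN has no address")
                else:
                    wan_ips.add(ip_interface(i.address).ip)
                if not i.gateway:
                    findings.append(f"{i.name}: a static WAN needs its upstream gateway set")
        else:
            if i.addr_type == "dhcp":
                findings.append(f"{i.name}: internal interface set to DHCP would wait for an "
                                "upstream DHCP server that does not exist; give it a static address")
            if i.gateway:
                findings.append(f"{i.name}: internal interface must not have a gateway")
            if i.addr_type == "static" and not i.dhcp_server:
                findings.append(f"{i.name}: DHCP server is off, so clients on it need static addresses")
    vip_ips = set()
    for v in vips:
        ip = ip_interface(v.address).ip
        vip_ips.add(ip)
        if v.vip_type not in ("proxyarp", "carp") and not isp_routes_vips:
            findings.append(f"VIP {ip}: type '{v.vip_type}' will not answer ARP for the address; "
                            "use Proxy ARP or CARP unless the ISP routes it to the WAN IP")
    for n in nat_1to1:
        ext = ip_interface(n.external).ip
        if ext in wan_ips:
            findings.append(f"1:1 NAT {ext}: the WAN interface address cannot be 1:1 mapped; "
                            "port-forward off it or map a VIP instead")
        elif ext not in vip_ips:
            findings.append(f"1:1 NAT {ext}: external address is not defined as a VIP")
    return findings


def posted_config():
    """Constructed composite of the thread's attempts: OPT1 on DHCP, VIPs typed
    'Other', and a 1:1 mapping on the WAN interface address itself."""
    interfaces = [
        Interface("WAN", "wan", "static", "198.51.100.241/29", "198.51.100.246"),
        Interface("LAN", "internal", "static", "10.20.0.1/24", dhcp_server=True),
        Interface("OPT1", "internal", "dhcp"),
    ]
    vips = [VirtualIP(f"198.51.100.{h}/32", "other") for h in range(242, 246)]
    nat = [OneToOneNat("WAN", "198.51.100.241/32", "10.40.0.11/32")]
    return interfaces, vips, nat


def fixed_config():
    """Same layout after applying the advice in the replies."""
    interfaces = [
        Interface("WAN", "wan", "static", "198.51.100.241/29", "198.51.100.246"),
        Interface("LAN", "internal", "static", "10.20.0.1/24", dhcp_server=True),
        Interface("OPT1", "internal", "static", "10.40.0.1/24", dhcp_server=True),
    ]
    vips = [VirtualIP(f"198.51.100.{h}/32", "proxyarp") for h in range(242, 246)]
    nat = [OneToOneNat("WAN", f"198.51.100.{h}/32", f"10.40.0.{h}/32") for h in range(242, 246)]
    return interfaces, vips, nat


if __name__ == "__main__":
    for label, cfg in (("as posted", posted_config()), ("fixed", fixed_config())):
        print(f"== {label}: {len(lint(*cfg))} finding(s)")
        for f in lint(*cfg):
            print("  -", f)
```

Running it reports six findings for the posted layout (OPT1 on DHCP, four VIPs of type Other, and the 1:1 mapping on the WAN address) and none for the corrected one; passing `isp_routes_vips=True` suppresses only the VIP-type findings, which is the exception cmb mentions.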

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.