Netgate Discussion Forum

How can I achieve this with my current setup?

Installation and Upgrades

orientalsniper wrote:

Hello all ;D

Here is my setup: http://i.imgur.com/IMJ2gM6.png

I have the purple part done. I have the first public IP address (the ISP gave me 32 public IPs) assigned to the WAN interface, but Windows in the server has no internet connection and I can't ping anything in pfSense.

WAN: xxx.xxx.xxx.98
Subnet: /27

LAN: 192.168.2.1

WLAN: DHCP

You don't need to explain everything to me in detail; give me a quick summary and I'll look for documentation.

JoelC707 wrote:

You need to use Virtual IPs to take advantage of the extra IPs you have available. From there you can do 1:1 NAT to assign local private IP systems to a specific public IP. Assuming you want private IPs on the local servers instead of trying to assign public IPs to a machine.

orientalsniper wrote:

I want to use the public IPs and assign them to my computers (20 computers), or am I asking the impossible?

JoelC707 wrote:

No, it's not impossible, but they would then basically be "parallel" to pfSense and not "behind" pfSense. In other words, you would lose any protection applied by pfSense and they would really need to be connected to the same switch/VLAN as the WAN side of pfSense. The only way I can see being able to utilize public IPs behind pfSense (or any firewall/router for that matter) is if you had routed IPs and you could assign your /27 to the LAN side (or were doing some form of RIP or BGP or something).

orientalsniper wrote:

Wow, you lost me there. Where can I read more about "routed IPs"? I wasn't really looking for the protection in pfSense, I wanted the traffic shaping in it :P

JoelC707 wrote:

Normally when you get a block of IP addresses from an ISP, the WAN side has a random IP address assigned to it out of their pool. The LAN side gets a routed block of IPs, via RIP usually. The difference with conventional ISPs is that the cable/DSL modem or even T1 router has the WAN address and its Ethernet port is the start of your routed IP addresses (usually taking up one of those IP addresses in the process). I'm not exactly sure what kind of service you have or what provider you have, but the fact you've gotten a /27 means you probably aren't on a typical cable/DSL circuit. To really make it work, you would need a direct Ethernet hand-off from the ISP so that the WAN side of pfSense really was the WAN and not a modem/router in front of pfSense.

orientalsniper wrote:

How do I get a direct Ethernet hand-off from the modem? I can access it and change it ;D

kejianshi wrote:

Post a picture of your line coming into your house where it goes into the modem, so that people can see the model number of the modem, and tell people who your internet company is, so maybe someone who knows how they do business can help you. Black out your MAC address.

orientalsniper wrote:

Model is TP-Link TD-8840T. The ISP is somewhere in Central America, so I doubt that would help.

Also, if I assign a VLAN to every public IP, does every site see the public IP for each computer?

kejianshi wrote:

http://www.tp-link.com/Resources/document/TD-8840T_V4_User_Guide.pdf

Section 4.4.1.6 Bridge

I bet you have to bridge to your ISP's network, but first you would have to bridge the modem to your pfSense WAN.

Then do something like this for each IP assigned.

http://www.youtube.com/watch?v=zrBr0N0WrTY

I'd want pfSense doing all the heavy lifting, not that modem. Just use the modem as a modem only.

That's assuming your ISP isn't doing something goofy.

When you get a /27 handed over, you really should make sure they tell you EXACTLY what method will be used to allocate that.
You need to know at least your IP range, your gateway, etc. You will burn up a couple of IPs for the pfSense and the gateway and have 30 left to hand out.

(P.S. I see no reason why it can't be done, but how fast can each separate IP get if all 30 of them are being delivered over 1 DSL line?)

Rhetorical question…

Downstream: Up to 24Mbps total
Upstream: Up to 3.5Mbps total

orientalsniper wrote:

Sadly no: downstream 8mbps and upstream 1mbps. Which is why the traffic shaping part is important to me.

I only have about 20 clients requiring public IPs, so I can spare 5 IPs max.

kejianshi wrote:

If you bridge it to the pfSense WAN so that ONLY pfSense touches the modem and no other computers, then assign your IPs like the video shows and use VLANs and a nice big VLAN switch, you can do it. I had something very similar when I had to install one for a friend. He had a /30 I think with Verizon FIOS. He lived in an apartment so they wouldn't bring fiber to his door. Instead they brought fiber to the building in an electrical room and then routed DSL from the fiber modem to each room. It would actually have been A LOT better for you had they given you a modem only, and not the combo device.

Then I had to do basically what's in that video. Worked fine on FIOS wanna-be DSL.

orientalsniper wrote:

Sorry, I'm out right now and can't watch the video clearly on mobile. I'll watch once I get back home.

I have an unmanaged gigabit switch; can I use that instead of buying a VLAN switch?

Also, by combo device, do you mean a simple router instead of an ADSL2+ modem router?

kejianshi wrote:

No - you will either need 30 LAN ports or a 30 port VLAN switch to deliver 30 separate public IPs to 30 devices. This is one of those times where I would use a VLAN switch. It's more cost-effective than 30 NIC cards… Someone else might have a better answer than that for you.

stephenw10 (Netgate Administrator) wrote:

Hmm, this is outside my usual experience, but you can traffic shape on a per IP basis rather than per interface. I would think you could achieve this without needing to use VLANs to separate each client. Also you can disable NAT entirely and have your /27 routed to the clients. How that is done is entirely dependent on how your ISP is providing it though. In that situation you still have the ability to control traffic with firewall rules.

Steve

orientalsniper wrote:

So even with NAT disabled, traffic shaping should still be able to function?

stephenw10 (Netgate Administrator) wrote:

Yes. The traffic is still routed through the box so shaping can be applied. As can firewall rules.
There's a good example of this in the existing pfSense book if you have it, Section 8.2.

Steve

orientalsniper wrote:

Here's what I just did:

Disabled NAT, plugged a laptop into the LAN interface (192.168.2.1); the laptop got assigned 192.168.2.103. Did the virtual IP and 1:1 NAT like here: http://www.youtube.com/watch?v=zrBr0N0WrTY

I can access the WebGUI from the laptop at 192.168.2.1. I can ping any IP from pfSense, but the laptop cannot connect to any external sites yet.

kejianshi wrote:

Can you ping your gateway? Do you have DNS servers assigned in pfSense?
stephenw10 will know more than me about traffic shaping. I don't use it.
I have set it up a few times to test and it's straightforward.
Bandwidth flows like water here for my needs.

However, I think you will want to make sure you can ping the gateway and get DNS assigned if you have not.
A good place to start is 8.8.8.8 and 8.8.4.4, but you can research DNS options later.

System > General Settings

orientalsniper wrote:

I can ping xxx.xxx.xxx.98 (pfSense WAN) and 192.168.2.1 (pfSense LAN),
but cannot ping xxx.xxx.xxx.97 (ISP gateway).

DNS is set to Google's in pfSense; also set it on the laptop.

pfSense can ping any external IP.

kejianshi wrote:

haha - Well, you can ping your internal network. That's a plus. Could be worse, I guess.
Can you post screenshots of the settings you have entered?

orientalsniper wrote:

I think I got confused.

stephenw10 said I could do it without VLANs, but I did what the guy in the video did, which I think you told me requires a managed switch.

kejianshi wrote:

Well - perhaps me and stephenw10 have differing ideas of what you define as a "client".

I'm defining a client as a bunch of separate IP cameras and local computers in your immediate vicinity.
In which case I'm thinking, perhaps wrongly so, that you'll need a VLAN switch to get public IPs to all those devices.

Perhaps he is thinking of client as clients…. As in people you are supplying IPs to for $$$.
Or he could know something I don't. A better way.

stephenw10 (Netgate Administrator) wrote:

You should be able to do this either way. I have to confess I have only done this experimentally, so I'm a little unsure on the detail.
Using virtual IPs and 1:1 NAT will probably be easier to set up. You have to leave NAT enabled for that to work though; that's probably why you can't ping the gateway (or aren't seeing the ping responses from the gateway).

Steve

kejianshi wrote:

I think this is a "too many cooks in the kitchen" thing, like you said before, stephenw10.
I'll shut up a while so directions for 2 differing recipes don't get mixed into one.

orientalsniper wrote:

I just enabled NAT back, but the laptop can't ping any external sites.

Here's the album:

http://imgur.com/a/PJCsF

External IP (/27) and Virtual IP are the same.

stephenw10 (Netgate Administrator) wrote:

Ok.
On the first page you said you wanted the public IPs actually assigned to the internal machines, but here you are trying to 1:1 NAT to private IPs. You should be able to do either, but decide which way you need to go. 1:1 NAT is going to be easier to set up, a bit tedious but with only 20 clients doable. However, some software insists on having a public IP and won't run behind 1:1 NAT.

Steve

orientalsniper wrote:

Ok, sorry!

With NAT, the internet connection works, but the laptop is using xxx.xxx.xxx.98 as its public IP (pfSense WAN IP).

Well, I can go either way, as long as the outbound connection uses a different IP for every computer. My current setup with my clients is using a public IP for each, but with a different ISP (different IPs), so I guess maybe we should try this way?

orientalsniper wrote:

Wow, OK, whatismyip.org just reported my IP as xxx.xxx.xxx.99 ??? I'm going to try now with a simple 5 port switch with another computer. Let me report back, thanks.

stephenw10 (Netgate Administrator) wrote:

Your virtual IP should be /32 (a single IP) since you have 1:1 NATed it to a single internal IP. Set up 20 VIPs, one for each internal device.
It may be possible to do the entire /27 range, though I've never done that and there would be a conflict with the WAN address.

Steve

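A worked version of that VIP plan, as an added example (not code from the thread or from pfSense): it counts what is left of a /27 once the network and broadcast addresses, the ISP gateway (.97) and the WAN address (.98) are set aside, pairs each internal host with its own /32 VIP, and flags a VIP that would cover the WAN address, the conflict mentioned above. It assumes 203.0.113.96/27 (a documentation prefix standing in for the masked xxx.xxx.xxx.96/27), the interface name em0 and constructed LAN hosts; the pf-style binat lines only illustrate what a 1:1 entry means and are not pfSense's generated ruleset.

```python
"""Plan /32 virtual IPs and 1:1 NAT pairings for a /27 behind pfSense.

Added example; not the thread's or pfSense's own code. The public block,
the interface name and the LAN hosts below are constructed placeholders.
"""
import ipaddress

# Constructed to mirror the thread: .97 = ISP gateway, .98 = pfSense WAN.
ISP_BLOCK = ipaddress.ip_network("203.0.113.96/27")
ISP_GATEWAY = ipaddress.ip_address("203.0.113.97")
PFSENSE_WAN = ipaddress.ip_address("203.0.113.98")
WAN_IF = "em0"  # assumed WAN interface name


def usable_vips(block=ISP_BLOCK, reserved=(ISP_GATEWAY, PFSENSE_WAN)):
    """Return the addresses of `block` that may become /32 VIPs, as strings.

    block.hosts() already omits the network and broadcast addresses; the
    gateway and the WAN address are dropped on top of that.
    """
    skip = set(reserved)
    return [str(ip) for ip in block.hosts() if ip not in skip]


def vip_conflicts_with_wan(vip_cidr, wan=PFSENSE_WAN):
    """True if a VIP given in CIDR form would cover the WAN address itself.

    Entering the whole /27 as one VIP trips this; a /32 per host does not.
    """
    return wan in ipaddress.ip_network(vip_cidr, strict=False)


def plan_binat(internal_hosts, block=ISP_BLOCK,
               reserved=(ISP_GATEWAY, PFSENSE_WAN)):
    """Pair each internal host with its own public /32, in order.

    Raises ValueError when there are more hosts than free public addresses
    or when an "internal" host actually lies inside the public block.
    """
    pool = usable_vips(block, reserved)
    if len(internal_hosts) > len(pool):
        raise ValueError(
            f"{len(internal_hosts)} hosts but only {len(pool)} free public IPs")
    mapping = {}
    for inside, public in zip(internal_hosts, pool):
        if ipaddress.ip_address(inside) in block:
            raise ValueError(f"{inside} is in the public block; use a private address")
        mapping[inside] = public
    return mapping


def binat_rules(mapping, wan_if=WAN_IF):
    """Render one pf-style binat line per 1:1 pairing (illustrative only)."""
    return [f"binat on {wan_if} from {inside} to any -> {public}/32"
            for inside, public in mapping.items()]


if __name__ == "__main__":
    # Constructed LAN hosts: the laptop from the thread plus two more.
    hosts = ["192.168.2.103", "192.168.2.104", "192.168.2.105"]
    for rule in binat_rules(plan_binat(hosts)):
        print(rule)
    print(f"{len(usable_vips())} addresses left for VIPs in {ISP_BLOCK}")
    print("whole /27 as one VIP conflicts with WAN:",
          vip_conflicts_with_wan(str(ISP_BLOCK)))
```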
orientalsniper wrote:

;D http://i.imgur.com/pV1T3wv.jpg

Now to the other issue: I don't have an internet connection, nor can I access the WebGUI on the host machine (where the VM is running), but the LAN interface is getting an IP from DHCP from the pfSense VM.

stephenw10 (Netgate Administrator) wrote:

Hmm, I think we'll need some more details there. What is the host OS? What virtualisation software are you using? How many NICs?

Steve

kejianshi wrote:

"I don't have internet connection nor I can access WebGUI in host machine (where VM is running)" :o :'( :D
That's the first time "VM" has come up…

orientalsniper wrote:

haha, sorry for abusing you :D

I'll read into it more and see if I can figure it out. For now pfSense in the VM is working properly. Will report anyway. Thanks.

kejianshi wrote:

It's no big deal - I never asked what is physical and what is virtual. These days, it should probably be a standard question I ask up front. So, did you get that info? OSes involved, VM type (VMware, VirtualBox?), etc.

orientalsniper wrote:

It's Windows 7 running VirtualBox; there are 2 physical NICs and 1 wireless card.

On the VM side, WAN is bridged to the 1st NIC, LAN is bridged to the 2nd NIC. For now wireless is isolated.

I haven't had time yet to keep testing; I will report as soon as possible.

stephenw10 (Netgate Administrator) wrote:

You did show a virtual environment in your first diagram, it just wasn't clear to me how things were connected.

It's hard to say quite what the issue here is. How does Windows see the NICs? If the host is receiving an IP from the pfSense DHCP server but still cannot access the webGUI I would suggest it is defaulting to using the wrong NIC. It would not be able to do so via the pfSense WAN unless you have enabled firewall rules to allow it. If the other NIC is not setup in Windows correctly then that would explain why it cannot get internet access.

Steve

orientalsniper wrote:

Let's put that aside for a moment. Do you know why, after changing LAN from the default (192.168.1.1) to anything else (i.e. 10.0.0.0), I can't access the WebGUI or have internet access?

stephenw10 (Netgate Administrator) wrote:

From where?

Did you refresh any DHCP leases?

It's sometimes necessary to restart the pfSense box to flush any references to the old address, or at least that's the easiest way.

Steve

orientalsniper wrote:

I solved it: I took out TCP/IP in the host (Windows) and used the internet connection to connect to the WebGUI.

But I got another issue. Virtual IP and 1:1 NAT are working fine on all the computers, except a Ricoh printer (MPC2050): every computer on the LAN can ping it (10.0.0.99), but none can ping its external IP (xxx.xxx.xxx.99). Even the printer itself can't ping anything outside.
