Putting servers directly on the Internet



  • I'm not sure if this is a firewall, routing or NAT question, so please point me in the right direction.  ???

    I have a subnet of 8 public IPs that I want to put directly on the internet, no filters, rules, NATs, just directly connected to the web. (they have their own security)  I have pfSense running with WAN, LAN and OPT1.  OPT1 is where I want to put the public IPs.  When I go to myipaddress(dot)com with a computer on the OPT1 or LAN networks it responds with the IP address of the WAN interface.  For the LAN computers this is the desired behavior, but unacceptable for the OPT1 computers. The OPT1 network computers should respond with their public IP address.

    Suggestions?  TIA



  • Assuming the WAN interface is connected to your Internet switch, create a bridge between the OPT1 and WAN interfaces and assign the desired public IP address directly on the OPT1 computers. By default all traffic will still be blocked, so you need to create rules on WAN from * to the desired public IP:port for each service to allow the servers to receive incoming connections.



  • Are these physical or virtual machines?



  • @kejianshi:

    Are these physical or virtual machines?

    At the risk of complicating an already complex subject - the servers and pfSense are virtual, running on ESXi 5.1.  The LAN side connects to a wireless access point to support the many different devices in the office.  The access point only provides wireless. Everything else, DHCP, routing, rules, is provided by pfSense.  This post is being written from the LAN side so I am reasonably sure it is configured correctly.  (I could have just as easily posted from one of the virtual servers, so I know OPT1 is getting to the internet, it's just not working the way I need.)



  • You can just connect all the OPT1 servers to the same vSwitch as the WAN port if you don't need pfSense's firewall capabilities.



  • The answer is . . . . it is a NAT problem

    Firewall > NAT > Outbound

    • Check the Manual Outbound NAT rule generation radio button
    • When you save a number of rules are generated for your sources
    • Delete the rules related to OPT1
    • Save and apply
    • Enjoy the sweet feeling of success!

    kejianshi - your way would work if we had two internet connections.  We only have one, so pfSense is required.



  • You're just doing things without understanding. You haven't even mentioned what kind of Internet connection it is. How are you getting multiple IP addresses? Direct IP over Ethernet? Multiple PPPoE?

    Deleting NAT rules won't make it work. It will in fact stop OPT1's Internet from working completely. Something else has happened and you don't know what it is. A public IP address cannot magically be used on the other side of an internal interface.



  • "You can just connect all the OPT1 servers to the same vSwitch as the WAN port if you don't need pfSense's firewall capabilities"

    Exactly what I was thinking.  That's why I wanted to know if it's virtual.

    I like that suggestion.  Seems most simple.  I like simple.



  • @KurianOfBorg:

    You're just doing things without understanding. You haven't even mentioned what kind of Internet connection it is. How are you getting multiple IP addresses? Direct IP over Ethernet? Multiple PPPoE?

    Deleting NAT rules won't make it work. It will in fact stop OPT1's Internet from working completely. Something else has happened and you don't know what it is. A public IP address cannot magically be used on the other side of an internal interface.

    LOL My post count here may be low, but this ain't my first rodeo. I've played the game of answering questions like yours and I think it's a new way of trolling.  Let's see how many pointless and misleading questions we can get the newbie to answer.  Never give all of the details if you don't have to.  Well-meaning people get all confused with them and send you down rat holes, and those who know what they are talking about don't need all of the irrelevant stuff.  (The trick is knowing what is and is not relevant.  You learn that by being sent down rat holes.  ::) )

    For those that might stumble onto this thread, removing the outbound NAT on the OPT1 interface is an easy way to get your servers on the internet while still maintaining firewall functionality. (Here's an example of a detail I left out on purpose: I want firewall functionality.  But that information would have been too much for this question.)  The kind of internet connection is irrelevant, but if you find yourself here make sure your upstream provider has configured their side correctly. Mine swore up and down they had everything working, but it wasn't until I put Wireshark on the line and PROVED their configuration was wrong that they fixed it. (Note to self: do not be like them when providing service to my customers.)  Some of the search words I used were transparent firewall, Outbound NAT.  I found one thread that really helped me but I've lost it now.

    Mods, this really was a NAT question it might be good if it were moved over there.  Thanks for your work, pfSense and this forum are great.
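The outbound NAT procedure given earlier in the thread (switch to manual outbound NAT rule generation, delete the generated rules for OPT1, save and apply) and the summary in the post above can be modelled in a few lines. What follows is an added example, not code from pfSense or from anyone in the thread: it mimics how pf evaluates `nat` rules (first matching rule wins, no match means the packet leaves untranslated) and shows why deleting the OPT1 rules changes what a site like myipaddress.com reports. The addresses (WAN 203.0.113.2, LAN 192.168.1.0/24, OPT1 198.51.100.0/29) and the interface name `wan` are constructed for illustration. The model only covers the NAT decision on the firewall; whether the upstream actually routes the public block back to your WAN, the point raised later in the thread, is outside it.

```python
"""Model of pfSense outbound NAT for the LAN/OPT1 setup discussed in this thread.

Added example, not pfSense code. Addresses are constructed for illustration:
WAN address 203.0.113.2, LAN 192.168.1.0/24, OPT1 (public block) 198.51.100.0/29.
"""
from dataclasses import dataclass
import ipaddress

# Constructed sample networks (assumptions, not taken from the thread)
WAN_ADDR = ipaddress.IPv4Address("203.0.113.2")
LAN_NET = ipaddress.IPv4Network("192.168.1.0/24")
OPT1_NET = ipaddress.IPv4Network("198.51.100.0/29")


@dataclass(frozen=True)
class OutboundNatRule:
    """One outbound NAT rule: traffic leaving `interface` from `source` is rewritten
    so that its source address becomes `translate_to`."""
    interface: str
    source: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address


def automatic_rules():
    """Rules pfSense generates when you first pick manual outbound NAT rule generation:
    one masquerade-to-WAN rule per internal network, OPT1 included."""
    return [
        OutboundNatRule("wan", LAN_NET, WAN_ADDR),
        OutboundNatRule("wan", OPT1_NET, WAN_ADDR),
    ]


def drop_rules_for(rules, network):
    """The 'delete the rules related to OPT1' step: keep every rule whose
    source is not the given network."""
    return [r for r in rules if r.source != network]


def apparent_source(src, rules, out_iface="wan"):
    """Source address the far end sees for a packet from `src` leaving `out_iface`.

    pf evaluates nat rules first-match: the first rule whose interface and source
    match decides the translation. If nothing matches, the packet keeps its own
    address, which is what the OPT1 servers need.
    """
    src = ipaddress.IPv4Address(src)
    for r in rules:
        if r.interface == out_iface and src in r.source:
            return r.translate_to
    return src


def to_pf_conf(rule):
    """Render a rule in pf.conf syntax (the form pfSense loads into pf)."""
    return f"nat on {rule.interface} from {rule.source} to any -> {rule.translate_to}"


if __name__ == "__main__":
    auto = automatic_rules()
    manual = drop_rules_for(auto, OPT1_NET)
    for label, ruleset in (("automatic", auto), ("manual, OPT1 rules deleted", manual)):
        print(f"== {label} ==")
        for r in ruleset:
            print("  " + to_pf_conf(r))
        print("  LAN host 192.168.1.10 appears as", apparent_source("192.168.1.10", ruleset))
        print("  OPT1 host 198.51.100.3 appears as", apparent_source("198.51.100.3", ruleset))
```

With the automatic rules both hosts show up as the WAN address; after the OPT1 rules are deleted the LAN host still masquerades while the OPT1 host leaves with its own public address. Because pf is first-match here, a leftover catch-all rule (for example one whose source is `0.0.0.0/0`) placed before the OPT1 rules would silently reintroduce the translation, so check the ordering of whatever remains after the deletion.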



  • "I want firewall functionality"

    Yeah - I actually thought you didn't want any of this going through the firewall myself.  That's why I didn't recommend transparent mode from the beginning.
    Still don't know how much I like "transparent" as it is described in the how-to.  Did you do it?  Works well?

    I've not had an excuse to disable NAT totally yet, so not sure how well it works.



  • @jsigned:

    For those that might stumble onto this thread, removing the outbound NAT on the OPT1 interface is an easy way to get your servers on the internet while still maintaining firewall functionality. (Here's an example of a detail I left out on purpose: I want firewall functionality.  But that information would have been too much for this question.)

    No, removing NAT rules will not get servers public IPs on the Internet on most people's Internet connections. Your WAN interface would either need to be bridged to the internal interface, or your ISP would need to set up routing from their end or accept route updates from your end (very few people have connections like this, which is why the type of connection is relevant).

    And secondly, it's obvious that sending traffic across two interfaces on pfSense is so that it can be firewalled. Otherwise you can just do it in VMware without adding the processing overhead.



  • I could see why I might want some small servers right against the internet and others firewalled.  I took the question seriously.  If I had a SIP server and a bunch of public IPs I'd be tempted to run pfSense + clients alongside a completely un-firewalled, un-NATed SIP server. NAT+SIP piss me off…

    Not sure why OP got upset?

