Pfs with multiple public IPs and a subnet? Can I have NAT + Routing?



  • Hello people,

I am very new to firewalls like pfSense. For a week now I have been trying to solve the following problem, and it seems that without someone's help I won't get very far.

    What I have:

    A virtualization box running Proxmox. The host which is located in a datacenter has:

    1. One public IP for the host +

    2. Two 'single' extra (public) IPs (each with its own gateway and subnet mask) +

    3. One /28 subnet routed by the DC to the box

    4. One physical NIC on the box

    What I want to do:

    1. Use those extra IPs (single and from subnet) in my KVM in two ways:

    a- Some VMs will get private IPs (192.168.1.x) and hence NAT will be used

    b- Some VMs must get a real IP (from singles or subnet) as I do not want to run those guests with private IPs at all.

    2. I want ALL traffic to those VMs to be controlled by the pfSense box, so everything is controlled by the pfSense KVM and no traffic is passed directly to the other KVMs unless it is 'allowed' by pfSense.

    Where I am stuck?

    First of all, the above scenario is already working without pfSense, using only the host's iptables with IP forwarding enabled. I want, however, to change that and introduce pfSense.

    On the host I have created various bridges in order to route the single IPs and the subnet. It works fine without pfSense, and some of my VMs are working on a real IP which routes to them. (Note that those guests currently have their own internal software firewall, and I want to change this so that pfSense does that, if possible!)

    **Questions:**

    1. Can I do the above with pfSense and have guests that are partly NAT'ed and partly on real IPs? Doing the NAT option is easy. What about the routing? Remember that I DON'T want to use internal IPs on some of those VMs.

    2. If the routing of guests with REAL IPs IS possible, can I still control which traffic to pass to those guests, or will the traffic be sent unfiltered, so that I will be forced to install a software firewall on those guests?

    Any help is much appreciated!


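To make the routed-subnet part of the question concrete, here is an added example (it is not from the original post or from any reply in the thread) of how the Proxmox host and the pfSense VM can be laid out so that NAT'ed guests and guests with real addresses coexist behind one pfSense instance, with all traffic to the real-IP guests passing through pfSense's rules. Every address is a placeholder from the documentation ranges: the host's public IP, the extra single IP used as pfSense's WAN address, and the routed /28 are assumptions standing in for the poster's real values, and the NIC and bridge names are illustrative.

```text
# /etc/network/interfaces on the Proxmox host (added example; assumed addresses)
#
#   198.51.100.10/24   host's own public IP (assumed), gateway 198.51.100.1
#   198.51.100.11      one of the extra single IPs, used as pfSense's WAN address
#                      (assumed to share the host's subnet and gateway)
#   203.0.113.16/28    the /28 the DC routes to the host's IP (assumed)
#   192.168.1.0/24     private range for the NAT'ed guests (from the post)

auto lo
iface lo inet loopback

# vmbr0: the only bridge with a physical port. The host and pfSense's WAN sit here.
auto vmbr0
iface vmbr0 inet static
    address 198.51.100.10/24
    gateway 198.51.100.1
    bridge-ports eno1
    bridge-stp off
    bridge-fd 0
    # The DC delivers the /28 to 198.51.100.10; the host passes it on to pfSense's
    # WAN address and nowhere else. This is the only forwarding the host still does:
    # remove any MASQUERADE/DNAT rules the host's iptables had for these addresses.
    post-up sysctl -w net.ipv4.ip_forward=1
    post-up ip route add 203.0.113.16/28 via 198.51.100.11 dev vmbr0
    pre-down ip route del 203.0.113.16/28 via 198.51.100.11 dev vmbr0

# vmbr1: pfSense LAN. No physical port and no host address, so guests here can
# only reach the outside through pfSense, which NATs them to its WAN address.
auto vmbr1
iface vmbr1 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# vmbr2: pfSense OPT1 ("DMZ") for the /28. Again no physical port and no host
# address, so the only path between these guests and the world is pfSense.
auto vmbr2
iface vmbr2 inet manual
    bridge-ports none
    bridge-stp off
    bridge-fd 0

# pfSense VM: three virtio NICs, one per bridge (vmbr0 = WAN, vmbr1 = LAN, vmbr2 = OPT1)
#   WAN   198.51.100.11/24, gateway 198.51.100.1
#   LAN   192.168.1.1/24     (DHCP or static addresses for the NAT'ed guests)
#   OPT1  203.0.113.17/28    (no gateway on this interface)
#
# Guests with real addresses: attached to vmbr2, static 203.0.113.18 .. 203.0.113.30
# with mask /28 and default gateway 203.0.113.17. Their daemons bind the public IP.
#
# Firewall > NAT > Outbound: mode Hybrid, plus a rule with "Do not NAT" for
# source 203.0.113.16/28, so only 192.168.1.0/24 is translated.
#
# Firewall > Rules > WAN:  pass TCP from any to 203.0.113.18 port 443 (one rule per
#                          service you expose; traffic to the /28 enters on WAN)
# Firewall > Rules > OPT1: pass from "OPT1 net" to any, or tighter, e.g. a block
#                          rule for destination "LAN net" above it
# Anything not matched by a pass rule is dropped by pfSense's default deny.
```

The point of giving vmbr2 neither a physical port nor a host address is that a packet for 203.0.113.18 can only reach the guest by entering pfSense's WAN, being accepted by a WAN rule, and leaving via OPT1; there is no second path that bypasses the rules. That is what lets the guests keep real addresses and drop their own software firewalls, which is the second question in the post.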

  • If you are familiar with getting the basic pfSense setup to work, that means: assign a public IP, assign a LAN IP, access pfSense, give the virtual machines LAN addresses etc., then the only "problem" you are facing is how to access your virtual machines using real IPs.

    I think this is your answer:

    Youtube Video



  • Anyone?



  • @invader7:

    If you are familiar with getting the basic pfSense setup to work, that means: assign a public IP, assign a LAN IP, access pfSense, give the virtual machines LAN addresses etc., then the only "problem" you are facing is how to access your virtual machines using real IPs.

    I think this is your answer:

    Youtube Video

    Thank you for the reply.
    I had actually seen this video before posting; however, it shows how to assign public IPs to internal hosts (meaning that the internal servers have IPs from a private range, i.e. 192.168.0.x).
    Yes, this is easy; however, this is NOT what I am trying to do here. I want to assign the public IPs DIRECTLY inside the servers, so that, for example, all server daemons are bound to a PUBLIC IP and not a private one (which would introduce NATing).

    At the same time (and IF this is possible) I would like to control (at the pfSense level) which ports are open on those public IPs and hence stop/drop everything else; otherwise I would have to install a software firewall inside the VMs.

    Is THIS possible?

    Thank you

