Cannot assign hosts Static IPs - DHCP works



  • Howdy,

    I have a fresh install of pfSense in the following layout:

    [Internet]->[Cisco 3550]-> [pfSense w/ static IP]-> [lots of switches]-> hosts

    I'm able to access the Internet, gateway, and other LAN hosts when hosts are assigned static IPs.

    If I choose a 'static IP' for a host - or place another router downstream using another subnet (and thus non-matching LAN gateway) - I'm unable to access the gateway or other LAN devices.

    I've turned off NAT and attempted a number of other 'fixes' - but I'm now resorting to the forums for help.


  • LAYER 8 Global Moderator

    " (and thus non-matching LAN gateway) "

    Why would LAN interfaces have gateways??

    If you have downstream networks from your LAN interface then you need to create a route to these networks, and yes, a gateway for that route.  But you do not apply that route to the LAN interface itself.

    You say you turned off NAT?  Is the IP pfSense uses to connect to your Cisco an RFC1918 address or public?  If WAN is RFC1918 on pfSense then I would agree there is no reason for NAT downstream, etc.



  • @johnpoz:

    " (and thus non-matching LAN gateway) "

    Why would LAN interfaces have gateways??

    Poor choice of words, my bad.  There is no gateway under 'Interfaces->LAN'.

    To clarify, my WAN IP is '64.129.88.11' using a gateway of '64.129.88.1'
    the LAN interface is '192.168.2.1' which is used by DHCP'd hosts as the gateway.  That's what I meant by 'lan gateway'.

    If I were to add another router off the switch (say 192.168.3.1/24 subnet)… this needs its own route?

    if you have downstream networks from your lan interface then you need to create a route to these networks, and yes a gateway for that route.  But you do not apply that route to the lan interface itself.

    Ok, currently I have the route mentioned above of:
    Interface: LAN | Gateway 192.168.2.1 | Monitor IP 192.168.2.1

    You say you turned of nat?  Is the IP pfsense uses to connect to your cisco a rfc1918 address or public?  If wan is rfc1918 on pfsense then I would agree no reason for nat downstream, etc.

    It's public (64.129.88.11) and I'm attempting to use other public addresses as hosts.

    Thanks for your help, once I get this working I'll try to answer other noob questions as penance… :)


  • LAYER 8 Netgate

    @fritzintn:

    if I were to add another router off the switch (say 192.168.3.1/24 subnet) ….this needs it's own route?

    Umm. Yes.

    You would need to create a gateway for the device reachable by pfSense on the 192.168.2.0/24 network (netmask assumed since not specified) and create a route for 192.168.3.0/24 that sends traffic destined for that network to that gateway.

    IP Networking 101:  If a router is asked to forward a packet that is destined for an IP address that is not on a connected interface, the routing table is consulted.  If a match isn't found in the routing table the packet is sent to the default gateway if one exists.  (Technically, the routing table contains information about connected interfaces too, but it's all added automatically so the admin doesn't have to worry about it.)



  • @Derelict:

    Umm. Yes.

    Again, poor wording - I deserve that :).  I meant to imply that the setting needed to be changed within 'Routes' not elsewhere.

    I added under 'System -> Routing -> Routes':

    192.168.3.1/32 |  WANGW - 64.129.88.1  | WAN


  • LAYER 8 Global Moderator

    "192.168.3.1/32    |  WANGW - 64.129.88.1  |  WAN"

    How would your WAN GW be the route to get to other rfc1918 networks?

    "It's public (64.129.88.11) and I'm attempting to use other public addresses as hosts."

    How are you going to use other public IPs behind your pfSense that is doing NAT?  Or even if NAT is off - not sure how you're going to connect to the internet via a public interface with private IPs - and how are you going to use other public IPs downstream if pfSense sees this network on its WAN?

    Unless we are just not connecting here - not only are you new to pfSense, but also to basic networking concepts?

    Ok we have this

    [Internet]->[Cisco 3550]-> [pfSense w/ static IP]-> [lots of switches]-> hosts

    which I assume is this

    [Internet]->[Cisco 3550]-> 64.129.88.11[pfSense w/ static IP]192.168.2.1-> [lots of switches]-> hosts

    So if that 64 network is actual public internet and not some internal network where you're doing your own routing - it is impossible for you to use 192.168.x.x addresses and route through the public internet.  So pfSense needs to do NAT and change those 192.168.x.x addresses to pfSense's public IP of 64.129.88.11.

    If we assume a /24 on the pfSense LAN network 192.168.2 as mask, and you have some 192.168.3 network connected somewhere on the LAN side of pfSense, then pfSense needs a ROUTE that points to a 192.168.2.? address that knows how to get to 192.168.3.0/? - be it your switches are layer 3 or some other routers?

    So pfSense sees 192.168 addresses on its LAN – you cannot just connect a 64.219.88 address on the LAN somewhere and expect this to work from the internet or to even talk to 192.168.2.1 (pfSense).  And even if you routed it from your LAN to the pfSense LAN - pfSense has a 64.219.88 network directly connected to it.  So why would it route out its LAN interface?

    So either we are not on the same page of what you're trying to accomplish - or we have a disconnect on your understanding of NAT and basic network segments and routing?



  • Foremost, thanks for the help.  I'll throw some btc at the pfsense account later tonight.

    While not advised, the link below had suggested such a thing was possible (public and private IPs on the LAN interface):
    https://doc.pfsense.org/index.php/Can_I_have_public_and_private_IPs_on_my_LAN_interface%3F
    and http://serverfault.com/questions/269195/how-do-i-assign-a-public-ip-to-a-machine-behind-a-pfsense-box-using-11-nat

    So I was hunting for whatever black magic allows for such a thing to work.

    @johnpoz:

    "192.168.3.1/32    |  WANGW - 64.129.88.1  |  WAN"

    How would your WAN GW be the route to get to other rfc1918 networks?

    My thought process was that the host (192.168.3.100, let's say) would query the gateway (192.168.3.1) which would be mapped by pfSense to the 64.129.88.1.  This is obviously wrong, but the gist of what I was hoping for.

    Again, just grasping at straws based on the recommendation of the earlier poster to add a route.

    which I assume is this

    [Internet]->[Cisco 3550]-> 64.129.88.11[pfSense w/ static IP]192.168.2.1-> [lots of switches]-> hosts

    That's correct.

    So could I use another NIC as say LAN2 and place all my external IP hosts on that interface?


  • LAYER 8 Global Moderator

    You can assign any sort of address you want to an interface, or as per that doc use "IP alias"

    You still run into routing issues and NAT, etc.

    Here is the thing: do you own, or can you use, more IPs in this 64.129.88 address space?  Do you own it – is this you?

    NetRange:      64.128.0.0 - 64.129.255.255
    OrgName:        tw telecom holdings, inc.
    OrgId:          TWTC
    Address:        10475 Park Meadows Drive
    City:          Littleton
    StateProv:      CO

    If, let's say, for example you wanted to use 64.129.88.12.. How you would normally do it in your sort of setup, which I believe I am understanding correctly, is you would put that on your WAN interface as a VIP (IP alias).  And then you could either use a 1:1 NAT to some private IP -- say 192.168.2.12, or you could just do port forwarding for the ports you wanted 192.168.2.12 to be the server for when someone tried to access 64.129.88.12.

    Why do you want to use 64.129.88 addresses?  And have they been assigned to you from your ISP or do you own them, etc.?

    Since you mention that .1 is your gateway, the smallest network mask that I could see where you have .11 would be /28, since if it was /29 your .11 address would be on a different subnet than .1.

    Some understanding of who gave you the 64.129.88 address and what its mask might be and how you knew to put .11 on your pfSense WAN might help us understand your network more and help you accomplish what it is you're trying to accomplish.



  • @johnpoz:

    Here is the thing do you own or can you use more IPs in this 64.129.88 address space?  Do you own – is this you?

    NetRange:      64.128.0.0 - 64.129.255.255
    OrgName:        tw telecom holdings, inc.

    Yeah, we have 64.129.88.1 - 128

    I'm wanting to assign a dozen of these to machines (and access points) so they are accessible from outside.  NAT 1:1 would be ideal.

    to use 64.129.88.12.. you ….would put that on your WAN interface as a VIP (ip alias)  And then you could either use a 1:1 NAT to some private IP -- say 192.168.2.12

    Correct !!

    Why do you want to use 64.129.88 addresses?  And have they been assigned to you from your ISP

    64.129.88.1 is the gateway address that was given by the ISP (tw telecom) along with the DNS servers.

    Some understanding of who gave you the 64.129.88 address

    I just inherited a spreadsheet :).  These were assigned by the ISP (tw telecom) though.

    what its mask might be

    subnet mask is 255.255.255.128

    and how you know to put .11 on your pfsense WAN

    This was the router that was used by the previous router (now deceased).  But there is no reason it can't be another free IP in the /25 (?) range listed above.


  • LAYER 8 Global Moderator

    Ok so you have /25 – are there other devices/routers using address space in the 64.129.88.0/25 ?  A /25 is decent size - are you using many of these public IPs?

    Is the .1 your device?  I.e. the Cisco you show in your drawing?  Something like this

    internet --- publicIP (cisco) 64.129.88.1 --- 64.129.88.11 (pfsense)

    A 3350 is an older 10/100 layer 3 switch.. Seems like an odd device to be at the border?  How does your ISP connection come into your network -- so pfSense is going to be your edge/internet router?

    I would not recommend allowing access to AP from outside your network..

    How many devices do you have behind pfSense?  Is the mask on your 192.168.2.? /24 or something larger?  You mention this 192.168.3 -- do you have more segments behind pfSense?  You mention lots of switches.. Are they layer 3 and you're doing routing internally between your other segments, or are you just one big 192.168.0.0/16?

    Happy to help you out - the better I understand your network, the better I can help.  If you're not going to be using pfSense as the router for your other LAN segments, I would prob put its LAN on something other than 192.168 address space if all your space is currently that and pfSense is just going to be an edge router.

    You end up something like this

    internet - 64.129.88.11 (pfsense) 172.16.0.1/30 --- 172.16.0.2/30 (router or L3 switch) 192.168.0.0/16 networks

    This makes it easier: pfSense only needs 1 route, 192.168.0.0/16 talks to 172.16.0.2; when you use a segment that falls into the address space you're routing you end up with more route entries ;)

    Doing this does require manual outbound NAT entries though since network is not locally attached to pfsense.  But those are easier than multiple routes if you ask me and could be as simple as 192.168.0.0/16 as well.

    If you want to host say a webserver or ftp or ssh or smtp, etc. these are just simple port forwards from your 64.129.88 address space either all using just the one pfsense IP or adding more to pfsense wan, etc.

    As to accessing anything that is not a public service - like your AP interfaces, etc.  I would really VPN in for that sort of access, which pfSense can handle as well.
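    As an added example (not from any poster in this thread), here is a small Python model of the lookup Derelict's "IP Networking 101" describes, applied to the three tables discussed above: the flat LAN with a downstream router (its LAN-side address 192.168.2.254 is assumed), the 192.168.3.1/32-via-WANGW route that was actually added, and johnpoz's 172.16.0.0/30 transit design. The same_subnet helper checks the /28-versus-/29 point about .1 and .11 sharing a subnet.

```python
from ipaddress import ip_address, ip_interface, ip_network
# Longest-prefix-match lookup: a destination on a connected network goes out that
# interface, else the most specific static route wins, else 0.0.0.0/0 (default).

def build_table(interfaces, static_routes):
    """interfaces: {name: 'addr/prefix'}; static_routes: [(dest, next_hop)].
    Returns (network, next_hop, iface) rows; next_hop None means connected."""
    table = [(ip_interface(cidr).network, None, name)
             for name, cidr in interfaces.items()]
    for dest, hop in static_routes:
        hop = ip_address(hop)
        # A route's gateway must sit on a connected network (pfSense's gateway object).
        iface = next((n for net, h, n in table if h is None and hop in net), None)
        if iface is None:
            raise ValueError(f"gateway {hop} is not on any connected network")
        table.append((ip_network(dest), hop, iface))
    return table

def lookup(table, dst):
    """Return (next_hop_or_'connected', interface) for dst, or None."""
    dst = ip_address(dst)
    matches = [row for row in table if dst in row[0]]
    if not matches:
        return None
    net, hop, iface = max(matches, key=lambda row: row[0].prefixlen)
    return ("connected" if hop is None else str(hop), iface)

def same_subnet(a, b, prefixlen):
    """True if a and b fall inside one block of size /prefixlen."""
    return (ip_network(f"{a}/{prefixlen}", strict=False)
            == ip_network(f"{b}/{prefixlen}", strict=False))

# Flat layout from the thread (192.168.2.254 for the downstream router is assumed).
FLAT = build_table(
    {"WAN": "64.129.88.11/25", "LAN": "192.168.2.1/24"},
    [("0.0.0.0/0", "64.129.88.1"), ("192.168.3.0/24", "192.168.2.254")],
)
# The route fritzintn actually added: 192.168.3.1/32 via the WAN gateway.
MISROUTED = build_table(
    {"WAN": "64.129.88.11/25", "LAN": "192.168.2.1/24"},
    [("0.0.0.0/0", "64.129.88.1"), ("192.168.3.1/32", "64.129.88.1")],
)
# johnpoz's transit design: /30 link to the L3 switch, one summary route.
TRANSIT = build_table(
    {"WAN": "64.129.88.11/25", "LAN": "172.16.0.1/30"},
    [("0.0.0.0/0", "64.129.88.1"), ("192.168.0.0/16", "172.16.0.2")],
)

if __name__ == "__main__":
    print(lookup(FLAT, "192.168.3.100"))     # ('192.168.2.254', 'LAN')
    print(lookup(MISROUTED, "192.168.3.1"))  # ('64.129.88.1', 'WAN'): RFC1918 traffic handed to the ISP
    print(lookup(FLAT, "64.129.88.12"))      # ('connected', 'WAN'): never routed out the LAN
    print(lookup(TRANSIT, "192.168.3.100"))  # ('172.16.0.2', 'LAN')
    print(same_subnet("64.129.88.1", "64.129.88.11", 28), same_subnet("64.129.88.1", "64.129.88.11", 29))  # True False
```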



  • @johnpoz:

    are there other devices/routers using address space in the 64.129.88.0/25? are you using many of these public IPs?

    About 40 or so should be in use, but since the pfSense switchover yesterday - everyone's back on DHCP :).

    Is the .1 your device?  Ie the cisco you show in your drawing?  something like this

    internet --- publicIP (cisco) 64.129.88.1 --- 64.129.88.11 (pfsense)

    A 3350 is a older 10/100 layer 3 switch.. Seems like odd device to be at the border?  How does your ISP connection come into your network -- so pfsense is going to be your edge/internet router?

    It was installed by the ISP in the telecom DMARC room and splits our fiber feed with another customer.

    fiber cable -> breakout box -> fiber SC input on 3350 -> ethernet cable out of port 1 runs to our server room and then to pfSense's WAN interface.

    wan[pfsense]lan0 -> dlink layer 3 switches
                          lan1 -> switch for IP cameras
                          lan2 -> unused but can allocate more switches
                          lan3 -> unused but can allocate more switches

    I would not recommend allowing access to AP from outside your network..

    Agreed, but for now we'll use the APs' built-in firewall to block things until we get a list of services and properly block them on the pfSense side.

    How many devices do you have behind pfsense?

    We have 4x 24 port D-Link DGS1210 switches about half full.

    These feed to offices where small Linksys routers provide wifi and such.  It's these small routers/APs that we'd like to have external IPs, as each few ports correspond to a physical leased office space.

    Is the mask on your 192.168.2.?/24 or something larger?

    Yeah, 192.168.2.1-255 to supply the 4 24port switches mentioned above.

    You mention this 192.168.3 – do you have more segments behind pfsense?

    This 192.168.3.* will be used as a DMZ of sorts (for IP cameras and other stuff that should be off the main network).  Our pfSense box has 5 NICs in total should these need their own interface.

    you mention lots of switches.. Are they layer 3 and your doing routing internally between your other segments, or are you just one big 192.168.0.0/16 ?

    They are D-Link DGS-1210-24s and support Layer 3.  They are just acting as dumb switches for the time being, but we'd like to use some advanced features in the future.  Ideally VLAN'ing or subnetting per port as these run to leased offices for other folks.  We just provide a WAN connection.

    Happy to help you out - the better I understand your network, the better I can help.

    Again, many thanks.

    If your not going to be using pfsense as router for your other lan segments, I would prob put its lan on something other than 192.168 address space if all your space is currently that and pfsense is just going to be an edge router.

    You end up something like this

    internet - 64.129.88.11 (pfsense) 172.16.0.1/30 --- 172.16.0.2/30 (router or L3 switch) 192.168.0.0/16 networks

    This makes it easier that pfsense only needs 1 route 192.168.0.0/16 talk to 172.16.0.2, when you use a segment that falls into your address space your routing you end up with more route entries ;)

    Doing this does require manual outbound NAT entries though since network is not locally attached to pfsense.  But those are easier than multiple routes if you ask me and could be as simple as 192.168.0.0/16 as well.

    If you want to host say a webserver or ftp or ssh or smtp, etc. these are just simple port forwards from your 64.129.88 address space either all using just the one pfsense IP or adding more to pfsense wan, etc.

    As to access anything that is not a public service - like your AP interfaces, etc.  I would really VPN in for that sort of access.  which pfsense can handle as well.

    I think static routes were what I was going for.  I.e. one route for DHCP'd hosts, one route for a downstream router's gateway, etc.

    But at this point anything that gets static IPs working is welcome….



  • I think I see your problem which johnpoz has correctly identified. I'm a visual person so allow me to present a diagram of what I think you have going on:

    I have presented you with two options A or B.

    Option A:

    Just connect your new pfSense box to your Cisco 3550 and you would need to use NAT on that box to get your clients out on the Internet. The two networks 192.168.2.1 and 192.168.3.1 would not be able to communicate unless you set up a site-to-site VPN between the two.

    Option B:

    This is what I think you have going on. The key here is that your second pfSense box or router needs to have an IP in the address space of your pfSense (Firewall) box so that the two can communicate. Once you have done that you will either need to run a routing protocol between the two so they can exchange routes (I would suggest RIPv2 because it is easy to configure and it doesn't take a lot of processing power, but there are other options as well like OSPF), or, if you don't want to run a routing protocol, you would have to set up static routes on both routers so they know how to send traffic to each other.

    P.S.

    If I had to guess why the 3550 is there, it would be so that you can connect all your gear to it if you wanted them to have a public IP address, which is nice because otherwise you would have to buy one on your own. It also gives your ISP a way to check for connectivity in case there is an issue, so they can determine whether it is something on your end or their end.



    One last thing which is very important and johnpoz mentioned it: you would need to put a default route (0.0.0.0/0) on your second pfSense box pointing back to the first pfSense box that is doing the NATting. In Cisco there is a way to distribute a default route using a dynamic routing protocol like RIP or OSPF; I have not looked into that much with pfSense. If there is no way to distribute the default route automatically then just add it statically and you should be good to go.

