How to set up 20 public IPs



  • Hello,

    I've been using pfSense for a couple of years as an edge router/VPN/remote access device. Basically, the easy stuff.

    Now I've been tasked with setting up 10-20 webservers in a data center. These will be public-facing servers, so my first thought is to set up a pfSense router to block most traffic and just pass HTTP/port 80 to the servers.

    • do I just add/multi-home the main WAN interface with the 20 IPs?
    • I've seen some posts about bridging the WAN interface, but I still need to read more

    Can someone give me a 'headed in the right direction' or 'no, read up on bridging' opinion for the following scenario?

    • I believe we are getting a /28 for a total of 16 IPs (so 1.2.3.x/28 gives me 1.2.3.0-1.2.3.15, 14 usable)
    • the LAN side would be 192.168.1.0/24, webservers starting at 192.168.1.101
    • create a rule that states 'In from WAN 1.2.3.1, any port, to LAN 192.168.1.101 port 80'
    • create a rule that states 'In from WAN 1.2.3.2, any port, to LAN 192.168.1.102 port 80'
    • create a rule that states 'In from WAN 1.2.3.3, any port, to LAN 192.168.1.103 port 80'
    • etc. for all remaining IPs


  • This can be accomplished in a number of ways.
    You can use 1:1 NAT, which is basically what you listed, but everything gets forwarded and you have to create the rules manually to allow port 80.
    You can use port forwards, and the port forward rules will create FW rules for you.
    You can use a bridged solution where the live IPs are on the web servers and the FW limits only by port (to me this is overcomplicated, but it works, with no NAT, an invisible FW, and the like).
    You can use a routed solution where the WAN has a /30 and your ISP routes your /28 to your WAN IP address. This takes you and your ISP working together, but the live IPs are on the webservers and you can route multiple subnets to your pfSense machine. You would then only need to create rules to pass the traffic. No NAT will be required, and it will be turned off.
    There are also other considerations. For example, if you plan on one day clustering FWs, you would go ahead and set up CARP virtual IPs. If you only ever plan on using just one FW, then IP Alias is the way to go. That is, if you are not going to bridge.

    I know this muddies the situation, but all are viable and will need to be worked out before you set up.



  • Time to resurrect an old thread.

    I've added a Virtual IP, then added 1:1 NAT, and added a firewall rule. The website on the inside at 192.168.0.102 is working fine.

    When I try to go to http://1.2.3.2 it just times out. I think it must have to do with the WAN address on the pfSense router. Right now I have 1.2.3.1/28; should I be changing that? It seems to me it is only listening on that single IP address.

    1.2.3.2 should point/forward to 192.168.0.102

    FYI, I'm not actually using 1.2.3.1; I'm using this as my substitute.



  • Looked around some more. It looks like adding the Virtual IP(s) is the equivalent of multi-homing the box.

    See
    https://www.youtube.com/watch?v=5lMRA1ntgz8
    for getting it up and running with the bare essentials

    My problem was I only added a firewall rule for port 80/HTTP when I needed to also add 443/HTTPS. cPanel takes the main IP (HTTP) and forwards it to the IP (HTTPS).

    Hope this helps others.
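The options laid out in the second reply (1:1 NAT, port forward, routed /28) and the 80/443 lesson from the post above, written out as the pf.conf that pfSense generates behind its GUI. This is an added example, not from the thread or from pfSense itself; the interface names and addresses are assumptions: WAN em0 at 1.2.3.1/28, LAN em1 at 192.168.1.1/24, webservers 192.168.1.102 and 192.168.1.103 behind public 1.2.3.2 and 1.2.3.3.

```pf
# Added example (not the original poster's config). Assumed layout:
#   WAN em0 = 1.2.3.1/28, LAN em1 = 192.168.1.1/24
#   1.2.3.2 -> 192.168.1.102 via 1:1 NAT (binat)
#   1.2.3.3 -> 192.168.1.103 via port forward (rdr)
ext_if = "em0"
int_if = "em1"

# The public addresses must exist on the WAN segment so the firewall answers
# ARP for them. In the pfSense GUI these are Virtual IPs of type IP Alias (or
# CARP if a second firewall is planned); a VIP of type "Other" is NOT ARP'd for.
# Equivalent ifconfig for the alias, using the WAN subnet's own mask:
#   ifconfig em0 inet 1.2.3.2 netmask 255.255.255.240 alias
web_pub_102 = "1.2.3.2"
web_pub_103 = "1.2.3.3"
web_int_102 = "192.168.1.102"
web_int_103 = "192.168.1.103"
web_ports   = "{ 80, 443 }"

set skip on lo0
scrub in all

# --- Option A: 1:1 NAT (binat). Every port is translated in both directions,
# so the filter rules further down are the only thing keeping other ports out.
binat on $ext_if from $web_int_102 to any -> $web_pub_102

# --- Option B: port forward (rdr). Only the listed ports are translated; the
# server's own outbound traffic leaves through the general outbound NAT below.
rdr on $ext_if proto tcp from any to $web_pub_103 port $web_ports -> $web_int_103

# Outbound NAT for the rest of the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny on WAN. pf translates BEFORE it filters, so inbound pass rules
# name the internal address, not the public one. Passing 80 and 443 together
# is the fix from the post above: with 80 alone the HTTP->HTTPS redirect gets
# through and the browser then times out on 443.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $web_int_102 port $web_ports flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_int_103 port $web_ports flags S/SA keep state
pass out on $ext_if all keep state

# --- Option C: routed /28 (no NAT). The ISP routes 1.2.3.0/28 to the WAN /30
# address, the /28 sits on a DMZ interface and the servers hold public IPs.
# Drop every binat/rdr/nat line above and filter by port only, e.g.:
#   dmz_if = "em2"
#   pass in on $ext_if proto tcp from any to $dmz_if:network port $web_ports flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`. On a real pfSense box you would not hand-edit pf.conf (it is regenerated from the GUI config); the fragment is here to show why the 1:1 NAT pass rule must target 192.168.1.102 rather than 1.2.3.2, and why the port forward creates its own pass rule while 1:1 NAT leaves that to you.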



  • In your VIP configuration, try specifying the WAN IP in question as a /24 and not a /32.

    For instance...
    Let's say your ISP gave you this set of IPs:
    193.204.32.1, .2, .3, .4
    Let's say you want your website on 193.204.32.3.
    In your VIP configuration, specify the VIP IP as 193.204.32.3, but force it onto a /24 mask (not a /32).