Assigning External IP Addresses to Subnets behind pfSense Box



  • Hello All:

    As others have stated before me, I am new to pfSense and looking for some direction from the community.

    I installed pfSense on a Dell PowerEdge SC440 a few months ago to replace a Juniper Networks SSG-5 security appliance that was giving us issues.

    Before my question, here is a summary of our network:

                                                                                       LAN-1 Server 2008 Domain
    Internet == FIOS ONT w/ 5 static IP Addresses via Ethernet == WAN (pfSense Box) <
                                                                                       LAN-2 SBS 2011 Standard Domain

    The Windows Server 2008 domain is on a 192.168.X.X subnet and the SBS 2011 Standard domain is pre-deployment, in the process of being configured and on a 172.16.X.X subnet.  My firewall rules are set up and both subnets are isolated from each other.

    The 2008 domain handles AD/AS, DHCP, DNS and File/Print services.  There are about 5 domain machines/users on the network (Windows 7 Pro), plus three multi-function printers (Konica-Minolta c452 color scan/print, Kyocera B/W fax/print, Dell B/W MFP).

    Once setup is complete and it is deployed, the SBS 2011 domain will replace the 2008 domain w/ the same duties, plus Exchange.

    What I can't wrap my head around is how to route one of the external static IP addresses to the SBS 2011 domain.  I have looked through the forums, and I am either not finding what I'm looking for or not understanding what I am seeing.

    Anyone willing to give me some direction?

    Thanks,

    Scott



  • What you are looking for is External to Internal NAT. You cannot assign live IP addresses to assets behind the firewall unless you have the help of your ISP. (They have to set up routing on their side.) You have 2 choices: 1:1 NAT or port forward NAT. There are many resources available to see how each works.



  • Pod:

    Thanks for the direction.  If you don't mind, I'll update my efforts for further help as I try to figure it out.

    Scott



  • Pod:

    Here is what I have done so far:

    I set up a VIP as follows:

    Type: IP Alias
    Interface: TESTLAN
    IP Address(es) - Type: Single address
                  Address: (Second Static IP from FIOS) /32

    Virtual IP Password: (greyed out)
    VHID Group: (greyed out)
    Advertising Frequency: (greyed out)

    Description: TESTLAN VIP

    I then went to (Firewall: NAT: 1:1) and created the following:

    Interface: TESTLAN

    External Subnet IP: (Second Static IP from FIOS)

    Internal IP - Type: TESTLAN subnet
                  Address: (greyed out)

    Destination - Type: FIOSONT address
                    Address: (greyed out)

    Description: TESTLAN NAT Rule

    The only problem is that when I check the IP address on the SBS 2011 server, it is still showing as the first IP address in the static block and not the one I assigned.

    Any ideas?



  • @podilarius:

    What you are looking for is External to Internal NAT. You cannot assign live IP addresses to assets behind the firewall unless you have the help of your ISP. (They have to set up routing on their side.) You have 2 choices: 1:1 NAT or port forward NAT. There are many resources available to see how each works.

    Why wouldn't bridging WAN/LAN be an option?



  • You could, but the setup of a bridge and its maintenance are a little more difficult IMO, and there are fewer options going down that road. It is doable though.



  • Thanks for all the help.  I ended up using our backup connection as a temporary measure until I deploy the new system.



  • EScottH,

    Are you performing 1:1 NAT for ALL ports?
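
The 1:1 NAT attempt described earlier in the thread, and the closing question about whether all ports are being mapped, both come down to what pfSense actually writes into its pf ruleset. The fragment below is an added illustration, not configuration posted by anyone in this thread or shipped by pfSense; it is written in the pf.conf syntax that pfSense generates from the web UI. The interface name em0, the documentation-range public address 203.0.113.11 standing in for the second FiOS static, and the SBS host address 172.16.1.10 are all assumed values.

```pf
# Added example (pf.conf syntax as pfSense emits it); not from the original thread.
# Assumed values: WAN is em0, the second FiOS static is 203.0.113.11,
# the SBS 2011 host on TESTLAN is 172.16.1.10.

ext_if       = "em0"
sbs_public   = "203.0.113.11"
sbs_internal = "172.16.1.10"

# Firewall > Virtual IPs, type "IP Alias", placed on the WAN interface, becomes:
#   ifconfig em0 inet 203.0.113.11/32 alias
# pfSense then answers ARP for 203.0.113.11 on the segment facing the ONT.
# An alias placed on a LAN-side interface is never seen on that segment, and
# outbound traffic from the host keeps leaving with the primary WAN address.

# Firewall > NAT > 1:1 on WAN, External Subnet IP = public, Internal IP = host.
# binat is bidirectional: inbound to the public address is rewritten to the
# host, and the host's outbound traffic leaves as the public address.
binat on $ext_if from $sbs_internal to any -> $sbs_public

# Port-forward alternative (Firewall > NAT > Port Forward): only the listed
# ports are translated; everything else sent to the public address is dropped.
# rdr on $ext_if proto tcp from any to $sbs_public port { 25, 443 } -> $sbs_internal

# 1:1 NAT translates every port but does not open any of them. Translation
# happens before filtering on FreeBSD pf, so the WAN rules match on the
# internal (translated) address. Expose only what Exchange needs:
pass in quick on $ext_if proto tcp from any to $sbs_internal port { 25, 443 } \
    flags S/SA keep state
block in quick on $ext_if from any to $sbs_internal
```

A quick check after applying the UI changes is `pfctl -s nat` on the pfSense box to confirm the binat line names the WAN interface, followed by connecting from outside the FiOS circuit (a phone off Wi-Fi works) to 203.0.113.11 on a port that is not in the pass list; it should time out rather than respond.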

