Netgate Discussion Forum

    Assigning External IP Addresses to Subnets behind pfSense Box

    Category: HA/CARP/VIPs
    8 Posts 4 Posters 4.6k Views
      EScottH:

      Hello All:

      As others have stated before me, I am new to pfSense and looking for some direction from the community.

      I installed pfSense on a Dell PowerEdge SC440 a few months ago to replace a Juniper Networks SSG-5 security appliance that was giving us issues.

      Before my question, here is a summary of our network:

      Internet == FIOS ONT w/ 5 static IP Addresses via Ethernet == WAN (pfSense Box) <== LAN-1 Server 2008 Domain
                                                                                       <== LAN-2 SBS 2011 Standard Domain

      The Windows Server 2008 domain is on a 192.168.X.X subnet and the SBS 2011 Standard domain is pre-deployment, in the process of being configured and on a 172.16.X.X subnet.  My firewall rules are set up and both subnets are isolated from each other.

      The 2008 domain handles AD/AS, DHCP, DNS and File/Print services.  There are about 5 domain machines/users on the network (Windows 7 Pro), plus three multi-function printers (Konica-Minolta c452 color scan/print, Kyocera B/W fax/print, Dell B/W MFP).

      Once setup is complete and it is deployed, the SBS 2011 domain will replace the 2008 domain w/ the same duties, plus Exchange.

      What I can't wrap my head around is how to route one of the external static IP addresses to the SBS 2011 domain.  I have looked through the forums, and I am either not finding what I'm looking for or not understanding what I am seeing.

      Anyone willing to give me some direction?

      Thanks,

      Scott

        podilarius:

        What you are looking for is External to Internal NAT. You cannot assign live IP addresses to assets behind the firewall unless you have the help of your ISP. (They have to set up routing on their side.) You have 2 choices: 1:1 NAT or port forward NAT. There are many resources available to see how each works.

          EScottH:

          Pod:

          Thanks for the direction.  If you don't mind, I'll update my efforts for further help as I try and figure it out.

          Scott

            EScottH:

            Pod:

            Here is what I have done so far:

            I set up a VIP as follows:

            Type: IP Alias
            Interface: TESTLAN
            IP Address(es) - Type: Single address
                          Address: (Second Static IP from FIOS) /32

            Virtual IP Password: (greyed out)
            VHID Group: (greyed out)
            Advertising Frequency: (greyed out)

            Description: TESTLAN VIP

            I then went to (Firewall: NAT: 1:1) and created the following:

            Interface: TESTLAN

            External Subnet IP: (Second Static IP from FIOS)

            Internal IP - Type: TESTLAN subnet
                          Address: (greyed out)

            Destination - Type: FIOSONT address
                            Address: (greyed out)

            Description: TESTLAN NAT Rule

            The only problem is that when I check the IP address on the SBS 2011 server, it is still showing as the first IP address in the static block and not the one I assigned.

            Any ideas?

              MACscr:
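            Added example, not taken from this thread and not pfSense's own generated ruleset: a hand-written pf.conf equivalent of the 1:1 mapping that podilarius describes, as it looks when the VIP and the 1:1 entry both live on the WAN interface. Interface names (em0, em2), the RFC 5737 placeholder address 203.0.113.11 for the second static IP, and the server address 172.16.10.5 are all assumptions; substitute the real values. The comments also note the `pfctl` checks used to confirm the mapping and the states it creates.

```pf
# Added example (not from the thread or from pfSense's generated rules):
# pf.conf-style equivalent of a pfSense 1:1 NAT that hands the second
# FiOS static address to the SBS 2011 host.
# Addresses are RFC 5737 placeholders; interface names are assumed.
#
# Step 1 - WAN VIP (Firewall > Virtual IPs, type IP Alias, interface WAN,
# address 203.0.113.11/32). pfSense then answers ARP for the address on
# the segment the ONT is attached to. A VIP placed on the internal
# interface is never seen by the ONT, so traffic for it never arrives.
ext_if   = "em0"           # WAN, carries the first static address
int_if   = "em2"           # TESTLAN (172.16.x.x in the thread)
ext_vip  = "203.0.113.11"  # second static IP of the ISP block (placeholder)
sbs_host = "172.16.10.5"   # SBS 2011 server (placeholder)

# Step 2 - 1:1 NAT (Firewall > NAT > 1:1, interface WAN,
# external 203.0.113.11, internal single host 172.16.10.5, destination any).
# binat rewrites both directions for every port: the server's outbound
# traffic leaves from the VIP instead of the first static address, and
# inbound traffic for the VIP is delivered to the server.
binat on $ext_if from $sbs_host to any -> $ext_vip

# Step 3 - the 1:1 entry opens nothing by itself. Inbound traffic still
# needs WAN firewall rules, and because NAT is applied before filtering
# they match on the INTERNAL address. Allow only the services the server
# must expose (here SMTP and HTTPS for the planned Exchange role) and log
# the hits for the SIEM.
pass in log on $ext_if proto tcp from any to $sbs_host port { 25, 443 } \
    flags S/SA keep state

# Checks from the pfSense shell (Diagnostics > Command Prompt):
#   pfctl -s nat                      -> the binat line above must be listed
#   pfctl -s state | grep 203.0.113.11 -> states for the VIP, in both directions
# If the server still appears on the first static address, the binat is
# missing from `pfctl -s nat`, which usually means the entry is bound to
# the wrong interface.
```

            The 1:1 entry maps all ports, which is what cthomas asks about later in the thread; to expose a narrower set of ports from the second address, a port forward entry on WAN per service is the alternative to a 1:1 mapping, and in either case the WAN pass rules decide what is actually reachable.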

              @podilarius:

              What you are looking for is External to Internal NAT. You cannot assign live IP addresses to assets behind the firewall unless you have the help of your ISP. (They have to set up routing on their side.) You have 2 choices: 1:1 NAT or port forward NAT. There are many resources available to see how each works.

              Why wouldn't bridging WAN/LAN be an option?

                podilarius:

                You could, but the setup of a bridge and its maintenance are a little more difficult imo, and there are fewer options going down that road. It is doable though.

                  EScottH:

                  Thanks for all the help.  I ended up using our backup connection as a temporary measure until I deploy the new system.

                    cthomas:

                    EScottH,

                    Are you performing 1:1 NAT for ALL ports?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.