Routed 8 block via PPPoE - how to access the other IPs?
My provider (Aquiss in the UK) has provided me with a lovely FTTC connection that is a routed IP subnet, NOT using NAT. PPPoE is required to bring up the connection.
Assigning the pfSense WAN via PPPoE works fine, automatically providing the first static IP and the corresponding first-hop gateway; the LAN can surf fine behind that. But I want to map some of the other public IPs to internal hosts.
Apparently once the connection is up via PPPoE, another computer could be hung off a switch and be statically assigned another IP address, but it would use the first public IP address as its gateway.
Here's how I would like it to work, so that I can easily monitor and shape traffic for all of the external IP addresses:
DSL Modem ---->>> PPPoE WAN pfSense | pfSense LAN --->>> LAN computers --->>> LAN Servers with 1:1 NAT to public IPs
I've had that setup work before (minus the PPPoE part), but I think there was another router 'routing' all the IPs to me, but in this case my first IP IS the gateway for the other IPs.
Can one pfSense router do all this or do I need two (and even then, how would I do it)? Tech support told me they use Draytek routers that do an unusual kind of NAT and No-NAT at the same time.
The IP setup is:
x.x.x.0 = network
x.x.x.1 = First IP, gateway for other IPs
x.x.x.2-6 = usable IPs
x.x.x.7 = broadcast
That is an interesting setup from your ISP.
It is a routed solution. So, you could put those IPs on a LAN device and it would get routed through the FW. If you want to use them in NAT, then create aliases in the LOCALHOST interface with the ones you are going to pass through NAT. You will need to use manual outbound NAT for port forwards and for the primary outgoing NAT if you are not going to use the WAN assigned one or 1:1 NAT.
Thanks for the reply, Podilarius. Just about the time I received it, I had made some progress.
Once I had given up and tried to put everything back to running on the one IP (the one provided by the PPPoE automatically, the .1) I still could not get things working again! The traffic shaper was blocking all traffic. I'm not sure if this had been a problem earlier in my nearly 24 hours of fiddling, or maybe it just started when I added an OPT interface and shuffled my interface assignments around.
Here is what seems to be working now:
WAN - Gets PPPoE IP / gateway automatically.
OPT - Assigned to the .2 address (probably not required at all)
LAN - as usual
I created Virtual IPs (of type 'IP Alias') for the .3, .4, and .5 addresses.
I created three entries in Firewall -> NAT -> 1:1 each mapping one external address to one LAN address (internal IP, single host).
After that, you still have to make a rule in Firewall on the WAN tab to pass traffic, and here you use the LAN address as the destination for the rule (not the public address).
If you want to ping these you must make a similar rule to do that.
I made a rule to pass ICMP to the .2 address (on the WAN firewall rules page) and that allowed me to ping that also, from other networks.
I feel that I tried this setup much earlier in my efforts and it didn't work, so maybe it was the traffic shaper messing with me or maybe something else! I hope it goes more easily for you if you are in a similar setup.
The setup does seem to make sense, though virtual IPs confuse me a little bit.
First thing, disable or remove any packages or traffic shaping. They are not necessary for the function of the firewall. You will want to get it working before putting on advanced tools.
You would only need OPT if you are going to run a DMZ. Otherwise, assign IP Aliases to the LocalHost interface for the extra IPs.
Then there will be NAT to work on.
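For readers who want to see what the Virtual IP / 1:1 NAT / WAN-rule steps in this thread amount to underneath the pfSense GUI, here is an added, hand-written FreeBSD pf.conf illustration. It is not pfSense's generated ruleset and not code from either poster; the interface names, the 203.0.113.0/29 block, the 192.168.1.x hosts and the open ports are assumed placeholders laid out like the /29 described above.

```pf
# Added illustration of the thread's setup in plain pf terms (not pfSense output).
# Assumed placeholders: public block 203.0.113.0/29 (.1 is the PPPoE address and
# the gateway for .2-.6), LAN 192.168.1.0/24, WAN on pppoe0, LAN on em1.
ext_if  = "pppoe0"          # comes up via PPPoE and receives 203.0.113.1
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# Extra public addresses from the routed block, one per internal server.
# In pfSense these are the Virtual IPs of type "IP Alias" from the thread;
# pf only needs them to exist somewhere on the box (WAN or localhost).
pub_web  = "203.0.113.3"
pub_mail = "203.0.113.4"
pub_vpn  = "203.0.113.5"
int_web  = "192.168.1.13"
int_mail = "192.168.1.14"
int_vpn  = "192.168.1.15"

# Ordinary outbound NAT for the rest of the LAN behind the PPPoE address.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# 1:1 NAT (bidirectional): inbound packets for a public IP are rewritten to the
# internal host, and that host's outbound traffic leaves with its public IP.
binat on $ext_if inet from $int_web  to any -> $pub_web
binat on $ext_if inet from $int_mail to any -> $pub_mail
binat on $ext_if inet from $int_vpn  to any -> $pub_vpn

block in log all                           # default deny on every interface
pass out quick keep state                  # firewall's own and translated outbound traffic
pass in on $lan_if from $lan_net keep state

# Translation runs before filtering, so the WAN pass rules name the INTERNAL
# address as destination (the point made in the thread), and only the ports
# each host actually serves are opened rather than a pass-all rule.
pass in on $ext_if inet proto tcp from any to $int_web  port { 80, 443 } keep state
pass in on $ext_if inet proto tcp from any to $int_mail port { 25, 465 } keep state
pass in on $ext_if inet proto udp from any to $int_vpn  port 1194       keep state

# Ping to the mapped hosts needs its own explicit rule, again on the internal address.
pass in on $ext_if inet proto icmp from any to { $int_web, $int_mail, $int_vpn } icmp-type echoreq keep state

# Syntax-check without loading:  pfctl -nf /etc/pf.conf
```

The `block in log all` line is what pfSense's default WAN policy gives you for free; everything the mapped hosts should answer has to be listed explicitly after it.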