Adding IPs to WAN connection

kongslide

I'm not a networking expert so please bare with me.

I have a static WAN connection from my ISP that goes directly into PFS and looks like this:

WAN (xx.xx..xx.36/30)<->PFS<->LAN

I asked my ISP for a block of IPs, they gave me xx.xx.xx.216/29. I have no clue how to utilize these IPs. I would assume I need to set up VIPs for the individual IPs (xx.xx.xx.217, xx.xx.xx.218…). Really I'm lost, I just want a specific machine in my network to be accessed on one of these new IPs for http (or any other port for that matter).

I know this might be a simple problem but like I said, I'm not great with this stuff, any help would be greatly appreciated.

Thanks!

kongslide

Wow, I'm glad I'm not the only one that is baffled by this :)

GruensFroeschli

http://forum.pfsense.org/index.php?action=search
Keyword: "VIP"

In short:
1: Add VIP's
2: create NAT forwardings
3: create Firewall rules if not autocreated

PinoVero

this solution is not working for me… or at least not complete

i've "solved" adding manually my ips via shell:

ifconfig rl1 inet alias xx.xx.xx.3 netmask 255.255.255.0
ifconfig rl1 inet alias xx.xx.xx.4 netmask 255.255.255.0
ifconfig rl1 inet alias xx.xx.xx.5 netmask 255.255.255.0

etc... to make it fully works correctly

GruensFroeschli

This works, is unsupported, and wont survive a reboot, or a rebuild of the config files.

What exactly do you mean "it does not work for you" ?

dotdash

Guessing, but his issue could be that you can't add CARP IPs from a secondary subnet. I have a rambling post about the same issue. My solution was to use 'other' VIPs.

nian

I'm having much the same issue …

1. Created VIPs as "Other"
2. Created NAT Port Forward on external address to point to my server's internal address
3. Failure!

... as an alternative test, I did this:
1. Created VIPs as "Other"
2. Created NAT Port Forward on external address to point to pfSense internal IP
3. Success!

Which leads me to believe there is an issue with NAT Port Forward ... it should be able to get to my server's internal IP address! I can ping the server internal IP address regularly from my pfSense box. Is there something I need to configure in NAT?

GruensFroeschli

Can you show screenshots of your first attempt?

Are you sure you didnt mix the NAT rules and the firewall rules up?

cybrsrfr

Pino Vero: If you take the commands you are using, save a backup xml file and download it. Edit the file with your commands adding the following into the <system>tag. Restore the new updated backup configuration. Then your commands will remain after reboot.

<shellcmd>ifconfig rl1 inet alias xx.xx.xx.3 netmask 255.255.255.0</shellcmd>
<shellcmd>ifconfig rl1 inet alias xx.xx.xx.4 netmask 255.255.255.0</shellcmd>
<shellcmd>ifconfig rl1 inet alias xx.xx.xx.5 netmask 255.255.255.0</shellcmd></system>

dotdash

@nian:

I'm having much the same issue …

1. Created VIPs as "Other"
2. Created NAT Port Forward on external address to point to my server's internal address
3. Failure!

... as an alternative test, I did this:
1. Created VIPs as "Other"
2. Created NAT Port Forward on external address to point to pfSense internal IP
3. Success!

Which leads me to believe there is an issue with NAT Port Forward ... it should be able to get to my server's internal IP address! I can ping the server internal IP address regularly from my pfSense box. Is there something I need to configure in NAT?

Try adding a static route to the subnet the other VIPs are on pointing to your WAN CARP VIP. Dig up my old post for the details of my setup- I was able to get the VIPs to work on either the primary or secondary node. This may depend on how your provider is routing the block to you.

nian

Ah, what sucks is, my LAN already has a static route: 10.0.0.0/8 10.x.x.x

I'm hosted at Softlayer, if that helps. They gave me a set of portable IPs (/27) where the first is the network address, the second is the gateway address, and the last is the broadcast address. Everything else in-between is usable.

I added a static route from my portable IPs (subnet /27) as follows: 10.y.y.0/27 10.y.y.y.1
I also tried the public route of my portable IPs (subnet /27) as follows: z.z.z.0/27 WAN_IP

…. where .0 is the correct network address to use with the subnet, and .1 is the correct gateway to use. But I think 10/8 catches it all, and it doesn't route properly.

Could this be the issue? I tried add an alias to an IP address from the portable IP block -- no joy.

dotdash

Here is the other thread: http://forum.pfsense.org/index.php/topic,7039.0.html
My static route was-  WAN (secondary subnet/mask) gateway (the WAN CARP address)