NAT - 1:1 - or VIP's or….what?



  • Hi all,

I've had a little look at NAT and 1:1, and at the moment I NAT 700+ internal IPs over 12 circuits, each circuit having 1 public IP.

My questions are: if I buy a block of 1000 public IPs from my ISP, would I then just do 1:1 NAT so each customer receives his own IP?
    At the moment I have one internal subnet using 172.16.0.0/16 (yes, I know it's a large broadcast domain). I may split this into 3 separate subnets, 10.1.0.0/22, 10.1.4.0/22 and 10.1.8.0/22.

How would one go about giving each subnet a block of public IPs? Can I make them sticky like in DHCP?

    Any help much appreciated.



  • Fusionp,

    A 1:1 for each customer would probably be a royal pain in the butt to maintain. I would suggest getting your own PI block and ask your ISP to host the BGP advertisement for the block. They could then route the entire block to you via a single static public on your WAN. The first usable would then be on your LAN. From there you could run DHCP on the LAN handing out your public addresses. It would look something like this…

(BGP at ISP)------------>(ISP ASSIGNED IP)[pfSense](PI BLOCK FIRST USABLE)--------->customers...

    The ISP would route your PI block through your WAN IP. You would need to set pfSense in 'router only mode' from the advanced options.

    If you are set on NATing these, I would create three VLANs or use three physical interfaces, and have your ISP assign you three different blocks to your WAN. You could then use IP alias on your WAN for the various IP addresses.
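For the NAT option above (three inside subnets, each with its own block of public addresses), the table below is an added example, not code from the thread or from pfSense. It plans a 1:1 mapping per subnet, keeps a customer on the same public address for as long as the table exists (the "sticky" behaviour asked about), refuses a new customer once a slice is full instead of reusing an address, and keeps a reverse map so that traffic seen on a public address can be attributed to one inside host. All prefixes are constructed; RFC 5737 documentation space stands in for the purchased public block, and the pf-style `binat` lines it renders use `$wan` as a placeholder for the interface macro.

```python
"""Added example, not code from the thread or from pfSense: planning a 1:1 NAT
table for the three inside /22s proposed in the question, one public slice per
subnet. All prefixes are constructed (RFC 5737 documentation space)."""
from ipaddress import ip_address, ip_network

# Constructed plan: inside subnet -> public slice reserved for it. The slices
# are deliberately smaller than the inside /22s (a block of ~1000 addresses
# cannot cover 3 x 1024 inside addresses), so the planner must refuse a new
# customer once a slice is full rather than hand out an address twice.
SLICES = {
    ip_network("10.1.0.0/22"): ip_network("203.0.113.0/24"),   # constructed
    ip_network("10.1.4.0/22"): ip_network("198.51.100.0/24"),  # constructed
    ip_network("10.1.8.0/22"): ip_network("192.0.2.0/24"),     # constructed
}


class OneToOneNatPlan:
    def __init__(self, slices):
        self.slices = slices
        self.inside_to_public = {}
        self.public_to_inside = {}
        # Free public addresses per inside subnet, lowest first; the slice's
        # network and broadcast addresses are never handed out.
        self._free = {net: list(pub.hosts()) for net, pub in slices.items()}

    def _slice_for(self, inside):
        for net in self.slices:
            if inside in net:
                return net
        raise ValueError(f"{inside} is not in any planned inside subnet")

    def assign(self, inside):
        """Return the public address for an inside host, allocating on first use."""
        inside = ip_address(inside)
        if inside in self.inside_to_public:
            return self.inside_to_public[inside]   # sticky: same answer as before
        net = self._slice_for(inside)
        if not self._free[net]:
            raise RuntimeError(f"public slice {self.slices[net]} for {net} is exhausted")
        public = self._free[net].pop(0)
        self.inside_to_public[inside] = public
        self.public_to_inside[public] = inside
        return public

    def attribute(self, public):
        """Reverse lookup: the inside host behind a public address, or None."""
        return self.public_to_inside.get(ip_address(public))

    def is_bijection(self):
        """A 1:1 table must never map two inside hosts to one public address."""
        return len(self.inside_to_public) == len(self.public_to_inside) and all(
            self.public_to_inside[p] == i for i, p in self.inside_to_public.items()
        )

    def pf_rules(self):
        """Render the table as pf-style binat lines for review; $wan is a
        placeholder for the WAN interface macro."""
        return [f"binat on $wan from {i} to any -> {p}"
                for i, p in sorted(self.inside_to_public.items())]


def demo():
    """Constructed walk-through; returns the facts worth checking."""
    plan = OneToOneNatPlan(SLICES)
    first = plan.assign("10.1.0.10")
    again = plan.assign("10.1.0.10")            # same customer asks again
    other = plan.assign("10.1.4.7")
    owner = plan.attribute("198.51.100.1")      # complaint against this public IP
    unknown = plan.attribute("203.0.113.99")    # nothing mapped here yet
    # Fill the third slice completely (254 usable addresses), then add one more.
    for host in list(ip_network("10.1.8.0/22").hosts())[:254]:
        plan.assign(str(host))
    try:
        plan.assign("10.1.9.1")
        refused = False
    except RuntimeError:
        refused = True
    return {
        "first": str(first),
        "sticky": first == again,
        "other": str(other),
        "owner": str(owner),
        "unknown_is_none": unknown is None,
        "overflow_refused": refused,
        "bijection": plan.is_bijection(),
        "rules": len(plan.pf_rules()),
    }


if __name__ == "__main__":
    print(demo())
```

The useful property for an operator is the reverse map: with a 1:1 table, a log line or abuse report naming a public address points at exactly one customer, which overloaded NAT over a single public IP per circuit cannot give you.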



  • Thanks stsowen683

Currently I use multi-WAN load balancing. Will the BGP option work across many links, and will a client device which is issued a public IP via the ISP work if its connection goes out a different interface every few minutes? In fact, if I use the NAT/Alias option, would this also be affected with multi-WAN?

    Thanks for the suggestions!



  • You're an ISP I presume, you shouldn't be NATing anything. Route public IPs, and have BGP advertisements out all your connections prepended as desired for ingress balancing. Your customers should have public IPs directly assigned to them, no NAT.



Thank you, we are looking to register with RIPE in Europe to lease/buy a block of public IPs. My understanding of BGP is limited at best. I'm trying to understand it. Let's say I receive a /22 block of public IPs, my ISP then implements BGP and I issue out those public IPs to my clients; if I had four interfaces/circuits to the ISP and multi-WAN load balancing, would I divide up the /22 to issue out public IPs equally over the 4 interfaces? I'm battling to see how my balancing would work if it's session based.

Granted my knowledge in this area is lacking, but the simple question I have is: can I have both the balancing operational and the public IPs split over many WAN links?



  • @fusionp:

Thank you, we are looking to register with RIPE in Europe to lease/buy a block of public IPs. My understanding of BGP is limited at best. I'm trying to understand it. Let's say I receive a /22 block of public IPs, my ISP then implements BGP and I issue out those public IPs to my clients; if I had four interfaces/circuits to the ISP and multi-WAN load balancing, would I divide up the /22 to issue out public IPs equally over the 4 interfaces? I'm battling to see how my balancing would work if it's session based.

Granted my knowledge in this area is lacking, but the simple question I have is: can I have both the balancing operational and the public IPs split over many WAN links?

    fusionp,

    That is a bit of a brain teaser. I have used multi-wan on pfSense before, but never in a configuration I wasn't NATing. There are essentially two ways to utilize your PI block. First, you can ask your upstream ISP to advertise your block via BGP for you then route the entire block via a single circuit/IP on your WAN or cut the block up and route it via multiple circuits via WAN1, WAN2, WAN3. You would then assign one IP from each section to corresponding 'inside' interfaces like LAN, OPT1, OPT2. I don't see how you could have these dynamically load balance though.

The second option is the one I would take if it was my network. I would install the package OpenBGP and BGP peer with your upstream carrier(s). In this configuration, you are actually advertising your own block to the rest of the Internet. I'm not sure how this would play using the same carrier on all your WAN links, and depending on what is downstream from you, you might need a LOT of RAM, but you would essentially get the load balancing you want as a side effect of using BGP.

You can set up a simulation with four pfSense boxes. Set up three of them as the 'ISP peers' and one as 'You'. Make up some nonsense IP addressing and set up the OpenBGP peering between them. You will see how the traffic will get distributed across links and how it will provide failover in the event you unplug one of the links. BGP has a lot of knobs and switches, so play with those and see how it affects which links are favored etc. You will need to put a workstation or something 'beyond' the ISP peers that you can send and receive traffic to/from.
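The two effects the simulation above is meant to show (the prepending for ingress balancing mentioned earlier in the thread, and failover when a link is unplugged) can also be seen in a small model of BGP's best-path decision. The code below is an added example, not code from the thread or from OpenBGPD; it models "You" advertising one PI block to two upstream ISPs, plainly on WAN1 and with two self-prepends on WAN2, and asks which route a distant AS peering with both ISPs would install. Every AS number (private range), router-id and prefix is constructed, and MED is compared across neighbour ASes, a simplification of the real rule.

```python
"""Added example, not code from the thread or from OpenBGPD: a small model of
BGP best-path selection showing how AS-path prepending steers inbound traffic
and how the prepended link takes over when the preferred one fails.
Every AS number (private range), router-id and prefix below is constructed."""
from dataclasses import dataclass

YOUR_AS = 65000                      # constructed: owner of the PI block
ISP_A_AS, ISP_B_AS = 65010, 65020    # constructed: upstream on WAN1 / WAN2
PREFIX = "192.0.2.0/22"              # constructed PI block (documentation space)


@dataclass(frozen=True)
class Path:
    prefix: str
    next_hop: str          # which neighbour handed us this path
    as_path: tuple         # leftmost AS is the one we learned it from
    local_pref: int = 100
    origin: int = 0        # 0 IGP, 1 EGP, 2 INCOMPLETE; lower wins
    med: int = 0
    router_id: str = "0.0.0.0"


def announce(prepend_self=0):
    """Your route as sent to a neighbour: your AS once, plus any self-prepends
    (the equivalent of OpenBGPD's 'set prepend-self N' on that peer)."""
    return Path(PREFIX, "you", (YOUR_AS,) * (1 + prepend_self))


def transit(path, via_as, next_hop, router_id):
    """What the ISP's other peers see after it passes your route on:
    the ISP's own AS goes in front of the path it received."""
    return Path(path.prefix, next_hop, (via_as,) + path.as_path,
                path.local_pref, path.origin, path.med, router_id)


def best_path(paths):
    """Decision order: highest local-pref, shortest AS-path, lowest origin,
    lowest MED, lowest router-id. MED is compared across neighbour ASes
    here, which is a simplification of the real rule."""
    if not paths:
        return None
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.origin,
                                      p.med, tuple(map(int, p.router_id.split(".")))))


def remote_view(wan1_up=True, wan2_up=True, prepend_wan2=2):
    """The route a distant AS peering with both ISPs installs for your prefix,
    given which of your WAN links are up; None if the prefix is unreachable."""
    table = []
    if wan1_up:    # WAN1: announced plainly via ISP A
        table.append(transit(announce(), ISP_A_AS, "isp-a", "10.0.0.1"))
    if wan2_up:    # WAN2: announced with self-prepends via ISP B
        table.append(transit(announce(prepend_wan2), ISP_B_AS, "isp-b", "10.0.0.2"))
    return best_path(table)


if __name__ == "__main__":
    for label, kwargs in [("both links up", {}),
                          ("WAN1 unplugged", {"wan1_up": False}),
                          ("no prepending", {"prepend_wan2": 0})]:
        best = remote_view(**kwargs)
        print(f"{label:15s} -> via {best.next_hop}, AS path {best.as_path}")
```

With both links up the distant AS prefers the shorter path via ISP A; pull WAN1 and the same AS converges on the prepended path via ISP B without any change on your side. Without prepending the two paths tie on length and the choice falls to the observer's later tie-breakers, which is exactly the part you cannot control from your router.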



  • Thanks stsowen683, good useful info! I'll look into that.

