Multiple IPs



  • Hi folks.

    I'm a bit confused. I'm going to roll out pfsense on our network in the next couple of days.

    I have 2 DSL connections. My primary one will be using pppoe (by pfsense) and has 8 static IPs.

    My OPT interface will be using a modem router (as pfsense cant do dual pppoe) and it has a dynamic IP.

    I would like my servers to use the primary interface however how to I assign each of my static IPs to a server (Natted).

    eg. xx.xx.xx.21:80 would go to 192.168.0.10 and xx.xx.xx.22:80 would go to 192.168.0.11 for example.

    I want to use the above in conjunction with some load balancing and policy based routing. Also, if for example, 192.168.0.11 would request something from the internet, what IP does the remote server see?

    Cheers in advance.



  • OK i did some forum searching and it seems the general method of assinging ips to internal servers is:

    Setup ProxyARP VIP for respective external IP to internal server
    Setup 1:1 NAT
    Setup port forwarding for the service you require.

    Will the above method make all requests FROM my internal servers appear on the new external IP?

    Also, I want to incorporate this with loadbalancing. I want my servers to ONLY use this parimary DSL connection (which provides the static IP) - do I still need to create the firewall rules to only allow the server to go out via the DSL1 gateway or will the proxyarp'ing take care of that?

    Also, what is the 1:1 NAT in the above suitation actually used for? Cheers



  • Yes the requests from the servers will apear as if they originate from the corresponding VIP.
    This is what the 1:1 NAT does.
    1:1 NAT is bidirectional.

    You dont need to setup port forwards on top of 1:1 NAT.
    –> 1:1 NAT NAT's all ports from a VIP to a Server (ports 0 to 65535).

    Alternatively you could not use 1:1 NAT and just setup normal portforwardings.
    Then you just forward the needed ports.

    After you've set up the NAT (be it 1:1 or normal NAT) you need to create firewall rules that allow traffic from the WAN/VIP to your servers.

    If you use 1:1 NAT , a rule will be automatically created that NAT's traffic from the server to the VIP.
    If you use normal NAT and you want traffic from this server to appear from the VIP you would need to create Advanced outbound NAT rule(s).
    In these rules you can specify manually which IP should be NATed to what.

    Yes you still need to setup the firewall rules for where the traffic will be sent to.
    After all the NAT rules only do NAT to traffic that comes on its way.
    You still need to say somewhere that traffic from this server should only leave via the main WAN/OPT



  • GruensFroeschli, that's some great advice!

    I will be installing pfsense tomorrow so would you mind if I got in touch with you in about 24 hours or so?

    Your advice is very clear so fingers crossed I'll be OK!

    Cheers



  • ok iv got everything working except this:

    In the advanced outbound NAT options, it doesn't give me an option to select an indivudal host..

    I only want a single host on my network to use a certain VIP.

    Cheers



  • Of course it does.
    /32 is a single host  ;)

    Rules are processed from top to down.
    You could make a general rule (something like /24) at the bottom, and client specific rules above the general rule.



  • can you tell im a newbie to subnets??

    Gonna have to find a book or something what the /xx means!!



  • @jonnytabpni:

    can you tell im a newbie to subnets??

    Gonna have to find a book or something what the /xx means!!

    Some info I wrote on the m0n0wall doc site.
    http://doc.m0n0.ch/quickstartpc/intro-CIDR.html

    The coming pfSense book goes into more depth on this, and that part of the book will be freely available. Look for that in the next couple months.



  • @GruensFroeschli:

    Yes you still need to setup the firewall rules for where the traffic will be sent to.
    After all the NAT rules only do NAT to traffic that comes on its way.
    You still need to say somewhere that traffic from this server should only leave via the main WAN/OPT

    well it seems i have around the same problem, however when you say set up the firewall rules it sounds so easy yet i for one have no idea how the firewall rules should look like to acomplish this ive tried several settings but for some reason every time i tell it to use any other interface other than WAN for outbound traffic the outbound traffic stops working, it will only let me use the wan for this purpose even tho i specifically tell it to use OPT1



  • Xionicfire i don't think you should mix your problems as describe in http://forum.pfsense.org/index.php/topic,9891.0.html into this topic. One problem at a time :).


Log in to reply