Netgate Discussion Forum

    Multiple IPs

    Routing and Multi WAN

      jonnytabpni

      Hi folks.

      I'm a bit confused. I'm going to roll out pfsense on our network in the next couple of days.

      I have 2 DSL connections. My primary one will be using pppoe (by pfsense) and has 8 static IPs.

      My OPT interface will be using a modem router (as pfsense can't do dual pppoe) and it has a dynamic IP.

      I would like my servers to use the primary interface; however, how do I assign each of my static IPs to a server (NATed)?

      e.g. xx.xx.xx.21:80 would go to 192.168.0.10 and xx.xx.xx.22:80 would go to 192.168.0.11, for example.

      I want to use the above in conjunction with some load balancing and policy based routing. Also, if for example, 192.168.0.11 would request something from the internet, what IP does the remote server see?

      Cheers in advance.

        jonnytabpni

        OK, I did some forum searching and it seems the general method of assigning IPs to internal servers is:

        Setup ProxyARP VIP for respective external IP to internal server
        Setup 1:1 NAT
        Setup port forwarding for the service you require.

        Will the above method make all requests FROM my internal servers appear on the new external IP?

        Also, I want to incorporate this with load balancing. I want my servers to ONLY use this primary DSL connection (which provides the static IP) - do I still need to create the firewall rules to only allow the server to go out via the DSL1 gateway or will the ProxyARP'ing take care of that?

        Also, what is the 1:1 NAT in the above situation actually used for? Cheers

          GruensFroeschli

          Yes, the requests from the servers will appear as if they originate from the corresponding VIP.
          This is what the 1:1 NAT does.
          1:1 NAT is bidirectional.

          You don't need to set up port forwards on top of 1:1 NAT.
          --> 1:1 NAT NATs all ports from a VIP to a server (ports 0 to 65535).

          Alternatively, you could not use 1:1 NAT and just set up normal port forwards.
          Then you just forward the needed ports.

          After you've set up the NAT (be it 1:1 or normal NAT), you need to create firewall rules that allow traffic from the WAN/VIP to your servers.

          If you use 1:1 NAT, a rule will be automatically created that NATs traffic from the server to the VIP.
          If you use normal NAT and you want traffic from this server to appear from the VIP, you would need to create Advanced Outbound NAT rule(s).
          In these rules you can specify manually which IP should be NATed to what.

          Yes, you still need to set up the firewall rules for where the traffic will be sent to.
          After all, the NAT rules only do NAT to traffic that comes their way.
          You still need to say somewhere that traffic from this server should only leave via the main WAN/OPT.

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            jonnytabpni

            GruensFroeschli, that's some great advice!

            I will be installing pfsense tomorrow so would you mind if I got in touch with you in about 24 hours or so?

            Your advice is very clear so fingers crossed I'll be OK!

            Cheers

              jonnytabpni

              OK, I've got everything working except this:

              In the advanced outbound NAT options, it doesn't give me an option to select an individual host.

              I only want a single host on my network to use a certain VIP.

              Cheers

                GruensFroeschli

                Of course it does.
                /32 is a single host ;)

                Rules are processed from top to bottom.
                You could make a general rule (something like /24) at the bottom, and client-specific rules above the general rule.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
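
The ordering advice in the post above, as an added example that is not part of the original thread: a small Python model of top-to-bottom, first-match outbound NAT evaluation showing which source address a remote server sees, plus a check for rules hidden behind a broader rule above them. The 203.0.113.x addresses are constructed placeholders for the masked xx.xx.xx.NN statics, and the first-match behaviour is modelled on the post's description, not taken from pfSense's code.

```python
import ipaddress

# Constructed addresses: 203.0.113.0/24 is a documentation range standing in
# for the poster's masked xx.xx.xx.NN static IPs (assumption, not from the thread).
WAN_ADDRESS = "203.0.113.20"


def translate(rules, src_ip):
    """Return the address a remote server would see for src_ip.

    rules is an ordered list of (source_network, translated_address);
    the first rule whose network contains src_ip wins.
    """
    addr = ipaddress.ip_address(src_ip)
    for network, translated in rules:
        if addr in ipaddress.ip_network(network):
            return translated
    return None  # no rule matched: no translation is applied


def shadowed_rules(rules):
    """Return indexes of rules that can never match because an earlier
    rule's source network already covers theirs."""
    nets = [ipaddress.ip_network(n) for n, _ in rules]
    return [i for i, net in enumerate(nets)
            if any(net.subnet_of(earlier) for earlier in nets[:i])]


# Host-specific /32 rule above the general /24 rule, as advised in the thread.
GOOD_ORDER = [
    ("192.168.0.11/32", "203.0.113.22"),
    ("192.168.0.0/24", WAN_ADDRESS),
]
# Same rules with the general rule on top: the /32 rule is never reached,
# so the server leaves with the shared WAN address instead of its own VIP.
BAD_ORDER = list(reversed(GOOD_ORDER))

if __name__ == "__main__":
    for name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(name,
              translate(rules, "192.168.0.11"),
              translate(rules, "192.168.0.50"),
              shadowed_rules(rules))
```

Running `shadowed_rules` over an exported rule list is a quick audit for host rules that silently never apply.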

                  jonnytabpni

                  Can you tell I'm a newbie to subnets??

                  Gonna have to find a book or something what the /xx means!!

                    cmb

                    @jonnytabpni:

                    Can you tell I'm a newbie to subnets??

                    Gonna have to find a book or something what the /xx means!!

                    Some info I wrote on the m0n0wall doc site.
                    http://doc.m0n0.ch/quickstartpc/intro-CIDR.html

                    The coming pfSense book goes into more depth on this, and that part of the book will be freely available. Look for that in the next couple months.

                      Xionicfire

                      @GruensFroeschli:

                      Yes, you still need to set up the firewall rules for where the traffic will be sent to.
                      After all, the NAT rules only do NAT to traffic that comes their way.
                      You still need to say somewhere that traffic from this server should only leave via the main WAN/OPT.

                      Well, it seems I have around the same problem. However, when you say set up the firewall rules it sounds so easy, yet I for one have no idea what the firewall rules should look like to accomplish this. I've tried several settings, but for some reason every time I tell it to use any interface other than WAN for outbound traffic, the outbound traffic stops working. It will only let me use the WAN for this purpose even though I specifically tell it to use OPT1.

                        Perry

                        Xionicfire, I don't think you should mix your problems, as described in http://forum.pfsense.org/index.php/topic,9891.0.html, into this topic. One problem at a time :).

                        /Perry
                        doc.pfsense.org

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.