How do they assign a public IP directly to the servers behind pfSense?



  • Hello,

    I am familiar with Virtual IPs and 1:1 NAT in pfSense and have used them before to assign one public IP to one internal machine.

    But I am trying to understand how they assign a public IP address directly to a host which is behind a firewall (like pfSense) without any kind of NATting. Do they do routing of some kind?

    I would like to know how you would do this using pfSense as your main ISP router / firewall. Do you need any support from the ISP?

    Thanks.


  • LAYER 8 Netgate

    Get a small WAN subnet allocated, like a /29 or /30, then another, presumably larger, subnet routed to the WAN address. You would then assign that subnet to a LAN just like you would RFC1918, but you would disable NAT for it. Yes, your ISP needs to route the subnet to you.



  • Hello,

    I have done something similar, as follows:

    My ISP provides me multiple dynamic IP addresses,
    and I use a bridge (I called mine DMZ_bridge) between the WAN interface and a free interface (I called mine DMZ) of my pfSense box.
    The WAN interface uses DHCP as its IPv4 connection type; the DMZ interface uses "none" as its connection type.
    Then I enabled this bridge as an interface with "none" as its connection type.
    Under System -> Advanced -> System Tunables I changed the values of 2 lines:

    net.link.bridge.pfil_bridge  value 1 (default value 0)
    net.link.bridge.pfil_member  value 0 (default value 1)

    Then I added a pass-through rule for the DMZ_Bridge and DMZ interfaces.
    A device connected to this DMZ interface gets a dynamic public IP address.
    The DMZ_Bridge interface gets a dynamic public IP (it does not show up next to the interface on the dashboard),
    and the DMZ interface IP address also does not show up in the list of interfaces on the dashboard.
    In the firewall logs the bridge and DMZ IP addresses show up when there is traffic running and the DMZ interface is used.

    Greetz
    DeLorean



  • @Derelict:

    Get a small WAN subnet allocated, like a /29 or /30, then another, presumably larger, subnet routed to the WAN address. You would then assign that subnet to a LAN just like you would RFC1918, but you would disable NAT for it. Yes, your ISP needs to route the subnet to you.

    I am in a similar situation of assigning public IPs directly to servers located behind pfSense (no 1:1 NAT, as the OP stated).

    I plan to rent a /25 or /24 IP block from the data center. Out of that rented IP block I only want a certain number of IPs to be firewalled by pfSense; the rest of the IPs will be used by other nodes that connect directly to the L3 core switch (bypassing pfSense altogether).

    Is it possible to configure pfSense as in the following illustration so that only selected IPs are protected by pfSense? In this scenario the purpose of the pfSense appliance is only to act as a firewall and protect the servers behind it (again, servers with public IPs assigned to them). No other functionality is required, such as VPN, etc.

    Internet (data center provided uplink connection) -> L3 Core Switch -> pfSense Appliance -> Access Switch -> Servers with multiple public IPs assigned to them


  • LAYER 8 Netgate

    If your provider is routing the /24 to your L3 switch you can subnet it however you like there and route just a part of the /24 to pfSense.

    Then use that subnet on a LAN/OPT interface and be sure NAT is disabled.



  • @Derelict:

    If your provider is routing the /24 to your L3 switch you can subnet it however you like there and route just a part of the /24 to pfSense.

    Then use that subnet on a LAN/OPT interface and be sure NAT is disabled.

    Thanks! What subnet and IP should be assigned to the WAN interface on pfSense?


  • LAYER 8 Netgate

    Either something off a subnet of the /24 or something off a different subnet. It really doesn't matter; you can do what you want. Without more knowledge of what you're trying to do, what your WAN interface scheme is, and what is routed to you, it would just be guessing.
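The routed design from Derelict's replies (a small transit subnet on WAN, a second subnet routed to the WAN address and used on a LAN/OPT interface with outbound NAT disabled; in the data-center case, a slice of the /24 routed from the L3 core switch), worked through as an added example in Python. It is not code from the thread or from pfSense. Every address is an assumption taken from RFC 5737 documentation space, and the `nat`/`pass` lines are pf.conf-style sketches of what pfSense's Automatic versus Hybrid/Manual outbound NAT modes amount to, not pfSense's literal generated ruleset.

```python
"""Worked addressing plan for a public subnet routed to pfSense and used without NAT.

Added example; not code from the thread or from pfSense. All addresses are
assumptions taken from RFC 5737 documentation space:
  192.0.2.0/24    block the data center routes to the L3 core switch
  192.0.2.0/30    transit link: switch side .1, pfSense WAN side .2
  192.0.2.32/27   slice the switch routes to pfSense, used on OPT1
  192.168.1.0/24  an ordinary RFC1918 LAN that still needs outbound NAT
Pass provider_block=None for the ISP-routed case of the first reply, where the
transit subnet and the routed subnet are two separate allocations.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    return any(net.subnet_of(p) for p in RFC1918)


def plan(transit, routed, provider_block=None, lan_private="192.168.1.0/24"):
    """Validate the three subnets and return what each party has to configure."""
    tr, rt, lan = (ipaddress.ip_network(n) for n in (transit, routed, lan_private))
    if provider_block is not None:
        prov = ipaddress.ip_network(provider_block)
        if not (tr.subnet_of(prov) and rt.subnet_of(prov)):
            raise ValueError("transit and routed subnets must be carved from the provider block")
    if tr.overlaps(rt):
        raise ValueError("transit link and routed subnet overlap")
    if is_rfc1918(tr) or is_rfc1918(rt):
        raise ValueError("transit and routed subnets must be public; RFC1918 space would need NAT")
    if not is_rfc1918(lan):
        raise ValueError("lan_private is expected to be RFC1918 space")
    tr_hosts = list(tr.hosts())
    if len(tr_hosts) < 2:
        raise ValueError("transit link needs at least two usable addresses")
    upstream_ip, wan_ip = tr_hosts[:2]            # assumption: upstream takes the first, pfSense the second
    rt_hosts = list(rt.hosts())
    opt1_ip, servers = rt_hosts[0], rt_hosts[1:]  # pfSense holds the first usable; it is the servers' gateway
    return {
        "upstream_route": {"destination": str(rt), "next_hop": str(wan_ip)},  # static route on ISP/L3 switch
        "pfsense": {
            "WAN": f"{wan_ip}/{tr.prefixlen}", "WAN_gateway": str(upstream_ip),
            "OPT1": f"{opt1_ip}/{rt.prefixlen}", "OPT1_gateway": None,  # no gateway: OPT1 is a LAN-type interface
        },
        "servers": [{"address": f"{h}/{rt.prefixlen}", "gateway": str(opt1_ip)} for h in servers],
        "lan": str(lan), "routed": str(rt), "wan_ip": str(wan_ip),
    }


def outbound_nat_rules(p, automatic):
    """pf.conf-style outbound NAT sketch for the two pfSense modes (not pfSense's literal output)."""
    rules = [f"nat on $wan from {p['lan']} to any -> {p['wan_ip']}"]   # the RFC1918 LAN must be translated
    if automatic:
        # Automatic outbound NAT covers every locally attached subnet, the public one included,
        # so the servers would leave as the WAN address and their direct addressing is lost.
        rules.append(f"nat on $wan from {p['routed']} to any -> {p['wan_ip']}")
    # Hybrid/Manual mode: simply no rule for the routed subnet, so it is forwarded untranslated.
    return rules


def wan_pass_rules(p, ports=(80, 443)):
    """Inbound policy for the routed subnet: plain stateful pass rules, no port forwards needed."""
    port_list = " ".join(str(x) for x in ports)
    return [f"pass in quick on $wan proto tcp from any to {p['routed']} port {{ {port_list} }} keep state",
            f"block in quick on $wan to {p['routed']}"]


def nat_sources(rules):
    """Source networks a rule set translates; the routed subnet must be absent from this set."""
    return {r.split(" from ")[1].split(" to ")[0] for r in rules if r.startswith("nat ")}


if __name__ == "__main__":
    p = plan("192.0.2.0/30", "192.0.2.32/27", provider_block="192.0.2.0/24")
    print("L3 switch static route:", p["upstream_route"])
    print("pfSense interfaces:", p["pfsense"])
    print("first server:", p["servers"][0])
    for line in outbound_nat_rules(p, automatic=False) + wan_pass_rules(p):
        print(line)
    assert p["routed"] not in nat_sources(outbound_nat_rules(p, automatic=False))
```

The check at the end is the one that answers the OP's question: in Automatic outbound NAT mode pfSense translates every interface subnet that has no gateway, the public OPT1 subnet included, so the mode has to be Hybrid or Manual with no rule for the routed subnet. OPT1 itself gets no upstream gateway, the servers use pfSense's OPT1 address as theirs, and the only thing the upstream (ISP or L3 switch) needs is the single static route for the routed subnet pointing at pfSense's WAN address.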

