Netgate Discussion Forum

    Same WAN port, multiple IPs?
    NAT | 19 Posts 5 Posters 5.4k Views

    • aaronouthier

      Hello, I have an APU unit with multiple LAN ports. Previously, I was just using the main one with a switch. I'd like to tinker with hosting some personal web sites on a dedicated Server that I have sitting around that somebody gave me. My plan is to connect the Server to the OPT1 port and the rest of my network to the LAN port on my APU.

      This is all trivial for me to do, but I wanted to give some background info on my Setup.

      Anywho, I'm going to switch my Internet service to Static IP with 5 IP addresses: 1 for my main LAN, 1 for direct access to the Server, 1 for my DRAC (just in case), 2 unused at the moment. I still don't know how I'm going to set up the DRAC in the network - I don't need (or WANT) to expose all TCP ports from WAN to it. I'll cross that bridge later.

      What I would like to know how to do is set up my APU running pfSense to directly expose my server on OPT1 to the Internet; I'll set up the software firewall on said server to keep out the baddies. I don't want NAT on this connection, if I can help it. I also want to have my regular LAN on the LAN port as normal, and somehow have my Dell Remote Access Controller (D.R.A.C.) in there, protected and secure on a different WAN IP address. I'm open to ideas and suggestions on this last point.

      I would search the forums for these things, but searches require precise keywords, and I only have vague concepts.

      I'm pretty savvy when it comes to this stuff, but I'm in a bit over my head here.

      • KOM

        I don't want NAT on this connection, if I can help it.

        Why not?

        • aaronouthier

          @KOM:

          I don't want NAT on this connection, if I can help it.

          Why not?

          1. I'm only going to have 1 machine on this interface.

          2. I want to have the server directly exposed to the Internet, no internal LAN ip addresses on this interface.

          3. It's overkill to have 1 system through a NAT firewall and then forward > 15 ports to the one system. I might as well set up a software firewall on the server.

          4. It's my box, and I SAID SO!!  :P  ;)

          • Derelict LAYER 8 Netgate

            Unless you can get a routed subnet, NAT is better than any other option. 1:1 is OK but unnecessary for a web server. Just port forward 80 & 443 and call it good.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • johnpoz LAYER 8 Global Moderator

              If you want your host directly connected to the internet and you do not have a routed network, then either put it in front of pfSense, with a switch between your modem and pfSense, where pfSense gets one IP and the devices you want public are on the switch, or get a switch and another interface for pfSense to be WAN on a different IP that you can bridge to a LAN interface. This would let you firewall traffic.

              "hosting some personal web sites"

              I have a hard time figuring out how you could need >15 ports to a web server??  A simple port forward would be better; you can add your IPs as VIPs on the pfSense WAN, and could do 1:1 if you really had a lot of ports you wanted exposed.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • aaronouthier

                Ok, perhaps I should elaborate a bit more on my goals and intentions, if only for clarity's sake.

                First, though, @johnpoz: Thank you!! I'm not sure why I didn't think of adding a switch in front.

                @All. I am wanting to deploy Odin's plesk panel on my server, in a VirtualBox VM. It will start out as a Web Server for myself and a few friends. If I can do that well, and my friends are impressed enough to want to continue long-term (and pay for the service during that term), then I may branch out to more people and get a bit more serious about it. Right now, I'm just baiting the hook, to see what fish are out there, so to speak.

                As for ports needed, I haven't counted exactly, but a rough estimate puts it at around a dozen ports: web, smtp, imap, pop3, all in regular and ssl, plus ssh, plesk management ports 8443 & 8447. That's just on one VM. The actual, metal server will be hosting Emby server, OwnCloud server, Sickrage, Sabnzbd, Transmission, perhaps 1 or 2 others, not sure yet. I am also getting a feel for Odin Business Automation Standard. I'm not ready to deploy OBAS yet, but I want to get familiar with it, before I need it. That is running in another separate VM. The 3 Machines mentioned should ideally be directly exposed to the 'Net.

                Then, you have the DRAC, which does need to be firewalled separately, i.e., via pfSense. Then, there's the Regular LAN for everything else.

                Besides having the physical and 2 virtual servers all needing ports 80 and 443 available from the outside, there is a matter of needing 2 different DNS servers in order to host DNS publicly. Does that make more sense?

                P.S.: FWIW, I am well acquainted with Plesk Panel already, at least for deploying straight web sites. I maintain the Plesk Panel at work for the Boss' advertising of his repair business. He has no plans to host sites for anyone else, so I'm not competing in any way. I've discussed my intentions with him, and he is fine with it, in case anyone was concerned.

                • johnpoz LAYER 8 Global Moderator

                  "2 different DNS servers in order to host DNS publicly"

                  Off the same network connection - POINTLESS, and defeats the whole purpose of more than 1 DNS server.

                  Your handful of ports can be forwarded in like 30 seconds.. You would rather directly expose everything on the box, and then open up ports on the host's firewall? :rolleyes: Just out of curiosity, what is your internet connection? Your UP pipe is what is going to count if you want people serving up stuff from it.. 100mbps?

                  To just be blunt about it, trying to serve up public services off your home connection, be it business class or not, is not really a good idea.. So what, are you going for denial of service attacks when one of your friends puts up something someone doesn't like? And now, since your DNS is off the same connection, all your connections are down for sure since nobody can look up anything.

                  To be honest, if you want to play with being in the webhosting business, you would be much better off just getting a server in a real DC and letting your friends use that..

                  So you're going to host email off them; do you have the PTRs of your IPs changed? Do you have control of them with your type of connection? Hosting services to the public takes a bit more than just getting a handful of IPs from your ISP ;)

                  Good luck though…

                  • aaronouthier

                    JohnPoz,
                    My Internet connection is Verizon FiOS with an up/down of 50/50. I may increase that when I switch to static IPs.

                    As for "one of [my] friends puts up something someone doesn't like". I said friends, but they all have small businesses. For the moment, it'll just be advertising various small businesses. No blogs, etc.

                    I'm mostly doing this to learn how to do this kind of stuff. I'm ever the curious type.

                    As for going through the router, I have no problem doing this, using the router as a firewall, but I still need to have a public IP for my server and for the 2 VMs. I just don't know how to configure the router to do this, which is my whole reason for starting this thread.

                    Even if this whole experiment ends up a failure in the end, I'll still have valuable experience. I might have a hole in my wallet also, but I'd also have one if I took classes on this stuff. I have so much more fun learning hands-on.

                    • mudmanc4

                      Simplify things for yourself here.

                      Just set up virtual IPs (the static ones you'll get) {IP Alias}, then 1:1 NAT them to the LAN / OPT subnet, leave each internal machine set as DHCP, and assign them static reservations in pfSense via MAC address.

                      This way each port to each MAC/IP reservation can be controlled through the ruleset, so you won't be exposing anything you do not want, including DRAC.

                      If you want to take it a step further, get an account at DNSmadeeasy. Keep the DNS on external networks only here. Even if you have just one TLD, you can use subdomains as well as RFC2136 dynamic DNS through the external DNS.

                      EDIT:
                      Also, turn off DHCP on the ISP router after you've gotten the static IPs set, and let pfSense handle this. The IP block will all be pointing towards the modem, which can be assigned as stated above, as aliases, and use the gateway they provide with the block for all static IPs.

                      • Derelict LAYER 8 Netgate

                        Host your DNS somewhere else. he.net comes to mind.

                        I would rather put a bunch of port forwards/rules in something like pfSense than maintain local "software" firewalls on a bunch of servers. Maybe that's just me.

                        • aaronouthier

                          Thanks, I'll look into this. Fwiw, I didn't get the ISPs router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

                          • mudmanc4

                            @aaronouthier:

                            Thanks, I'll look into this. Fwiw, I didn't get the ISPs router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

                            So you have a fiber connection, even better. (I should have seen this; you clearly pointed out APU.)
                            What is the issue with using 1:1 NAT?

                            • aaronouthier

                              I would also rather use centralized management for the firewall setup, e.g. using pfSense would be ideal. Earlier posts led me to believe that such was not feasible.

                              As for DNS, my domain registrar already provides DNS, including DynDNS. This will work fine at first, during the early stages, when there are not many Domains. It's when there are more domains being added daily, assuming I get that far, that manually matching up everything by hand will become impossible.

                              Good advice, all around. Thanks everyone!

                              • aaronouthier

                                Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

                                • mudmanc4

                                  @aaronouthier:

                                  Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

                                  1:1 allows the segregation of port mapping on one interface to the specified IP. (Not the best explanation)

                                  example:

                                  External IP 172.184.25.2 using port 80
                                  External IP 172.184.25.3 using port 80 and port 443

                                  and so on.

                                  • KOM

                                    From the Definitive pfSense Guide (available to Gold Subscribers)

                                    1:1 (pronounced one to one) NAT maps one public IPv4 address to one private IPv4 address. All traffic from that private IPv4 address to the Internet will be mapped to the public IPv4 address defined in the 1:1 NAT mapping, overriding your Outbound NAT configuration. All traffic initiated on the Internet destined for the specified public IPv4 address will be translated to the private IPv4, then evaluated by your WAN firewall ruleset. If the traffic is permitted by your firewall rules to a target of the private IPv4 address, it will be passed to the internal host.

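The pieces the thread settles on (IP Alias VIPs on the WAN so the box owns all five addresses, 1:1 NAT from each extra public address to one internal host as mudmanc4 and the guide excerpt above describe, a single source-restricted port forward for the DRAC, and WAN rules that decide which ports actually get through) can be written out as plain pf rules. The block below is an added example; it is not from the thread, from pfSense, or from the guide. pfSense generates its own rules from the GUI (Firewall > Virtual IPs, Firewall > NAT, Firewall > Rules), so this is the equivalent of what it produces, not a file to load on a pfSense box. The interface names (igb0/igb1/igb2), the addresses (RFC 5737 documentation ranges) and admin_net are assumptions chosen for illustration.

```pf
# Added example, not from the thread or from pfSense: a raw pf.conf sketch of
# the design the posters converge on. Interface names and all addresses are
# constructed placeholders (RFC 5737 documentation ranges), not a real block.
ext_if  = "igb0"    # WAN (assumed name)
lan_if  = "igb1"    # LAN for everything else (assumed name)
opt1_if = "igb2"    # OPT1, the server segment (assumed name)

# The ISP hands out 5 usable addresses. .1 is the WAN address itself; the
# others are added to the WAN as IP Alias virtual IPs (Firewall > Virtual IPs
# in pfSense). Without the alias the firewall never answers ARP for that
# address, so nothing destined to it ever reaches the ruleset or the log.
wan_ip   = "203.0.113.1"
vip_srv  = "203.0.113.2"   # 1:1 mapped to the physical server
vip_vm   = "203.0.113.3"   # 1:1 mapped to the Plesk VM
vip_drac = "203.0.113.4"   # port-forwarded to the DRAC only

# Internal hosts on OPT1 / LAN, pinned by static DHCP reservation.
srv_int   = "10.10.1.10"
vm_int    = "10.10.1.11"
drac_int  = "192.168.1.50"
admin_net = "{ 198.51.100.0/24 }"   # where remote DRAC access originates (assumed)

# --- Translation (evaluated before the filter rules) ----------------------
# 1:1 NAT: inbound packets to vip_srv get dst srv_int; srv_int's outbound
# traffic leaves as vip_srv instead of the shared WAN address. Two hosts that
# both serve 80/443 each need their own public address, hence one binat each.
binat on $ext_if from $srv_int to any -> $vip_srv
binat on $ext_if from $vm_int  to any -> $vip_vm

# The DRAC gets a plain port forward for one port, from one source network.
rdr on $ext_if proto tcp from $admin_net to $vip_drac port 443 -> $drac_int port 443

# --- Filtering ------------------------------------------------------------
# Default deny on WAN (pfSense does this implicitly).
block in log on $ext_if

# Pass rules name the *translated* (private) destination, because NAT has
# already rewritten the packet by the time the filter runs. A WAN rule
# written "to $vip_srv" would never match inbound traffic.
pass in on $ext_if proto tcp from any to $srv_int port { 80 443 } keep state
pass in on $ext_if proto tcp from any to $vm_int  port { 80 443 } keep state
pass in on $ext_if proto tcp from $admin_net to $drac_int port 443 keep state

# Let the internal segments reach out; the server's outbound connections are
# rewritten to vip_srv / vip_vm by the binat rules above.
pass in on $opt1_if from { $srv_int $vm_int } to any keep state
pass in on $lan_if  from $lan_if:network to any keep state

# Even though 1:1 translates every port to srv_int and vm_int, only 80/443
# get through the WAN ruleset, and the DRAC never sees anything but 443 from
# admin_net. That is the "each port controlled through the ruleset" point.
```

The detail worth taking away is in the pass rules: because translation runs first, a WAN rule must target the private address (pfSense's port forwards create their associated WAN rule that way), and a 1:1 mapping by itself exposes nothing; the ruleset is still the gate. The same ordering explains a "firewall log shows no traffic" symptom for a second address: without the alias, the firewall never claims that address on the wire, so no packets arrive to be logged.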
                                    • aaronouthier

                                      That makes perfect sense! One to one, instead of one to many. Thanks Mr. KOM!

                                      • aaronouthier

                                        Ok. So, I finally made the switch to 5 static IPs. I've set up 1:1 for the 2nd of 5 IP addresses, and configured NAT rules, etc., but the firewall log shows no traffic going to it. I suspect this is because the WAN interface only knows about the 1st address. If this is the case, then how do I tell my pfSense box that it has 5 IPs on the WAN, not just 1?

                                        • aaronouthier

                                          Oops,
                                          I just reread the previous posts. I see now the solution is with Virtual IPs. Implementing that now.

                                          Thanks again for everyone's help!

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.