Same WAN port, multiple IPs?



  • Hello, I have an APU unit with multiple LAN ports. Previously, I was just using the main one with a switch. I'd like to tinker with hosting some personal web sites on a dedicated Server that I have sitting around that somebody gave me. My plan is to connect the Server to the OPT1 port and the rest of my network to the LAN port on my APU.

    This is all trivial for me to do, but I wanted to give some background info on my Setup.

    Anywho, I'm going to switch my Internet service to Static IP with 5 IP addresses. 1 for my main LAN, 1 for direct access to the Server, 1 for my DRAC (just in case). 2 unused at the moment. I still don't know how I'm going to set up the DRAC in the network - I don't need (or WANT) to expose all TCP ports from WAN to it. I'll cross that bridge later.

    What I would like to know how to do is set up my APU running pfSense to directly expose my server on OPT1 to the Internet. I'll set up the software firewall on said server to keep out the baddies. I don't want NAT on this connection, if I can help it. I also want to have my regular LAN on the LAN port as normal, and somehow have my Dell Remote Access Controller (D.R.A.C.) in there somehow, protected and secure on a different WAN IP address. I'm open to ideas and suggestions on this last point.

    I would search the forums for these things, but searches require precise keywords, and I only have vague concepts.

    I'm pretty savvy when it comes to this stuff, but I'm in a bit over my head here.



  • I don't want NAT on this connection, if I can help it.

    Why not?



  • @KOM:

    I don't want NAT on this connection, if I can help it.

    Why not?

    1. I'm only going to have 1 machine on this interface.

    2. I want to have the server directly exposed to the Internet, no internal LAN ip addresses on this interface.

    3. It's overkill to have 1 system through a NAT firewall and then forward > 15 ports to the one system. I might as well set up a software firewall on the server.

    4. It's my box, and I SAID SO!!  :P  ;)


  • Netgate

    Unless you can get a routed subnet, NAT is better than any other option. 1:1 is OK but unnecessary for a web server. Just port forward 80 & 443 and call it good.


  • Rebel Alliance Global Moderator

    If you want your host directly connected to the internet, and you do not have a routed network, then either put it in front of pfsense with a switch between your modem and pfsense, where pfsense gets one IP and the devices you want on public are on the switch. Or get a switch and another interface for pfsense to be WAN on a different IP that you can bridge to a LAN interface. This would let you firewall traffic.

    "hosting some personal web sites"

    I have a hard time figuring out how you could need >15 ports to a web server?? A simple port forward would be better; you can add your IPs to VIPs on the pfsense WAN. And could do 1:1 if you really had a lot of ports you wanted exposed.



  • Ok, perhaps I should elaborate a bit more on my goals and intentions, if only for clarity's sake.

    First, though, @johnpoz: Thank you!! I'm not sure why I didn't think of adding a switch in front.

    @All. I am wanting to deploy Odin's plesk panel on my server, in a VirtualBox VM. It will start out as a Web Server for myself and a few friends. If I can do that well, and my friends are impressed enough to want to continue long-term (and pay for the service during that term), then I may branch out to more people and get a bit more serious about it. Right now, I'm just baiting the hook, to see what fish are out there, so to speak.

    As for ports needed, I haven't counted exactly, but a rough estimate puts it at around a dozen ports: web, smtp, imap, pop3, all in regular and ssl, plus ssh, plesk management ports 8443 & 8447. That's just on one VM. The actual, metal server will be hosting Emby server, OwnCloud server, Sickrage, Sabnzbd, Transmission, perhaps 1 or 2 others, not sure yet. I am also getting a feel for Odin Business Automation Standard. I'm not ready to deploy OBAS yet, but I want to get familiar with it, before I need it. That is running in another separate VM. The 3 Machines mentioned should ideally be directly exposed to the 'Net.

    Then, you have the DRAC, which does need to be firewalled separately, i.e. via pfsense. Then, there's the Regular LAN for everything else.

    Besides having the physical and 2 virtual servers all needing ports 80 and 443 available from the outside, there is a matter of needing 2 different DNS servers in order to host DNS publicly. Does that make more sense?

    P.S.: FWIW, I am well acquainted with Plesk Panel already, at least for deploying straight web sites. I maintain the Plesk Panel at work for the Boss' advertising of his repair business. He has no plans to host sites for anyone else, so I'm not competing in any way. I've discussed my intentions with him, and he is fine with it, in case anyone was concerned.


  • Rebel Alliance Global Moderator

    "2 different DNS servers in order to host DNS publicly"

    off the same network connection - POINTLESS and defeats the whole purpose of more than 1 dns server.

    Your handful of ports can be forwarded in like 30 seconds.. You would rather directly expose everything on the box, and then open up ports on the host's firewall? :rolleyes: Just out of curiosity, what is your internet connection.. Your UP pipe is what is going to count if you want people serving up stuff from it.. 100mbps?

    To just be blunt about it, trying to serve up public services off your home connection, be it business class or not, is not really a good idea.. So are you going for denial of service attacks when one of your friends puts up something someone doesn't like.. And now since your DNS is off the same connection, all your connections are down for sure since nobody can look up anything.

    To be honest, if you want to play with being in the webhosting business, you would be much better off just getting a server in a real DC and letting your friends use that..

    So you are going to host email off them; do you have the PTRs of your IPs changed - do you have control of them with your type of connection? Hosting services to the public takes a bit more than just getting a handful of IPs from your ISP ;)

    Good luck though…



  • JohnPoz,
    My Internet connection is Verizon FiOS with an up/down of 50/50. I may increase that when I switch to static IPs.

    As for "one of [my] friends puts up something someone doesn't like". I said friends, but they all have small businesses. For the moment, it'll just be advertising various small businesses. No blogs, etc.

    I'm mostly doing this to learn how to do this kind of stuff. I'm ever the curious type.

    As for going through the router, I have no problem doing this, using the router as a firewall, but I still need to have a public IP for my server and for the 2 VMs. I just don't know how to configure the router to do this, which is my whole reason for starting this thread.

    Even if this whole experiment ends up a failure in the end, I'll still have valuable experience. I might have a hole in my wallet also, but I'd also have one if I took classes on this stuff. I have so much more fun learning hands-on.



  • Simplify things for yourself here.

    Just set up virtual IPs (the static ones you'll get) {IP Alias}, then 1:1 NAT them to the LAN / OPT subnet, leave each internal machine set as DHCP, and assign them static reservations in PFsense via MAC address.

    This way each port to each MAC/ IP reservation can be controlled through the ruleset. So you won't be exposing anything you do not want. Including DRAC.

    If you want to take it a step further, get an account at DNSmadeeasy. Keep the DNS on external networks only here. Even if you have just one TLD, you can use subdomains as well as RFC2136 dynamic DNS through the external DNS.

    EDIT:
    Also, turn off DHCP on the ISP router after you've gotten the static IP set, and let PFsense handle this. The IP block will all be pointing towards the modem, which can be assigned as stated above, as aliases, and use the gateway they provide with the block for all static IPs.


  • Netgate

    Host your DNS somewhere else. he.net comes to mind.

    I would rather put a bunch of port forwards/rules in something like pfSense than maintain local "software" firewalls on a bunch of servers. Maybe that's just me.



    Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.



  • @aaronouthier:

    Thanks, I'll look into this. FWIW, I didn't get the ISP's router. I have straight Ethernet coming into the house, which is convenient for hooking up my APU box.

    So you have a fiber connection, even better. (I should have seen this; you clearly pointed out APU.)
    What is the issue with using a 1:1 NAT?



    I would also rather use centralized management for the firewall setup, e.g. using pfSense would be ideal. Earlier posts led me to believe that such was not feasible.

    As for DNS, my domain registrar already provides DNS, including DynDNS. This will work fine at first, during the early stages, when there are not many Domains. It's when there are more domains being added daily, assuming I get that far, that manually matching up everything by hand will become impossible.

    Good advice, all around. Thanks everyone!



    Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.



  • @aaronouthier:

    Ok, everyone keeps mentioning 1:1 NAT. My problem with it is, eh, I don't know what that is or how to use it. I'm gonna look that up now in the docs and/or wiki.

    1:1 allows the segregation of port mapping on one interface to the specified IP. (Not the best explanation)

    example:

    External IP 172.184.25.2 using port 80
    External IP 172.184.25.3 using port 80 and port 443

    and so on.



  • From the Definitive pfSense Guide (available to Gold Subscribers)

    1:1 (pronounced one to one) NAT maps one public IPv4 address to one private IPv4 address. All traffic from that private IPv4 address to the Internet will be mapped to the public IPv4 address defined in the 1:1 NAT mapping, overriding your Outbound NAT configuration. All traffic initiated on the Internet destined for the specified public IPv4 address will be translated to the private IPv4, then evaluated by your WAN firewall ruleset. If the traffic is permitted by your firewall rules to a target of the private IPv4 address, it will be passed to the internal host.



  • That makes perfect sense! One to one, instead of one to many. Thanks Mr. KOM!



    Ok. So, I finally made the switch to 5 static IPs. I've set up 1:1 for the 2nd of 5 IP addresses, and configured NAT rules, etc., but the firewall log shows no traffic going to it. I suspect this is because the WAN interface only knows about the 1st address. If this is the case, then how do I tell my pfSense box that it has 5 IPs on the WAN, not just 1?



  • Oops,
    I just reread the previous posts. I see now the solution is with Virtual IPs. Implementing that now.

    Thanks again for everyone's help!
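As an added illustration (not from this thread and not pfSense's own generated ruleset), here is the "Virtual IP + 1:1 NAT + firewall rules" setup the replies recommend, and the answer to the last question about the WAN knowing only one address, written as a FreeBSD pf.conf fragment, since pf is what pfSense drives underneath. The interface names, the 203.0.113.0/29 block, the 192.168.x addresses and the admin address 198.51.100.7 are constructed placeholders.

```pf
# Interfaces (constructed names; substitute the APU's real NICs)
ext_if  = "igb0"   # WAN
lan_if  = "igb1"   # LAN
opt1_if = "igb2"   # OPT1, the segment the server sits on

# Public /29 from the ISP (constructed, RFC 5737 documentation addresses)
wan_ip   = "203.0.113.10"  # primary WAN address
srv_pub  = "203.0.113.11"  # virtual IP (IP Alias) mapped 1:1 to the server
drac_pub = "203.0.113.12"  # virtual IP reserved for the DRAC

# Private addresses handed out as DHCP static reservations by MAC
srv_priv  = "192.168.2.10"   # server on OPT1
drac_priv = "192.168.1.250"  # DRAC on LAN

# The extra addresses must also exist on the WAN interface, or the box
# never answers ARP for them and the log stays empty. In pfSense that is
# the "Virtual IP" (IP Alias) entry; on plain FreeBSD it would be:
#   ifconfig igb0 inet 203.0.113.11 netmask 255.255.255.255 alias

# 1:1 NAT: binat rewrites the whole address in both directions, so the
# server's outbound traffic leaves as $srv_pub, not as the shared $wan_ip
binat on $ext_if from $srv_priv  to any -> $srv_pub
binat on $ext_if from $drac_priv to any -> $drac_pub

# Everything else shares the primary address through ordinary outbound NAT
nat on $ext_if from { $lan_if:network, $opt1_if:network } to any -> $wan_ip

# Filtering runs after translation, so WAN rules name the private
# destination. Default deny inbound on WAN, then open only what is served.
# pf evaluates filter rules last-match-wins unless "quick" is used.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $srv_priv port { 80, 443 } \
    flags S/SA keep state

# SSH only from one constructed admin address, never from the whole Internet
pass in on $ext_if proto tcp from 198.51.100.7 to $srv_priv port 22 \
    flags S/SA keep state

# The DRAC keeps its own public address but gets no pass rule on WAN: a 1:1
# mapping exposes nothing by itself until a rule permits it. It stays
# reachable from the LAN through the general LAN rule below.

# Internal segments out; the exposed server segment may not reach the LAN
pass out on $ext_if all keep state
pass in on $lan_if  from $lan_if:network  to any keep state
pass in on $opt1_if from $opt1_if:network to any keep state
block in log on $opt1_if from $opt1_if:network to $lan_if:network
```

The point the quoted guide makes, that 1:1 translation happens before the WAN ruleset is evaluated, is why the pass rules name the private addresses and why the DRAC stays unreachable from outside until a rule says otherwise.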