Multiple WAN IPs to DMZ and NATing



  • I'll start out by saying I've used pfsense for my home network for a while now and has worked great.  We recently moved to a new office at work and decided to drop Cisco PIX hardware for pfsense.  I was all thrilled and thinking I could get things setup in no time… Until the multiple IP addresses and doing DMZ and such.

    Here's my situation.  We have a public IP block of 207.x.x.160/28 (.161-.174).  First thing I want to have both NAT between a certain public IP to a certain private IP on LAN.  The other thing is a--not sure of correct term--pass through where I could have 207.x.x.164 go to the OPT1 interface to a computer with the ip of 207.x.x.164 with filtering and such.  This was "simple" to setup (for me at least) on the Cisco PIX but can't figure it out on pfsense.  I have tried searching here and the wiki since I know someone has had this issue before.  Either I'm not searching for the right terms or it's staring me in the face and I just don't see it.  If that's all the info you need and can point me in some direction you can probably skip the rest of this post.

    Here is how I have things setup currently.  We have a Cisco 2694 that takes our T1's, multilinks them, and has an ethernet interface with our ip range all ready to go.  Here's the info if it's of any use:

    interface FastEthernet0/0
     ip address 207.x.x.161 255.255.255.240
     duplex auto
     speed auto
     no cdp enable
    

    Right now I have .161 as router, .162 is firewall (and the IP that is NATed for LAN clients), and an asterisk server at .164.  The way that asterisk server is setup right now is I created an OPT1 interface that bridges WAN with gateway empty.  On the asterisk server itself I give it the ip address of .164, netmask 255.255.255.240 and gateway .162 (yes, pfsense's IP).  I had to set an allow rule for the WAN interface where the source ip is .164 to allow all traffic through.  It works, but I'm sure it's not correct.

    Today I needed to setup a NAT so 207.x.x.165:443 (or whatever) points to (for example) 10.1.1.20:443.  I've tried various things to get this to work without any luck.  I see mention of Virtual IPs and this is where I think I'm getting confused at:

    What is a Virtual IP?

    From what I could tell from searching, I would define all my external IPs as virtual IPs.  Do I create them as Proxy ARP, CARP, or Other?  I couldn't find any resources that definitively say what to use in this situation.  I don't need failover, which I think eliminates CARP.  I looked up Proxy ARP and what that does and it looks like what I would need.  But then there's "Other"?

    So I would first delete the hackery I'm doing for the asterisk box on .164 and setup OPT1 without bridging and just a static IP of 207.x.x.163/28.  I would then create virtual IPs from 207.x.x.165 (first IP not currently used by router, pfsense, or an actual machine) through 207.x.x.174 as type Proxy ARP.  Would I then just setup the asterisk box, which is plugged into a switch hooked into OPT1, as 207.x.x.164 with the gateway set to 207.x.x.163 (the IP of the OPT1 interface)?  And then do the standard rules in OPT1 to allow traffic from 207.x.x.164:* to any and on WAN from any to 207.x.x.164 (I don't want to block anything on asterisk).  Then for NAT'ing I would go setup a nat, choose my virtual IP and nat it as usual choosing the proper virtual IP?

    Again I apologize as I know variations on this has been asked, but I can't seem to find any thing that says specifically what to do.  I would just outright try what I suggested in previous paragraph but I'm not at work and don't want to mess with the phone system remotely to find out it no longer works.



  • OK, so I tried it and doesn't work.  I created OPT1 as 207.x.x.163/28, set asterisk box to 207.x.x.164/28 with 207.x.x.163 as gateway.  Created a rule in OPT1 interface to allow all traffic from 207.x.x.164 and created a rule in WAN interface to allow all traffic to 207.x.x.164.  I set logging on and the rule in OPT1 seems to be working fine.  But it appears that nothing is even hitting the WAN port.  I have it set so even the default deny rules will show up in logs and I'm not even seeing those.  It's like it hits the 2691 router and stops there.



  • (sorry for the multiple posts, kinda trying to hurry and fix this)

    So thinking I may still need to set a virtual IP for that computer I went ahead and created it, using proxy arp.  I look in the log and see this:

    kernel: arp: 207.x.x.164 is on bge0 but got reply from 00:14:22:b0:65:31 on fxp1

    bge0 is WAN, fxp1 is OPT1.  Do I need to make the netmask for WAN to /30 (or whatever I can do so 161 and 162 are in the same subnet?



  • OK, since phones couldn't be down any more I changed things back to how they were.  OPT1 bridges WAN with asterisk set to use the firewall as the default gateway so it can be filtered if needed.  I don't know if this will work when I add more servers but I guess I'll be on here again when that comes.

    I was able to NAT a public ip I created as a virtual proxy-arp IP and have it forward to an internal machine correctly.  At least that part I'm sure is correct, it's the pass through part I'm still not sure if I'm doing right.




Log in to reply