Re: [pfSense Support] Routing Multiple Static IPs

2010-10-16 Thread Justin The Cynical
On 10/15/10 8:12 PM, li...@mgreg.com wrote:
 Hi All,
 
 Having a bit of a problem wrapping my head around a particular network setup. 
  Basically the scenario is as follows:
 
 -- 1 ISP (Cable Internet Provider)
 -- 5 Available static IPs
 -- 1 Cable Modem
 -- 1 Generic PC with 2 NICs (running pfSense)
 -- 1 Gigabit Switch with 20+ PCs connected
 
 
 The current physical setup is as follows:
 
 ISP (5 STATIC IPs) -- CABLE MODEM -- pfSense Box (2 NICs) -- 32-port Gb 
 Switch -- 20+ PCs
 
 
 I need to be able to do each of the following:
 
 1)  Connect a router downstream from the pfSense box to use 1 of the 5 
 available IPs -- so as to segregate networks
 2)  Route all traffic from 2 of the 5 available static IPs to a single PC 
 whilst maintaining their internal (10.0.0.x) status.
 
 I'm not really sure what I need to be looking into for this -- VLANs, BGP, 
 General Multihoming, NAT?  Do I need more hardware?  Be as descriptive as you 
 deem necessary.
 
 Currently the entire network is just running off a single static IP address 
 (i.e. a run-of-the-mill cable internet setup with pfSense box as the router)

Comcast business account?  :-)

You will want to look into virtual IP's and NAT or port forwarding,
perhaps VLANs as well for the internal networking to create some sort of
DMZ.  It depends on what you are trying to set up or if you are trying
to preserve an existing configuration.

I'm using a mix of advanced outbound NAT, port forwarding and virtual
IP's, works a treat.

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Routing Multiple Static IPs

2010-10-16 Thread Lyle Giese
li...@mgreg.com wrote:
 Hi All,

 Having a bit of a problem wrapping my head around a particular network setup. 
  Basically the scenario is as follows:

 -- 1 ISP (Cable Internet Provider)
 -- 5 Available static IPs
 -- 1 Cable Modem
 -- 1 Generic PC with 2 NICs (running pfSense)
 -- 1 Gigabit Switch with 20+ PCs connected


 The current physical setup is as follows:

 ISP (5 STATIC IPs) -- CABLE MODEM -- pfSense Box (2 NICs) -- 32-port Gb 
 Switch -- 20+ PCs


 I need to be able to do each of the following:

 1)  Connect a router downstream from the pfSense box to use 1 of the 5 
 available IPs -- so as to segregate networks
 2)  Route all traffic from 2 of the 5 available static IPs to a single PC 
 whilst maintaining their internal (10.0.0.x) status.

 I'm not really sure what I need to be looking into for this -- VLANs, BGP, 
 General Multihoming, NAT?  Do I need more hardware?  Be as descriptive as you 
 deem necessary.

 Currently the entire network is just running off a single static IP address 
 (i.e. a run-of-the-mill cable internet setup with pfSense box as the router)



 Best,

 Michael

   
Not sure what you are going to use the second box for or why, but I
would consider putting a switch between the cable modem and pfsense and
just use one of the static ip addresses directly and not put that traffic
through the existing pfsense box.

We do that for one of our larger clients and provide views in dns so
that the internal pc's get different ip address for mail or the company
website so that traffic never hits the routable ip addresses. The
webserver and mail servers are dual homed with external and internal ip
addresses.

Lyle






RE: [pfSense Support] Routing Multiple Static IPs

2010-10-16 Thread Adam Van Ornum


 From: li...@mgreg.com
 Date: Sat, 16 Oct 2010 20:47:51 -0400
 To: support@pfsense.com
 Subject: Re: [pfSense Support] Routing Multiple Static IPs
 
 
 On Oct 16, 2010, at 9:16 AM, Lyle Giese wrote:
 
  li...@mgreg.com wrote:
  Hi All,
  
  Having a bit of a problem wrapping my head around a particular network 
  setup.  Basically the scenario is as follows:
  
  -- 1 ISP (Cable Internet Provider)
  -- 5 Available static IPs
  -- 1 Cable Modem
  -- 1 Generic PC with 2 NICs (running pfSense)
  -- 1 Gigabit Switch with 20+ PCs connected
  
  
  The current physical setup is as follows:
  
  ISP (5 STATIC IPs) -- CABLE MODEM -- pfSense Box (2 NICs) -- 32-port Gb 
  Switch -- 20+ PCs
  
  
  I need to be able to do each of the following:
  
  1)  Connect a router downstream from the pfSense box to use 1 of the 5 
  available IPs -- so as to segregate networks
  2)  Route all traffic from 2 of the 5 available static IPs to a single PC 
  whilst maintaining their internal (10.0.0.x) status.
  
  I'm not really sure what I need to be looking into for this -- VLANs, BGP, 
  General Multihoming, NAT?  Do I need more hardware?  Be as descriptive as 
  you deem necessary.
  
  Currently the entire network is just running off a single static IP 
  address (i.e. a run-of-the-mill cable internet setup with pfSense box as 
  the router)
  
  
  
  Best,
  
  Michael
  
  
  Not sure what you are going to use the second box for or why, but I
  would consider putting a switch between the cable modem and pfsense and
  just use one of the static ip addresses directly and not put that traffic
  through the existing pfsense box.
  
  We do that for one of our larger clients and provide views in dns so
  that the internal pc's get different ip address for mail or the company
  website so that traffic never hits the routable ip addresses. The
  webserver and mail servers are dual homed with external and internal ip
  addresses.
  
  Lyle
 
 
 Thanks Lyle,
 
 Basically we want a central point to monitor all incoming/outgoing traffic 
 regardless of the network.  We just figure since we already have the pfSense 
 box in place we'll passthrough for whatever else we need.  Also, we want all 
 but one of the boxes that get a STATIC IP to still be accessible internally.
 
 For instance, our ISP gives us a pool of addresses from 85.100.100.46 - 50 
 (not real, but play along).   The main pfSense box will have 85.100.100.46 
 and will also control all traffic.  Then we'll have one box that actually 
 *is* 85.100.100.47 that isn't visible on the local network, then another box 
 to which we simply pass all traffic that would otherwise route to  
 85.100.100.48 - 50, but is still accessible via 10.0.0.x on the local network.
 
 Obviously port forwarding is preferable in many cases, but in this particular 
 case there are several services running on these machines that would require 
 a great deal of port forwarding.  So, instead of doing that, we simply allow 
 them to have their own external IP.
 
 If there is no good way to do this (even via VLANs) from pfSense then I'll 
 request an additional switch.  But I don't want to suggest the spending of 
 more money unless 100% necessary.
 
 Thanks again for any help.
 
 Best,
 
 Michael


I think what you're looking for is a combination of Virtual IPs and possibly 
1:1 NAT.  I haven't actually tried that setup myself so someone with more 
experience might need to correct me, but you should be able to set up the public 
IPs as Virtual IPs on the WAN interface and then set up 1:1 NAT to then map the 
external IP to an internal IP.  My understanding of 1:1 NAT at least is that it 
is pretty much what you are looking for...it causes all traffic to an IP to be 
forwarded to the appropriate internal IP.  I'm pretty sure you still have to 
add rules to open up the firewall for those IPs too, so (if necessary, since 
it's not optimal from a security standpoint) you could just add a rule to pass 
any traffic with a destination set to the external Virtual IP.
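
The Virtual IP plus 1:1 NAT arrangement discussed in this thread, written as pf.conf rules (pf is the packet filter pfSense is built on) with the thread's made-up 85.100.100.46 - 50 pool. This is an added example, not from any poster and not pfSense's generated ruleset; the interface names, the internal 10.0.0.x addresses and the ports are assumptions. pf applies translation before filtering, so the pass rules name the internal address.

```conf
# Constructed example. Interface names, 10.0.0.x hosts and ports are assumptions.
ext_if = "em0"    # WAN: 85.100.100.46, plus the extra public addresses
int_if = "em1"    # LAN: 10.0.0.0/24

# The WAN side must answer for .48-.50 (the job of Virtual IPs in pfSense).

# 1:1 NAT: one binat per public address. Each public address needs its own
# internal address, so the single PC is assumed to carry three LAN aliases.
binat on $ext_if from 10.0.0.48 to any -> 85.100.100.48
binat on $ext_if from 10.0.0.49 to any -> 85.100.100.49
binat on $ext_if from 10.0.0.50 to any -> 85.100.100.50

# Every other LAN host leaves through the firewall's own address.
nat on $ext_if from 10.0.0.0/24 to any -> 85.100.100.46

# Filter rules: last matching rule wins, so start from a logged default deny.
block in log on $ext_if all

# Broad form: passes every protocol and port to the mapped host.
# pass in on $ext_if from any to 10.0.0.48 keep state

# Narrower form: only the services actually offered on each address.
pass in on $ext_if inet proto tcp from any to 10.0.0.48 port { 25, 443 } keep state
pass in on $ext_if inet proto tcp from any to 10.0.0.49 port 22 keep state
```

With the default deny in place, 85.100.100.50 is translated but unreachable from outside until a pass rule for 10.0.0.50 is added, and blocked attempts show up in the pf log.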