How to configure pfSense with multiple WAN IP addresses for 1:1 NAT?

Posted on 2014-09-22
Last Modified: 2014-10-01
Hi all,

First time poster here.  

I have an OVH dedicated server with a /28 failover IP block. Ideally I'd like to use a single software firewall to protect all of the VMs running within the virtualization hypervisor running Proxmox 3.2, but I'm unsure as to the networking technicalities in order to make this work. I feel this may be more of a pfSense thing than an OVH/Proxmox thing.

OVH:
At OVH I have the IPs configured as follows (note all of the MAC addresses are the same):
pfSense:
How would I assign multiple routable public IP addresses to the WAN interface of a pfSense firewall so that it can route packets to the correct IP of the VM?

Something like this, where 167.x.x.x is a routable public IP address:

pfSense VM                        VM IP                         Service
=========================================================================
167.x.x.1          ->          192.168.1.1/24        ->        firewall
167.x.x.2          ->          192.168.2.1/24        ->        cloud
167.x.x.3          ->          192.168.3.1/24        ->        connect

So, for instance, say somebody tries to connect to the web service listening on cloud.company.net.  

1. They input cloud.company.net into their browser

2. The DNS A record for cloud.company.net is resolved and directs the user to 167.x.x.2

3. The pfSense firewall sees an incoming request on 167.x.x.2 via port 80 or 443 and directs the connection to 192.168.2.1 (the IP of the VM with the cloud service).

4. The pfSense firewall sends the response back to the user from the correct IP, in this case 167.x.x.2.


I understand how to set up a single publicly routable IP address on a pfSense firewall VM and have it redirect traffic to internal VMs, but this question is explicitly about having the pfSense VM configured with multiple publicly routable IP addresses.

Let me know if you need any clarification; I'm not sure if I did a stellar job in explaining this.
Question by:Jon Copeland
2 Comments
Accepted Solution

by:
DigitalCrisis earned 500 total points
ID: 40353856
1.) You would set up your VLANs for the LAN side. You do not want to have an IP address assigned to the actual LAN card, but just strictly the VLANs.

VLAN10 - 192.168.1.1
VLAN20 - 192.168.2.1
VLAN30 - 192.168.3.1

2.) Create Firewall rules under the Rules sections of the Firewall tab, allowing any to any under each VLAN10-30 or to whatever security settings you need. (Hint: Using Status - System Logs - Firewall is your best friend for diagnosing firewall issues)

3.) Keep your public IP address for your WAN side of the firewall, 167.x.x.1 but add 167.x.x.2 and 167.x.x.3 to the virtual IPs (IP Alias)

4.) Create a 1:1 NAT under the Firewall/NAT tab, and enter the external IP address, then the destination will be the internal IP address.

5.) Make sure to create Firewall rules to allow your inbound traffic, (Set Destination 167.x.x.2 allowing HTTP on firewall for destination IP)

I also found this video, which explains it pretty well:

https://www.youtube.com/watch?v=zrBr0N0WrTY

Author Comment

by:Jon Copeland
ID: 40355066
I'm updating this thread as I was able to resolve the problem after futzing around with documentation and lots of Googling, so this might be useful for anybody doing something similar in the future. +1 for that video link DigitalCrisis, I used it as a starting point when I found it previously.

Here's what I did:

OVH:
Generated a new OVH virtual MAC address in the OVH Manager and assigned the same virtual MAC to all of the public IPs.

pfSense:
Interfaces - WAN: Assigned virtual MAC above.
Interfaces - WAN: Configured IPv4 address with public IP.
Firewall - Virtual IPs: Added entries for all of the public IPs:
  Type: IP Alias
  Interface: WAN
  IP Address: 167.x.x.x/32
Firewall - Virtual IPs: Added entries for all of the local LAN IPs:
  Type: IP Alias
  Interface: LAN
  IP Address: 192.168.x.x/24
Firewall - NAT 1:1: Added entries for all of the 1:1 NAT mappings (each public IP points to a different internal IP):
  Interface: WAN
  External subnet IP: 167.x.x.x
  Internal IP: Type Single Host
  Address: 192.168.x.x
Firewall - Rules: Added general rules for the services listening on the VMs with the local LAN IPs, eg:
  Interface: WAN
  TCP/IP: IPv4
  Protocol: TCP
  Type: Single host or alias
  Destination: 192.168.x.x
  Destination port range: From HTTP to HTTP
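As an added example (not from either poster and not pfSense's own code), the following script sanity-checks a public-to-VM mapping like the one in the accepted solution and the author's follow-up, then prints the pf(4)-style equivalents of the three pfSense screens involved: an IP alias per public address, a binat per VM, and WAN pass rules whose destination is the internal VM address, since pfSense applies 1:1 NAT before filtering. The 167.0.0.0/28 block, the WAN interface name em0 and the port lists are constructed sample values standing in for the thread's 167.x.x.x placeholders.

```python
"""Plan and sanity-check a pfSense 1:1 NAT layout (added example, not pfSense
code). Verifies the public->VM mapping and emits the pf-style rules that the
pfSense screens in the thread (Virtual IPs, NAT 1:1, Rules) correspond to."""
import ipaddress

# Constructed sample plan mirroring the question's table (167.x.x.x in the thread).
FAILOVER_BLOCK = ipaddress.ip_network("167.0.0.0/28")
WAN_ADDRESS = ipaddress.ip_address("167.0.0.1")   # the firewall's own WAN IP
MAPPINGS = {                                       # public IP -> (VM IP, allowed TCP ports)
    "167.0.0.2": ("192.168.2.1", (80, 443)),       # cloud
    "167.0.0.3": ("192.168.3.1", (443,)),          # connect
}

def validate_plan(block, wan_ip, mappings):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    seen_internal = set()
    for pub, (internal, ports) in mappings.items():
        pub_ip, int_ip = ipaddress.ip_address(pub), ipaddress.ip_address(internal)
        if pub_ip not in block:
            problems.append(f"{pub} is outside the failover block {block}")
        if pub_ip == wan_ip:
            problems.append(f"{pub} is the WAN address itself; it cannot also be 1:1 mapped")
        if not int_ip.is_private:
            problems.append(f"{internal} is not an RFC 1918 address")
        if internal in seen_internal:
            problems.append(f"{internal} is mapped from more than one public IP")
        seen_internal.add(internal)
        if not ports:
            problems.append(f"{pub} has no allowed ports; traffic would be NATed then dropped")
    return problems

def render_rules(wan_if, mappings):
    """Emit pf-style lines for the three pfSense screens used in the thread."""
    lines = []
    for pub, (internal, ports) in mappings.items():
        lines.append(f"# Firewall > Virtual IPs: IP Alias {pub}/32 on {wan_if}")
        # Firewall > NAT > 1:1: bidirectional translation between public and VM IP.
        lines.append(f"binat on {wan_if} from {internal} to any -> {pub}")
        for port in ports:
            # Firewall > Rules > WAN: destination is the VM IP, not the public alias,
            # because 1:1 NAT has already rewritten the packet when rules are matched.
            lines.append(f"pass in on {wan_if} proto tcp from any to {internal} port {port}")
    return lines

if __name__ == "__main__":
    issues = validate_plan(FAILOVER_BLOCK, WAN_ADDRESS, MAPPINGS)
    print("\n".join(issues) if issues else "\n".join(render_rules("em0", MAPPINGS)))
```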
