Solved

How to configure pfSense with multiple WAN IP addresses for 1:1 NAT?

Posted on 2014-09-22
2
8,702 Views
Last Modified: 2014-10-01
Hi all,

First time poster here.  

I have an OVH dedicated server with a /28 failover IP block. Ideally I'd like to use a single software firewall to protect all of the VM's running within the virtualization hypervisor running Proxmox 3.2 but I'm unsure as to the networking technicalities in order to make this work.  I feel this may be more of a pfSense thing than an OVH/Proxmox thing.

OVH:
At OVH I have the IP's configured as follows (note all of the MAC addresses are the same):
ovh_config
pfSense:
How would I assign multiple routable public IP addresses to the WAN interface of a pfSense firewall so that it can route packets to the correct IP of the VM?

Something like this, where 167.x.x.x is a routable public IP address:

pfSense VM                        VM IP                         Service
=========================================================================
167.x.x.1          ->          192.168.1.1/24        ->        firewall
167.x.x.2          ->          192.168.2.1/24        ->        cloud
167.x.x.3          ->          192.168.3.1/24        ->        connect

Open in new window


So, for instance, say somebody tries to connect to the web service listening on cloud.company.net.  

1. They input cloud.company.net into their browser

2. The DNS A record for [i]cloud.company.net[/i] is resolved and directs the user to 167.x.x.2

3. The pfSense firewall sees an incoming request on 167.x.x.2 via port 80 or 443 and directs the connection to 192.168.2.1 [i](the IP of the VM with the cloud service)[/i].

4. The pfSense firewall sends the response back to the user [b]from[/b] the correct IP, in this case 167.x.x.2.


I understand how to setup a single publicly routable IP address on a pfSense firewall VM and have it redirect traffic to internal VM's but this question is explicitly about having the pfSense VM configured with multiple publicly routable IP addresses.

Let me know if you need any clarification, I'm not sure if I did a stellar job in explaining this.
0
Comment
Question by:Jon Copeland
2 Comments
 
LVL 1

Accepted Solution

by:
DigitalCrisis earned 500 total points
ID: 40353856
1.) You would set up your VLANs for the LAN side. You do not want to have an IP addressed assigned to the actual LAN card, but just strictly the VLANs.

VLAN10 - 192.168.1.1
VLAN20 - 192.168.2.1
VLAN30 - 192.168.3.1

2.) Create Firewall rules under the Rules sections of the Firewall tab, allowing any to any under each VLAN10-30 or to whatever security settings you need. (Hint: Using Status - System Logs - Firewall is your best friend for diagnosing firewall issues)

3.) Keep your public IP address for your WAN side of the firewall, 167.x.x.1 but add 167.x.x.2 and 167.x.x.3 to the virtual IPs (IP Alias)

4.)  Create a 1:1 NAT under the FIrewall/NAT tab, and enter the external IP address, then the destination will be the internal IP address.

5.) Make sure to create Firewall rules to allow your inbound traffic, (Set Destination 167.x.x.2 allowing HTTP on firewall for destination IP)

I also found this video to pretty well explain it as well:

https://www.youtube.com/watch?v=zrBr0N0WrTY
0
 

Author Comment

by:Jon Copeland
ID: 40355066
I'm updating this thread as I was able to resolve the problem after futzing around with documentation and lots of Googling so this might be useful for anybody doing something similar in the future.  +1 for that video link DigitalCrisis, I used it as a starting point when I found previously.

Here's what I did:

OVH:
Generated a new OVH virtual MAC address in the OVH Manager and assigned the same virtual MAC to all of the public IP's.

pfSense:
Interfaces - WAN: Assigned virtual MAC above.
Interfaces - WAN: Configured IPv4 address with public IP.
Firewall - Virtual IP's: Added entries for all of the public IP's:
Type: IP Alias
Interface: WAN
IP Address: 167.x.x.x/32
Firewall - Virtual IP's: Added entries for all of the local LAN IP's:
Type: IP Alias
Interface: LAN
IP Address: 192.168.x.x/24
Firewall - NAT 1:1: Added entries for all of the 1:1 NAT mappings (each public IP points to a different internal IP):
Interface: WAN
External subnet IP: 167.x.x.x
Internal IP: Type Single Host
Address: 192.168.x.x
Firewall - Rules: Added general rules for the services listening on the VM's with the local LAN IP's, eg:
Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Type: Single host or alias
Destination: 192.168.x.x
Destination port range: From HTTP to HTTP
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Create your own, high-performance VM backup appliance by installing NAKIVO Backup & Replication directly onto a Synology NAS!
Is your company's data protection keeping pace with virtualization? Here are 7 dynamic ways to adapt to rapid breakthroughs in technology.
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now