Solved

How to configure pfSense with multiple WAN IP addresses for 1:1 NAT?

Posted on 2014-09-22
2
8,905 Views
Last Modified: 2014-10-01
Hi all,

First time poster here.  

I have an OVH dedicated server with a /28 failover IP block. Ideally I'd like to use a single software firewall to protect all of the VM's running within the virtualization hypervisor running Proxmox 3.2 but I'm unsure as to the networking technicalities in order to make this work.  I feel this may be more of a pfSense thing than an OVH/Proxmox thing.

OVH:
At OVH I have the IP's configured as follows (note all of the MAC addresses are the same):
ovh_config
pfSense:
How would I assign multiple routable public IP addresses to the WAN interface of a pfSense firewall so that it can route packets to the correct IP of the VM?

Something like this, where 167.x.x.x is a routable public IP address:

pfSense VM                        VM IP                         Service
=========================================================================
167.x.x.1          ->          192.168.1.1/24        ->        firewall
167.x.x.2          ->          192.168.2.1/24        ->        cloud
167.x.x.3          ->          192.168.3.1/24        ->        connect

Open in new window


So, for instance, say somebody tries to connect to the web service listening on cloud.company.net.  

1. They input cloud.company.net into their browser

2. The DNS A record for [i]cloud.company.net[/i] is resolved and directs the user to 167.x.x.2

3. The pfSense firewall sees an incoming request on 167.x.x.2 via port 80 or 443 and directs the connection to 192.168.2.1 [i](the IP of the VM with the cloud service)[/i].

4. The pfSense firewall sends the response back to the user [b]from[/b] the correct IP, in this case 167.x.x.2.


I understand how to setup a single publicly routable IP address on a pfSense firewall VM and have it redirect traffic to internal VM's but this question is explicitly about having the pfSense VM configured with multiple publicly routable IP addresses.

Let me know if you need any clarification, I'm not sure if I did a stellar job in explaining this.
0
Comment
Question by:Jon Copeland
2 Comments
 
LVL 1

Accepted Solution

by:
DigitalCrisis earned 500 total points
ID: 40353856
1.) You would set up your VLANs for the LAN side. You do not want to have an IP addressed assigned to the actual LAN card, but just strictly the VLANs.

VLAN10 - 192.168.1.1
VLAN20 - 192.168.2.1
VLAN30 - 192.168.3.1

2.) Create Firewall rules under the Rules sections of the Firewall tab, allowing any to any under each VLAN10-30 or to whatever security settings you need. (Hint: Using Status - System Logs - Firewall is your best friend for diagnosing firewall issues)

3.) Keep your public IP address for your WAN side of the firewall, 167.x.x.1 but add 167.x.x.2 and 167.x.x.3 to the virtual IPs (IP Alias)

4.)  Create a 1:1 NAT under the FIrewall/NAT tab, and enter the external IP address, then the destination will be the internal IP address.

5.) Make sure to create Firewall rules to allow your inbound traffic, (Set Destination 167.x.x.2 allowing HTTP on firewall for destination IP)

I also found this video to pretty well explain it as well:

https://www.youtube.com/watch?v=zrBr0N0WrTY
0
 

Author Comment

by:Jon Copeland
ID: 40355066
I'm updating this thread as I was able to resolve the problem after futzing around with documentation and lots of Googling so this might be useful for anybody doing something similar in the future.  +1 for that video link DigitalCrisis, I used it as a starting point when I found previously.

Here's what I did:

OVH:
Generated a new OVH virtual MAC address in the OVH Manager and assigned the same virtual MAC to all of the public IP's.

pfSense:
Interfaces - WAN: Assigned virtual MAC above.
Interfaces - WAN: Configured IPv4 address with public IP.
Firewall - Virtual IP's: Added entries for all of the public IP's:
Type: IP Alias
Interface: WAN
IP Address: 167.x.x.x/32
Firewall - Virtual IP's: Added entries for all of the local LAN IP's:
Type: IP Alias
Interface: LAN
IP Address: 192.168.x.x/24
Firewall - NAT 1:1: Added entries for all of the 1:1 NAT mappings (each public IP points to a different internal IP):
Interface: WAN
External subnet IP: 167.x.x.x
Internal IP: Type Single Host
Address: 192.168.x.x
Firewall - Rules: Added general rules for the services listening on the VM's with the local LAN IP's, eg:
Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Type: Single host or alias
Destination: 192.168.x.x
Destination port range: From HTTP to HTTP
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Veeam Backup & Replication has added a new integration – Veeam Backup for Microsoft Office 365.  In this blog, we will discuss how you can benefit from Office 365 email backup with the Veeam’s new product and try to shed some light on the needs and …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now