Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to configure pfSense with multiple WAN IP addresses for 1:1 NAT?

Posted on 2014-09-22
2
Medium Priority
?
10,876 Views
Last Modified: 2014-10-01
Hi all,

First time poster here.  

I have an OVH dedicated server with a /28 failover IP block. Ideally I'd like to use a single software firewall to protect all of the VM's running within the virtualization hypervisor running Proxmox 3.2 but I'm unsure as to the networking technicalities in order to make this work.  I feel this may be more of a pfSense thing than an OVH/Proxmox thing.

OVH:
At OVH I have the IP's configured as follows (note all of the MAC addresses are the same):
ovh_config
pfSense:
How would I assign multiple routable public IP addresses to the WAN interface of a pfSense firewall so that it can route packets to the correct IP of the VM?

Something like this, where 167.x.x.x is a routable public IP address:

pfSense VM                        VM IP                         Service
=========================================================================
167.x.x.1          ->          192.168.1.1/24        ->        firewall
167.x.x.2          ->          192.168.2.1/24        ->        cloud
167.x.x.3          ->          192.168.3.1/24        ->        connect

Open in new window


So, for instance, say somebody tries to connect to the web service listening on cloud.company.net.  

1. They input cloud.company.net into their browser

2. The DNS A record for [i]cloud.company.net[/i] is resolved and directs the user to 167.x.x.2

3. The pfSense firewall sees an incoming request on 167.x.x.2 via port 80 or 443 and directs the connection to 192.168.2.1 [i](the IP of the VM with the cloud service)[/i].

4. The pfSense firewall sends the response back to the user [b]from[/b] the correct IP, in this case 167.x.x.2.


I understand how to setup a single publicly routable IP address on a pfSense firewall VM and have it redirect traffic to internal VM's but this question is explicitly about having the pfSense VM configured with multiple publicly routable IP addresses.

Let me know if you need any clarification, I'm not sure if I did a stellar job in explaining this.
0
Comment
Question by:Jon Copeland
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
DigitalCrisis earned 2000 total points
ID: 40353856
1.) You would set up your VLANs for the LAN side. You do not want to have an IP addressed assigned to the actual LAN card, but just strictly the VLANs.

VLAN10 - 192.168.1.1
VLAN20 - 192.168.2.1
VLAN30 - 192.168.3.1

2.) Create Firewall rules under the Rules sections of the Firewall tab, allowing any to any under each VLAN10-30 or to whatever security settings you need. (Hint: Using Status - System Logs - Firewall is your best friend for diagnosing firewall issues)

3.) Keep your public IP address for your WAN side of the firewall, 167.x.x.1 but add 167.x.x.2 and 167.x.x.3 to the virtual IPs (IP Alias)

4.)  Create a 1:1 NAT under the FIrewall/NAT tab, and enter the external IP address, then the destination will be the internal IP address.

5.) Make sure to create Firewall rules to allow your inbound traffic, (Set Destination 167.x.x.2 allowing HTTP on firewall for destination IP)

I also found this video to pretty well explain it as well:

https://www.youtube.com/watch?v=zrBr0N0WrTY
0
 

Author Comment

by:Jon Copeland
ID: 40355066
I'm updating this thread as I was able to resolve the problem after futzing around with documentation and lots of Googling so this might be useful for anybody doing something similar in the future.  +1 for that video link DigitalCrisis, I used it as a starting point when I found previously.

Here's what I did:

OVH:
Generated a new OVH virtual MAC address in the OVH Manager and assigned the same virtual MAC to all of the public IP's.

pfSense:
Interfaces - WAN: Assigned virtual MAC above.
Interfaces - WAN: Configured IPv4 address with public IP.
Firewall - Virtual IP's: Added entries for all of the public IP's:
Type: IP Alias
Interface: WAN
IP Address: 167.x.x.x/32
Firewall - Virtual IP's: Added entries for all of the local LAN IP's:
Type: IP Alias
Interface: LAN
IP Address: 192.168.x.x/24
Firewall - NAT 1:1: Added entries for all of the 1:1 NAT mappings (each public IP points to a different internal IP):
Interface: WAN
External subnet IP: 167.x.x.x
Internal IP: Type Single Host
Address: 192.168.x.x
Firewall - Rules: Added general rules for the services listening on the VM's with the local LAN IP's, eg:
Interface: WAN
TCP/IP: IPv4
Protocol: TCP
Type: Single host or alias
Destination: 192.168.x.x
Destination port range: From HTTP to HTTP
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
What if you have to shut down the entire Citrix infrastructure for hardware maintenance, software upgrades or "the unknown"? I developed this plan for "the unknown" and hope that it helps you as well. This article explains how to properly shut down …
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question