
Author Topic: Public IPs on lan  (Read 294 times)


Offline d234

Public IPs on lan
« on: February 04, 2018, 08:48:44 am »
Hey,

I have 2 subnets from my ISP and one WAN connection.
I want the servers on the LAN to accept the public IPs directly.

The subnet 1:
IPs - 37.19.125.52-62
subnet - 255.255.255.240

The subnet 2:
37.19.126.164-190
GW: 37.19.126.163
SN: 255.255.255.224


the wan IP is 37.19.125.53
the lan IP is 37.19.126.164.

I tried with NAT etc. and I can't get this setup to work...

Please help, Thank you!

Offline JKnott

Re: Public IPs on lan
« Reply #1 on: February 04, 2018, 01:34:46 pm »
First off, if you have public addresses, you don't use NAT.  NAT was created to get around the IPv4 address shortage, by allowing multiple devices to share one address.  Since you have a subnet, you don't need NAT.  Also, if you have subnet 1 available, why is the WAN address within it?  Do you actually want 2 IPv4 subnets on the same LAN, without benefit of VLANs etc.?
This page unintentionally left blank.

Offline d234

Re: Public IPs on lan
« Reply #2 on: February 04, 2018, 01:44:08 pm »
Hey,
First, thank you for your response.
I really want to use VLANs, but currently it does not work for me without VLANs at all...
Once I turn off the NAT I have no access to the world and vice versa.

What can you advise me about the WAN IP address?
I also want to separate the addresses into VLANs and even create a virtual subnet.
For example, 37.19.126.164-190 becomes 37.19.126.169/29 and 37.19.126.177/28.

Offline Derelict

    • View Profile
Re: Public IPs on lan
« Reply #3 on: February 04, 2018, 03:14:47 pm »
Your ISP should not be putting the 37.19.126.160/27 network as a secondary on the same interface.

They should be routing 37.19.126.160/27 to you on an address on 37.19.125.48/28.

If they do that everything will work fine.
« Last Edit: February 04, 2018, 03:19:20 pm by Derelict »
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline d234

Re: Public IPs on lan
« Reply #4 on: February 04, 2018, 03:17:56 pm »
Hey,
These are not the subnets of my ISP.
The subnet of my ISP is above in the first post.

When I disable NAT and create a VIP for the public IP, I can ping from outside but I do not have internet from the inside.
What am I missing here?

Offline Derelict

    • View Profile
Re: Public IPs on lan
« Reply #5 on: February 04, 2018, 03:20:26 pm »
Right, I was just correcting it.

They should not be adding the /27 as a secondary network on the WAN interface. They should be routing it to you instead.

If they were routing it they would not be giving you a gateway address for it.

Offline d234

Re: Public IPs on lan
« Reply #6 on: February 04, 2018, 03:25:10 pm »
Oh, sorry, I confused you.
I set up the IP of the WAN and the LAN.

My situation is like this.
I have 2 subnets.
One -
37.19.126.164-190
GW: 37.19.126.163
SN: 255.255.255.224

The second -
37.19.125.52-62
255.255.255.240 GW
37.19.125.51 SN

They are all routed to me through one cable that reaches my WAN port.

I want to use these external addresses on the servers behind the pfsense.
I read that I need to turn off the NAT and create a VIP. That's what I did, and I manage to ping the server, but from the server I have no internet out.

What else do I need to do?
Would appreciate help.

Offline Derelict

    • View Profile
Re: Public IPs on lan
« Reply #7 on: February 04, 2018, 03:32:48 pm »
This is the difference:


From the ISP's perspective:

Not good:

interface GigabitEthernet0/0
  ip address 37.19.125.49 255.255.255.240
  ip address 37.19.126.163 255.255.255.224 secondary



Good:

interface GigabitEthernet0/0
  ip address 37.19.125.49 255.255.255.240

ip route 37.19.126.160 255.255.255.224 37.19.125.52



If they are routing it you do not need to assign VIPs or anything. You just address the inside interface properly and disable NAT.

If you do not have ANY VIPS from the second network on your WAN interface and you packet capture and do something like ping an address on the secondary network from the outside you will see one of two things:

The ISP does an ARP request for the address - this means they have configured you the Not good way.

The ICMP echo request will arrive on the WAN interface with the address on the secondary network as the destination address and your router's WAN MAC address as the destination MAC address. This means it is routed to you and you can proceed.
« Last Edit: February 04, 2018, 03:37:52 pm by Derelict »
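
The capture test described in Reply #7, as an added example that is not part of the original thread: a small classifier over the text output of `tcpdump -e -n` taken on the WAN interface while someone pings an address in the second subnet from outside. The WAN MAC, the ISP router MAC, the outside source address and the sample capture lines are constructed; `<wan_if>` is a placeholder for the real interface name.

```python
import ipaddress
import re

# From the thread: the second subnet, 37.19.126.164-190 / 255.255.255.224.
SECOND_NET = ipaddress.ip_network("37.19.126.160/27")
WAN_MAC = "00:0c:29:aa:bb:cc"  # constructed placeholder for the pfSense WAN MAC

# Text as printed by: tcpdump -e -n -i <wan_if> 'arp or icmp'
ARP_RE = re.compile(r"ethertype ARP .*?who-has (\d+(?:\.\d+){3})")
ICMP_RE = re.compile(
    r"> ([0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"\d+(?:\.\d+){3} > (\d+(?:\.\d+){3}): ICMP echo request", re.I)

def classify(lines, net=SECOND_NET, wan_mac=WAN_MAC):
    """'arp' = upstream treats the subnet as on-link (the "Not good" case),
    'routed' = an echo request for the subnet arrived addressed to our WAN MAC,
    'inconclusive' = neither was seen in the capture."""
    routed = False
    for line in lines:
        m = ARP_RE.search(line)
        if m and ipaddress.ip_address(m.group(1)) in net:
            return "arp"  # one ARP for the second subnet settles it
        m = ICMP_RE.search(line)
        if (m and m.group(1).lower() == wan_mac
                and ipaddress.ip_address(m.group(2)) in net):
            routed = True
    return "routed" if routed else "inconclusive"

# Constructed sample captures (MACs and the outside source address are made up).
ARP_CAPTURE = [
    "15:40:01.000101 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 60: Request who-has 37.19.126.165 tell 37.19.126.163, length 46",
]
ROUTED_CAPTURE = [
    "15:40:01.000101 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype IPv4 (0x0800), "
    "length 98: 198.51.100.7 > 37.19.126.165: ICMP echo request, id 4321, seq 1, length 64",
]

if __name__ == "__main__":
    print(classify(ARP_CAPTURE))
    print(classify(ROUTED_CAPTURE))
```

The capture must be taken with no Virtual IPs from the second subnet configured on the WAN, as the reply states; ARP requests for addresses in the WAN's own /28 are ignored because they say nothing about how the second subnet is delivered.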

Offline d234

Re: Public IPs on lan
« Reply #8 on: February 04, 2018, 03:37:41 pm »
OK, I can ping the second subnet.
I can ping 165 (the server).
But I can't ping or do anything else from the server...
Is it related to ISP?

Offline Derelict

    • View Profile
Re: Public IPs on lan
« Reply #9 on: February 04, 2018, 03:38:16 pm »
You are not providing enough information.

I have no idea what the 165 server is. Please be complete and specific.

Offline d234

Re: Public IPs on lan
« Reply #10 on: February 04, 2018, 03:49:53 pm »
See the pictures

Offline Derelict

    • View Profile
Re: Public IPs on lan
« Reply #11 on: February 04, 2018, 04:01:03 pm »
Right. Delete the Virtual IP and do the test I described above.  Pinging the VIP address from the outside is pinging the VIP address, not the inside server at all.

If they ARP for it, you will have nothing but problems.

If they send the traffic to your WAN MAC address addressed to the .165 address it can be made to work.

« Last Edit: February 04, 2018, 04:04:39 pm by Derelict »

Offline d234

Re: Public IPs on lan
« Reply #12 on: February 04, 2018, 04:03:37 pm »
Okay I understand.
Thank you so much for help!

Offline SammyWoo

Re: Public IPs on lan
« Reply #13 on: February 10, 2018, 10:36:38 am »
To expose specific internal servers to the outside, people either place them in the DMZ, or use port forwarding.  Turning off NAT is just a foreign concept... NAT is your firewall, you want to bypass the firewall and expose your internal to the outside world? Plus unless you purchased an IP for EACH of your clients, the NAT is there so that you can have more clients than purchased static WAN IP.

If this is what you want anyway, never mind, I am no help.