pfSense Support Subscription

Author Topic: public IPs for machines behind pfsense  (Read 3705 times)

0 Members and 1 Guest are viewing this topic.

Offline forpfsensebaby

  • Newbie
  • *
  • Posts: 4
    • View Profile
public IPs for machines behind pfsense
« on: May 07, 2012, 04:15:20 am »
Hi:

First accept my apologies if this should be covered elsewhere

I am new to PFsense, and I am going to apply this to my small IDC business, I have several IP blocks /25 and /24, and I have searched a while but haven't really found any thing which indicates how to

"set PFsense and give all machines public IPs directly under it"

by saying "directly" I mean if I own 66.55.99.0/24, and set PFsense as 66.55.99.100, 16 machines under it, their IPs are 66.55.77.101,102.....106.

I don't want to use any port forwarding or 1:1 NAT cuz I will have many VPSes under the physical machines by VMware, VBOX and XEN, it's better to have IPs directly instead of port forwarding to internal IP addresses.

does somebody know/have already done the setting for this? what am I going to do? bridge?

thank you very very much
« Last Edit: May 08, 2012, 02:55:19 am by forpfsensebaby »

Offline dLockers

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #1 on: May 22, 2012, 11:06:05 am »
MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.

Offline podilarius

  • Hero Member
  • *****
  • Posts: 1764
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #2 on: May 22, 2012, 12:20:21 pm »
Quote
MS Server 8 won't allow public IP's, just an FYI. Might want to get used to that idea.

That would be very dumb on Microsoft's part. Especially since almost all of IPV6 is route-able on the internet. They are also going to cause problems for those who put them live on the internet as web server or those who are using a transparent firewall.

For you problem at hand, you have two options.

You can use virtual IPs and NAT with rules so as to translate External IPs to Internal. This looks like something you don't want to do.

The second option is to setup a bridge. In this case it is a transparent firewall. You will only set 1 IP on the LAN and then filter all traffic on the WAN.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #3 on: May 22, 2012, 01:23:59 pm »
Quote
MS Server 8 won't allow public IP's

Where did you pick up that piece of FUD?

Are you thinking of maybe SBS 2008, which is specialty build?

http://support.microsoft.com/kb/957717
Unable to Install SBS 2008 with a Public IP Address
« Last Edit: May 22, 2012, 01:29:54 pm by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

Offline dLockers

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #4 on: May 23, 2012, 03:17:02 am »
Quote
MS Server 8 won't allow public IP's

Where did you pick up that piece of FUD?

Are you thinking of maybe SBS 2008, which is specialty build?

http://support.microsoft.com/kb/957717
Unable to Install SBS 2008 with a Public IP Address
Could be.

What's a FUD?

Offline iFloris

  • Full Member
  • ***
  • Posts: 168
  • one layer of information removed
    • View Profile
    • Small personal site
Re: public IPs for machines behind pfsense
« Reply #5 on: May 23, 2012, 04:57:35 am »
@dlockers, unrelated to topic. FUD is an expression.
one layer of information
removed

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #6 on: May 23, 2012, 06:07:15 am »
This is true it can stand for that, it can also stand for "F_cked Up Disinformation"

Either way works really with your statement ;)
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

Offline dLockers

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #7 on: May 23, 2012, 06:12:51 am »
lol. I was partly right (it was A server flavour, right?  :D :D :-*).

It's still bad practice to give a host a public IP.
« Last Edit: May 23, 2012, 06:25:14 am by dLockers »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #8 on: May 23, 2012, 06:19:05 am »
"It's still bad practice to give a host a public IP."

Not if its a public server, say Web Server ;)  Email Server, FTP Server, etc. etc. etc..

If the host is connected to the public net to provide something to the public net then yes it would need a public IP.

So your suggesting that every server should be behind a NAT?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

Offline dLockers

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #9 on: May 23, 2012, 06:23:42 am »
"It's still bad practice to give a host a public IP."

Not if its a public server, say Web Server ;)  Email Server, FTP Server, etc. etc. etc..

If the host is connected to the public net to provide something to the public net then yes it would need a public IP.

So your suggesting that every server should be behind a NAT?
For additional protection I'd say so. Otherwise you are putting all your faith in software firewall solutions.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #10 on: May 23, 2012, 10:22:08 am »
"Otherwise you are putting all your faith in software firewall solutions."

Again more FUD!!  Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.

- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

Offline dLockers

  • Jr. Member
  • **
  • Posts: 79
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #11 on: May 23, 2012, 10:40:59 am »
"Otherwise you are putting all your faith in software firewall solutions."

Again more FUD!!  Just because a host has a public IP, does not mean its not behind a firewall that is not doing NAT.


How about stop being a dick, and explain then? I'm here to learn as much as everyone else.

I have always been told to use NAT and put servers on a separate LAN. Without putting special configurations, I didn't know you could firewall effectively if you have a DMZ'ed host with a public IP.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #12 on: May 23, 2012, 11:40:54 am »
Not trying to be a "dick" I assure you - its just that your statements are FUD..  If you are not sure then you should word them as questions and not what "seems" to be a FACT in your mind?

example.
----
Quote
So your suggesting that every server should be behind a NAT?

For additional protection I'd say so. Otherwise aren't you just putting all your faith in software firewall solutions on the host?.
----

Not sure what firewalls you have worked with in the past, but I assure you you do not have to be behind a nat to process rules that either allow or deny access.   Not sure where you would of gotten that idea other than maybe home type routers, and normally those routers don't even really create a real DMZ, more of what they call a DMZ Host  - which is just the forwarding of ports that are not otherwise forwarded already.

More than happy to help you with any questions you have..  Who told you this "I have always been told to use NAT and put servers on a separate LAN"..  This is just FUD plain and simple.

I think its already been brought up - if this is your understanding, what do think will happen with IPv6?  Do you think NAT will still be used?

Don't get me wrong, not saying that NAT is not a useful tool - that sure can be used in protecting your hosts, or for sharing a IP, etc. etc.  Lots of use for it.  But there are protocols that just do not work, or do not work well when behind a NAT.   And created extra overhead when its just not needed, there are places and uses for nat and or napt sure.  But it is not the end all get all of protecting your servers.
« Last Edit: May 23, 2012, 11:48:24 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html

Offline podilarius

  • Hero Member
  • *****
  • Posts: 1764
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #13 on: May 23, 2012, 12:42:54 pm »
I agree ... a bridging firewall (or transparent firewall) is just as effective IMO. Plus, you get to hide your firewall so there is no gateway for attackers to attack. Not saying that won't stop attackers from trying or succeeding .. just makes it a little more difficult. But to just say that NAT is the only right way is a bit out there especially if you are unsure.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 2889
    • View Profile
Re: public IPs for machines behind pfsense
« Reply #14 on: May 23, 2012, 12:59:49 pm »
Does not have to be a bridging or transparent firewall either.  But that is an option as well without NAT.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Have I helped you, want to say thanks?  Donate to pfsense the cost of a beer http://pfsense.org/donate.html