Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-29 Thread Ryan Coleman
The thing is right now I’m on my Comcast account and the other server is on a 
completely different subnet. Yes on my same network but it goes out via 
Comcast, through them to US Internet to the firewall downstairs and into the VM 
that is on that specific network.


> On Jun 29, 2015, at 10:52 AM, Chris Bagnall  wrote:
> 
> On 29/6/15 4:41 pm, Ryan Coleman wrote:
>> I don’t know why I cannot access ANY of it from my other network, though… I 
>> have to be outside the building to see it.
> 
> System -> Advanced -> NAT Reflection perhaps?
> 
> Might be worth playing with some of the options in there...
> 
> (but personally, I'd just set a local DNS override so www.test.d3photo.com 
> resolves to the server's internal LAN IP)
> 
> Kind regards,
> 
> Chris
> -- 
> This email is made from 100% recycled electrons
> ___
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-29 Thread Chris Bagnall

On 29/6/15 4:41 pm, Ryan Coleman wrote:
> I don’t know why I cannot access ANY of it from my other network, though… I 
> have to be outside the building to see it.

System -> Advanced -> NAT Reflection perhaps?

Might be worth playing with some of the options in there...

(but personally, I'd just set a local DNS override so 
www.test.d3photo.com resolves to the server's internal LAN IP)


Kind regards,

Chris
--
This email is made from 100% recycled electrons

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-29 Thread Ryan Coleman
It’s working. www.test.d3photo.com 

I don’t know why I cannot access ANY of it from my other network, though… I 
have to be outside the building to see it.

> On Jun 27, 2015, at 10:03 PM, Ryan Coleman  wrote:
> 
> I agree. But if they’re redirecting all the traffic to a specific MAC address 
> (which they say they are - the firewall I have has to be registered) I guess 
> you could, in theory, do some L2 voodoo and make it work.
> 
> The email from the support tech earlier this week:
>> The usable IP range and gateway IP will depend on your firewall setup, for 
>> example if you were to use a 1-to-1 NAT to internal IP addresses for each 
>> public IP, you would be able to use every address in the range.
> 
> 
> And I wouldn’t believe it except that when I ping the Network address (.16) 
> from my existing ISP (Comcast) it shows up on the firewall as traffic.
> 
> 
> 
>> On Jun 27, 2015, at 9:47 PM, Chris Bagnall  wrote:
>> 
>> On 28 Jun 2015, at 03:35, Ryan Coleman  wrote:
>>> The ISP has actually stated otherwise, which is the reason I brought it up.
>> 
>> That’s a new one on me. If you get that working, I’d be fascinated to hear 
>> how - it seems to go against the basics of IP networks.
>> 
>> Kind regards,
>> 
>> Chris
>> -- 
>> C.M. Bagnall
>> This email is made from 100% recycled electrons
>> 

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Ryan Coleman
I agree. But if they’re redirecting all the traffic to a specific MAC address 
(which they say they are - the firewall I have has to be registered) I guess 
you could, in theory, do some L2 voodoo and make it work.

The email from the support tech earlier this week:
> The usable IP range and gateway IP will depend on your firewall setup, for 
> example if you were to use a 1-to-1 NAT to internal IP addresses for each 
> public IP, you would be able to use every address in the range.


And I wouldn’t believe it except that when I ping the Network address (.16) 
from my existing ISP (Comcast) it shows up on the firewall as traffic.



> On Jun 27, 2015, at 9:47 PM, Chris Bagnall  wrote:
> 
> On 28 Jun 2015, at 03:35, Ryan Coleman  wrote:
>> The ISP has actually stated otherwise, which is the reason I brought it up.
> 
> That’s a new one on me. If you get that working, I’d be fascinated to hear 
> how - it seems to go against the basics of IP networks.
> 
> Kind regards,
> 
> Chris
> -- 
> C.M. Bagnall
> This email is made from 100% recycled electrons
> 

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Chris Bagnall
On 28 Jun 2015, at 03:35, Ryan Coleman  wrote:
> The ISP has actually stated otherwise, which is the reason I brought it up.

That’s a new one on me. If you get that working, I’d be fascinated to hear how 
- it seems to go against the basics of IP networks.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Ryan Coleman
The ISP has actually stated otherwise, which is the reason I brought it up.

I am going to try the VLAN route since physical OPT1 will be connected to 
another ISP.

> On Jun 27, 2015, at 9:32 PM, Chris Bagnall  wrote:
> 
> On 28 Jun 2015, at 02:38, Ryan Coleman  wrote:
>> which is the preferred mind you because it would give me all three 
>> additional IPs (gateway, network address and broadcast) as addressable…
> 
> No it won’t. Your network is 18.25.125.16/29. You still have to follow the 
> normal rules about gateway, network and broadcast - you can’t get around 
> that. If you need more than the 5 usable addresses, you need to ask your 
> service provider to give you a /28. This is not a pfSense limitation.
> 
> So in the example I gave, I used .17 for pfSense’s OPT1 interface. This gives 
> you .18 - .22 inclusive for your stuff. .23 is the broadcast.
> 
> Kind regards,
> 
> Chris
> -- 
> C.M. Bagnall
> This email is made from 100% recycled electrons
> 

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Chris Bagnall
On 28 Jun 2015, at 02:38, Ryan Coleman  wrote:
> which is the preferred mind you because it would give me all three additional 
> IPs (gateway, network address and broadcast) as addressable…

No it won’t. Your network is 18.25.125.16/29. You still have to follow the 
normal rules about gateway, network and broadcast - you can’t get around that. 
If you need more than the 5 usable addresses, you need to ask your service 
provider to give you a /28. This is not a pfSense limitation.

So in the example I gave, I used .17 for pfSense’s OPT1 interface. This gives 
you .18 - .22 inclusive for your stuff. .23 is the broadcast.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Ryan Coleman
So if I get this going - which is the preferred mind you because it would give 
me all three additional IPs (gateway, network address and broadcast) as 
addressable… what do I set in the Virtual IP table? 

> 3) you might be able to define virtual IPs for 18.25.125.18 .19 .20 .21 .22 
> on OPT1 - this will allow pfSense to handle ARP replies for those IPs. You 
> may then be able to define a 1:1 rule as follows (for example):
> Interface   External IP     Internal IP     Destination IP
> OPT1        18.25.125.18    192.168.16.5    *


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Chris Bagnall
> So assume I have this: 12.34.56.78 for my firewall address (as assigned to me 
> by the ISP).
> And I have 18.25.125.16/29 for my statics.
> And behind the firewall I am running 192.168.16.0/24
> How do I set it up there?

WAN on 12.34.56.78
LAN on 192.168.16.0/24
OPT1 on 18.25.125.17/29 (or any other IP from the range - I’ve gone with the 
first usable IP for simplicity)

Your LAN works as it does currently, NATing to 12.34.56.78.

You then have 3 choices:

1) give your servers public IPs and place them directly onto OPT1 (this doesn’t 
have to be a separate physical interface, no reason why it couldn’t be a tagged 
VLAN). They would then use 18.25.125.17 as their default gw.

2) dual home your servers so they have both a public IP and an RFC1918 IP.

3) you might be able to define virtual IPs for 18.25.125.18 .19 .20 .21 .22 on 
OPT1 - this will allow pfSense to handle ARP replies for those IPs. You may 
then be able to define a 1:1 rule as follows (for example):
Interface   External IP     Internal IP     Destination IP
OPT1        18.25.125.18    192.168.16.5    *

It’s important that the range 18.25.125.16/29 is defined on an interface on 
pfSense *somewhere*, even if - as I said above - it’s not assigned a physical 
NIC.

Kind regards,

Chris
-- 
C.M. Bagnall
This email is made from 100% recycled electrons
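
Added example (not part of the original thread, and not pfSense code): a small Python check of the addressing plan discussed above, using the thread's values 18.25.125.16/29, OPT1 on .17 and LAN 192.168.16.0/24. The names `plan_block`, `check_mappings` and `OneToOne` are hypothetical, and every mapping other than 18.25.125.18 -> 192.168.16.5 is constructed to show a rejected entry.

```python
import ipaddress
from typing import NamedTuple


class OneToOne(NamedTuple):
    external: str  # public address taken from the routed block
    internal: str  # RFC1918 address of the server on the LAN


def plan_block(block, gateway):
    """Split a routed block into network, broadcast, gateway and usable hosts."""
    net = ipaddress.ip_network(block)  # strict: rejects a prefix with host bits set
    gw = ipaddress.ip_address(gateway)
    if gw not in net or gw in (net.network_address, net.broadcast_address):
        raise ValueError(f"{gw} is not a usable host address in {net}")
    return {
        "network": net.network_address,
        "broadcast": net.broadcast_address,
        "gateway": gw,
        # hosts() already excludes network and broadcast; drop the gateway too
        "usable": [h for h in net.hosts() if h != gw],
    }


def check_mappings(block, gateway, lan, mappings):
    """Return (mapping, reason) for every 1:1 entry that cannot work as planned."""
    plan = plan_block(block, gateway)
    lan_net = ipaddress.ip_network(lan)
    reserved_lan = (lan_net.network_address, lan_net.broadcast_address)
    problems = []
    seen_ext, seen_int = set(), set()
    for m in mappings:
        ext = ipaddress.ip_address(m.external)
        inn = ipaddress.ip_address(m.internal)
        if ext == plan["network"]:
            problems.append((m, "external IP is the network address"))
        elif ext == plan["broadcast"]:
            problems.append((m, "external IP is the broadcast address"))
        elif ext == plan["gateway"]:
            problems.append((m, "external IP is the interface address"))
        elif ext not in plan["usable"]:
            problems.append((m, "external IP is outside the routed block"))
        if inn not in lan_net or inn in reserved_lan:
            problems.append((m, "internal IP is not a host address on the LAN"))
        if ext in seen_ext:
            problems.append((m, "external IP mapped twice"))
        if inn in seen_int:
            problems.append((m, "internal IP mapped twice"))
        seen_ext.add(ext)
        seen_int.add(inn)
    return problems


# Values from the thread, plus constructed entries that should be rejected.
BLOCK, GATEWAY, LAN = "18.25.125.16/29", "18.25.125.17", "192.168.16.0/24"
SAMPLE_MAPPINGS = [
    OneToOne("18.25.125.18", "192.168.16.5"),  # the rule from the message above
    OneToOne("18.25.125.16", "192.168.16.6"),  # constructed: network address
    OneToOne("18.25.125.23", "192.168.16.7"),  # constructed: broadcast address
    OneToOne("18.25.125.19", "192.168.17.5"),  # constructed: host not on the LAN
    OneToOne("18.25.125.18", "192.168.16.8"),  # constructed: external IP reused
]

if __name__ == "__main__":
    plan = plan_block(BLOCK, GATEWAY)
    print("usable for 1:1:", ", ".join(str(a) for a in plan["usable"]))
    for mapping, reason in check_mappings(BLOCK, GATEWAY, LAN, SAMPLE_MAPPINGS):
        print(f"reject {mapping.external} -> {mapping.internal}: {reason}")
```

Each entry that passes is a LAN host reachable on its own public address, so the resulting list also serves as the inventory of servers that need explicit firewall rules on OPT1.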


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-27 Thread Ryan Coleman
This would make sense except for one thing: the WAN IP is not anywhere near the 
range of the static addresses they gave me.

So assume I have this: 12.34.56.78 for my firewall address (as assigned to me 
by the ISP).
And I have 18.25.125.16/29 for my statics.
And behind the firewall I am running 192.168.16.0/24

How do I set it up there? I tried 1:1 and I saw the traffic coming from my 
other connection trying to load a web page (Apache - installed and running 
fine) and my ICMP traffic. And using the Firewall System Log tab I did the easy 
rule pass but neither the ICMP nor the Web traffic were passing through and 
back.

Yes, I have confirmed the server gets out to the internet and through the new 
fiber connection only. 



> On Jun 25, 2015, at 3:34 PM, ys1338  wrote:
> 
> 
> 
> I believe VIPs can be used in this scenario. 
> You would have pfSense have the single main IP for its WAN and the remaining 
> block as VIPs. You then could use NAT to forward them to your LAN port 
> segment.
> -Yaroslav
> 
>  Original message 
> From: Steve Yates <st...@teamits.com>
> Date: 06/25/2015  4:11 PM  (GMT-05:00) 
> To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
> Subject: Re: [pfSense] Setting up for 1:1 with block of statics? 
> 
> Ryan Coleman wrote on Thu, Jun 25 2015 at 12:00 pm:
> 
>> Ok so I would be better suited, then, utilizing a third firewall?
>> 
>> I have 2 right now on our Cable service: one for basic LAN traffic and one 
>> for specific services behind the firewall (SMTP, FTP, etc.).
>> 
>> I could have this new FTTO/FTTP connection firewall actually do the specific
>> services one, too, and route for the IPs?
>> 
>> Here’s what their email said (yes, I did change the IPs to private to keep 
>> them off the net):
>>> NOTE: As soon as the remainder of your service setup completed your static
>>> IP address will be live with this provided info. The rest of the service 
>>> setup should be completed very soon. Additionally your 8-block of IP address 
>>> are also provisioned. They are being routed to your firewall at 10.0.12.222 
>>> Network: 192.168.120.16 Netmask: 255.255.255.248 You can contact tech 
>>> support when you are ready to change your MAC address.
>> 
>> As it stands right now the firewall is definitely accessible remotely. And I 
>> like that. It sounds like I would get 6 functional IPs out of the group 
>> (17-21 and .222)
> 
>   Will the servers/PCs behind the firewall have public IPs?  If not, and 
> you want to use NAT, then I don't think one pfSense will work for you.  I 
> suspect you'd need one that takes the packet for 192.168.120.17 arriving at 
> 10.0.12.222, and passes it to its "LAN" network.  Then you could set up a 
> second pfSense or router that uses 192.168.120.17 as its WAN IP address, uses 
> other 192.168.120.x IPs as IP aliases (on WAN), and provides NAT to a private 
> IP range.
> 
>   Perhaps someone can jump in if there is a way to combine the two 
> functions.  Maybe with four NICs and a convoluted setup of going out NIC 2 
> back into NIC 3, with NIC 4 the private IP network.  Seems error-prone, 
> though.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> 

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread Chris Bagnall

On 25/6/15 9:11 pm, Steve Yates wrote:
> If not, and you want to use NAT, then I don't think one pfSense will work for 
> you.

> Perhaps someone can jump in if there is a way to combine the two functions.

You may be able to do something with Advanced Outbound NAT. Assign your 
public IP range to an OPT interface (for any servers that you do want to 
have public IPs), then you can either NAT everything on the LAN to your 
routing IP (10.0.12.222 in your example), or you can create AON rules to 
use one of your other IPs.


Kind regards,

Chris
--
This email is made from 100% recycled electrons


Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread ys1338


I believe VIPs can be used in this scenario. 
You would have pfSense have the single main IP for its WAN and the remaining 
block as VIPs. You then could use NAT to forward them to your LAN port segment.
-Yaroslav

 Original message 
From: Steve Yates  
Date: 06/25/2015  4:11 PM  (GMT-05:00) 
To: pfSense Support and Discussion Mailing List  
Subject: Re: [pfSense] Setting up for 1:1 with block of statics? 

Ryan Coleman wrote on Thu, Jun 25 2015 at 12:00 pm:

> Ok so I would be better suited, then, utilizing a third firewall?
> 
> I have 2 right now on our Cable service: one for basic LAN traffic and one for
> specific services behind the firewall (SMTP, FTP, etc.).
> 
> I could have this new FTTO/FTTP connection firewall actually do the specific
> services one, too, and route for the IPs?
> 
> Here’s what their email said (yes, I did change the IPs to private to keep 
> them off the net):
>> NOTE: As soon as the remainder of your service setup completed your static
>> IP address will be live with this provided info. The rest of the service setup
>> should be completed very soon. Additionally your 8-block of IP address are 
>> also provisioned. They are being routed to your firewall at 10.0.12.222 
>> Network: 192.168.120.16 Netmask: 255.255.255.248 You can contact tech support 
>> when you are ready to change your MAC address.
> 
> As it stands right now the firewall is definitely accessible remotely. And I 
> like that. It sounds like I would get 6 functional IPs out of the group 
> (17-21 and .222)

Will the servers/PCs behind the firewall have public IPs?  If not, and 
you want to use NAT, then I don't think one pfSense will work for you.  I 
suspect you'd need one that takes the packet for 192.168.120.17 arriving at 
10.0.12.222, and passes it to its "LAN" network.  Then you could set up a 
second pfSense or router that uses 192.168.120.17 as its WAN IP address, uses 
other 192.168.120.x IPs as IP aliases (on WAN), and provides NAT to a private 
IP range.

Perhaps someone can jump in if there is a way to combine the two 
functions.  Maybe with four NICs and a convoluted setup of going out NIC 2 back 
into NIC 3, with NIC 4 the private IP network.  Seems error-prone, though.

--

Steve Yates
ITS, Inc.



Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread Steve Yates
Ryan Coleman wrote on Thu, Jun 25 2015 at 12:00 pm:

> Ok so I would be better suited, then, utilizing a third firewall?
> 
> I have 2 right now on our Cable service: one for basic LAN traffic and one for
> specific services behind the firewall (SMTP, FTP, etc.).
> 
> I could have this new FTTO/FTTP connection firewall actually do the specific
> services one, too, and route for the IPs?
> 
> Here’s what their email said (yes, I did change the IPs to private to keep 
> them off the net):
>> NOTE: As soon as the remainder of your service setup completed your static
>> IP address will be live with this provided info. The rest of the service setup
>> should be completed very soon. Additionally your 8-block of IP address are 
>> also provisioned. They are being routed to your firewall at 10.0.12.222 
>> Network: 192.168.120.16 Netmask: 255.255.255.248 You can contact tech support 
>> when you are ready to change your MAC address.
> 
> As it stands right now the firewall is definitely accessible remotely. And I 
> like that. It sounds like I would get 6 functional IPs out of the group 
> (17-21 and .222)

Will the servers/PCs behind the firewall have public IPs?  If not, and 
you want to use NAT, then I don't think one pfSense will work for you.  I 
suspect you'd need one that takes the packet for 192.168.120.17 arriving at 
10.0.12.222, and passes it to its "LAN" network.  Then you could set up a 
second pfSense or router that uses 192.168.120.17 as its WAN IP address, uses 
other 192.168.120.x IPs as IP aliases (on WAN), and provides NAT to a private 
IP range.

Perhaps someone can jump in if there is a way to combine the two 
functions.  Maybe with four NICs and a convoluted setup of going out NIC 2 back 
into NIC 3, with NIC 4 the private IP network.  Seems error-prone, though.

--

Steve Yates
ITS, Inc.



Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread Ryan Coleman
Ok so I would be better suited, then, utilizing a third firewall?

I have 2 right now on our Cable service: one for basic LAN traffic and one for 
specific services behind the firewall (SMTP, FTP, etc.).

I could have this new FTTO/FTTP connection firewall actually do the specific 
services one, too, and route for the IPs? 

Here’s what their email said (yes, I did change the IPs to private to keep them 
off the net): 
> NOTE: As soon as the remainder of your service setup completed your static IP 
> address will be live with this provided info. The rest of the service setup 
> should be completed very soon. Additionally your 8-block of IP address are 
> also provisioned. They are being routed to your firewall at 10.0.12.222 
> Network: 192.168.120.16 Netmask: 255.255.255.248 You can contact tech support 
> when you are ready to change your MAC address.

As it stands right now the firewall is definitely accessible remotely. And I 
like that. It sounds like I would get 6 functional IPs out of the group (17-21 
and .222)



> On Jun 25, 2015, at 10:51 AM, Steve Yates  wrote:
> 
> Ryan Coleman wrote on Thu, Jun 25 2015 at 10:03 am:
> 
>> So I got FTTO from the local non-telco and they have a static IP for my 
>> firewall separate from my assigned block and my block is definitely not in a 
>> routable space with the master IP.
>> 
>> Let’s assume the configuration is something like this…
>> 
>> Firewall: 10.0.12.55/30 -(Gateway, for sake of argument, is 10.0.12.56)
>> Statics: 192.168.120.16/29 (so .17 through .21 are usable)… they say they are
>> forwarding to the firewall…
> 
>   Assuming you've used private IPs in your example and actually have 
> public IPs on both sides, what they've done is to route the entire subnet to 
> you.  pfSense's WAN would use 10.0.12.56 and computers on the LAN could use 
> the public IPs directly.  pfSense is what would do the routing between them.  
> pfSense would use, say, 192.168.120.17 for its LAN IP and that would be the 
> gateway on your computers.  So .18-.22 would be usable on your "LAN" side.
> 
> --
> 
> Steve Yates
> ITS, Inc.
> 
> 

Re: [pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread Steve Yates
Ryan Coleman wrote on Thu, Jun 25 2015 at 10:03 am:

> So I got FTTO from the local non-telco and they have a static IP for my 
> firewall separate from my assigned block and my block is definitely not in a 
> routable space with the master IP.
> 
> Let’s assume the configuration is something like this…
> 
> Firewall: 10.0.12.55/30 -(Gateway, for sake of argument, is 10.0.12.56)
> Statics: 192.168.120.16/29 (so .17 through .21 are usable)… they say they are
> forwarding to the firewall…

Assuming you've used private IPs in your example and actually have 
public IPs on both sides, what they've done is to route the entire subnet to 
you.  pfSense's WAN would use 10.0.12.56 and computers on the LAN could use the 
public IPs directly.  pfSense is what would do the routing between them.  
pfSense would use, say, 192.168.120.17 for its LAN IP and that would be the 
gateway on your computers.  So .18-.22 would be usable on your "LAN" side.

--

Steve Yates
ITS, Inc.



[pfSense] Setting up for 1:1 with block of statics?

2015-06-25 Thread Ryan Coleman
So I got FTTO from the local non-telco and they have a static IP for my 
firewall separate from my assigned block and my block is definitely not in a 
routable space with the master IP.

Let’s assume the configuration is something like this…

Firewall: 10.0.12.55/30 -(Gateway, for sake of argument, is 10.0.12.56)
Statics: 192.168.120.16/29 (so .17 through .21 are usable)… they say they are 
forwarding to the firewall…

I’m used to putting dual NICs in to the VMs and having them pair out but this 
is a new set up for me.  

Now another item: I was thinking of using Mod Proxy in Apache to do multiple 
virtual domains on different VMs for users - would all this still be 
compatible? Keep in mind I haven’t done a lot of research on mod-proxy and it 
might officially be broken or unsupported.

Thanks!