After searching the archives, the forum and conferring with Mr. Google,
I've not found anything about the best/correct strategy to use to support
multiple LAN subnets on a single LAN port.

The Questions
=============
- is using address aliases the correct/optimal/best way to create the WAN
aliases?

- if using address aliases is *not* the best way, what is?

- if using address aliases *is* the best way, I assume that the commands
should be entered in a /etc/rc script:

  * if a /etc/rc script is the right way, what's the rc processing flow
on FreeBSD ... i.e., usually there's a standard script naming that will
automatically cause it to get included in the startup processing ... what
is it on this *NIX?

  * if a /etc/rc script isn't the right way, what is (I'm not familiar
with Perl or PHP but am very comfortable with shell scripting)?

- are there any problems with the overall approach we're using, here?

TIA

Background Info
===============
Graphically, we have (all addresses are "made up", LAN switches omitted)
... view in mono-spaced font:

    Aliased IPs:      Ultimately Mapped To:
    172.16.1.50       WAN : 4.4.8.4   domain1.com
    172.16.2.50       WAN2: 4.4.16.4  domain2.com
    172.16.3.50       WAN3: 4.4.32.4  domain3.com

+--------+
| Server |----+                +---------+  WAN  4.4.8.4  (domain1.com)
+--------+    |   172.16.1.1   |         |------------------------------+
              |   172.16.2.1   | pfSense |  WAN2 4.4.16.4 (domain2.com) |  +--------+   +-----+
+=========+===+===172.16.3.1===| 1.2RC4  |------------------------------+--| Switch |---| DSL |--
|         |                    |         |  WAN3 4.4.32.4 (domain3.com) |  +--------+   +-----+
+-----+   +-----+               +---------+------------------------------+
| Mac |...| PC  |
+-----+   +-----+
172.16.1.100   172.16.1.200


Being 2 small offices, our pfSense setup and requirements are relatively
simple:

- we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static
public IP addresses

- since the DHCP assignment relies on a MAC address, we have the "normal"
WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2)

- Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec
passthrough)"

- all 3 WANs have ports mapped onto a LAN-resident server that supports
the web serving for the 3 different domain names via virtual hosts based
upon IP:port binding using the 3 different subnets (the server's single
port is aliased to reside on the 3 subnets)

- the WAN port is the only one that sees any "general" LAN-resident
traffic (i.e., other than the traffic that's mapped to/from the server)
and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the
LAN-resident server

- I split our DNS services for private/public address access so NAT
reflection is not an issue (being a development shop, we have multiple
internal-only servers as well)

- we have a second basic LAN/WAN-only pfSense at another office with an
IPSec tunnel running and we have PPTP configured

What's Been Done
================
What I've done is simply added address aliases on the otherwise
172.16.1.1 LAN port via

    ifconfig sk0 alias 172.16.2.1/24
    ifconfig sk0 alias 172.16.3.1/24

(the Web interface then reports it as the last-added alias)

The only rules are:

- Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ...
e.g.:

    allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80

- Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ...
e.g.:

    allow TCP from any IP on any port in via
    gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80

- Firewall Rules: for each of the LAN subnets, allow all out via the
mapped WAN/gateway ... e.g.:

    allow any protocol from 172.16.2.0/24 on any port to any destination out
    on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more
    restrictive for WAN2 & WAN3)

This all seems to work quite well but I need to automate the aliasing, if
that's the end solution.
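As an added example that is not part of the original post, here is a small sh helper for the aliasing step above: it re-adds only the LAN-port aliases that are missing, so it is safe to run at every boot or by hand without stacking duplicate alias commands. It assumes the LAN NIC is sk0 and the two aliases from the post; the script file name it checks for and the sample ifconfig output are constructed, and how it gets hooked into the startup flow is left to whatever the pfSense/FreeBSD release provides.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent LAN-port aliasing.
# Assumptions: LAN NIC is sk0; alias list matches the setup described above.

LAN_IF="sk0"
# One "address/prefix" per line, in the ifconfig(8) syntax used above.
LAN_ALIASES="172.16.2.1/24
172.16.3.1/24"

# Constructed sample of what "ifconfig sk0" prints on FreeBSD when only the
# primary address and the first alias are configured (used for offline checks).
SAMPLE_IFCONFIG='sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
	inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255'

# missing_alias_cmds IFCONFIG_OUTPUT
# Reads the text of "ifconfig $LAN_IF" and prints one ifconfig command for
# every alias whose address does not yet appear as an "inet ADDR " line.
missing_alias_cmds() {
    current="$1"
    printf '%s\n' "$LAN_ALIASES" | while IFS= read -r cidr; do
        [ -n "$cidr" ] || continue
        addr="${cidr%/*}"
        # Fixed-string match with a trailing space so that 172.16.2.1 does
        # not match a line for 172.16.2.10 or 172.16.2.100.
        if ! printf '%s\n' "$current" | grep -qF -- "inet ${addr} "; then
            printf 'ifconfig %s alias %s\n' "$LAN_IF" "$cidr"
        fi
    done
}

# apply_aliases: run only the commands that are still missing on the live box.
apply_aliases() {
    missing_alias_cmds "$(ifconfig "$LAN_IF")" | while IFS= read -r cmd; do
        echo "adding: $cmd"
        $cmd
    done
}

# Only touch the interface when run as the (assumed) script name; sourcing
# the file for testing leaves the functions defined and the NIC alone.
if [ "${0##*/}" = "lan-aliases.sh" ]; then
    apply_aliases
fi
```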
