Thanks Chris, I'd appreciate that. If you want ping me via
http://www.derman.com/Contact/AboutUs-Contacts.jsp
I'll send you an email address, if that would make it easier.
Narrower version of original diagram included, below
... so it doesn't wrap 'n jumble [du-oh!]
______________________________________________________________________
Previous message from Chris Buechler on 2008-02-07 at 1:36 PM -0500
----------------------------------------------------------------------
|I have a document that describes in detail the steps required to
|accomplish this, though not accessible right now. You're partially
|right, partially wrong. I'll put it online somewhere later.
|
|Bryan Derman wrote:
|> After searching the archives, the forum and conferring with Mr. Google,
|> I've not found anything about the best/correct strategy to use to support
|> multiple LAN subnets on a single LAN port.
|>
|> The Questions
|> =============
|> - is using address aliases the correct/optimal/best way to create the WAN
|> aliases?
|>
|> - if using address aliases is *not* the best way, what is?
|>
|> - if using address aliases *is* the best way, I assume that the commands
|> should be entered in a /etc/rc script:
|>
|> * if a /etc/rc script is the right way, what's the rc processing flow
|> on FreeBSD ... i.e., usually there's a standard script naming that will
|> automatically cause it to get included in the startup processing ... what
|> is it on this *NIX?
|>
|> * if a /etc/rc script isn't the right way, what is (I'm not familiar
|> with Perl or PHP but am very comfortable with shell scripting)?
|>
|> - are there any problems with the overall approach we're using, here?
|>
|> TIA
|>
|> Background Info
|> ===============
|> Graphically, we have (all addresses are "made up", LAN switches omitted)
|> ... view in mono-spaced font:
|>
Aliased IPs: Ultimately Mapped As:
+------+ 172.16.1.50 WAN : domain1.com : 4.4.8.4
| | 172.16.2.50 WAN2: domain2.com : 4.4.16.4
| | 172.16.3.50 WAN3: domain3.com : 4.4.32.4
|Server|---+ WAN 4.4.8.4
| | | +------+ +-------+ domain1.com
| | | 172.16.1.1| | |4.4.8.4| +-----+ +-----------
+------+ | 172.16.2.1| |-+ +-| | |
| 172.16.3.1| | WAN2 | | +---+ |domain2.com
+======+===+=======|pfSnse|-----------|Swtch|-|DSL|-+------------
| | |1.2RC4| 4.4.16.4 | | +---| | 4.4.16.4
+-----+ +-----+ | |-+ +-| | |
| Mac | .... | PC | | | | WAN3 | +-----| +-----------
+-----+ +-----+ +------+ +-------+ domain3.com
172.16.1.10 172.16.1.20 4.4.32.4 4.4.32.4
|>
|>
|> Being 2 small offices, our pfSense setup and requirements are relatively
|> simple:
|>
|> - we have a single LAN port and 3 WAN ports for 3 DHCP-assigned static
|> public IP addresses
|>
|> - since the DHCP assignment relies on a MAC address, we have the "normal"
|> WAN port plus WAN2 and WAN3 (i.e., OPT1 and OPT2)
|>
|> - Outbound NAT is set to "Automatic outbound NAT rule generation (IPsec
|> passthrough)"
|>
|> - all 3 WANs have ports mapped onto a LAN-resident server that supports
|> the web serving for the 3 different domain names via virtual hosts based
|> upon IP:port binding using the 3 different subnets (the server's single
|> port is aliased to reside on the 3 subnets)
|>
|> - the WAN port is the only one that sees any "general" LAN-resident
|> traffic (i.e., other than the traffic that's mapped to/from the server)
|> and the WAN2/WAN3 ports only see/allow traffic that's mapped onto the
|> LAN-resident server
|>
|> - I split our DNS services for private/public address access so NAT
|> reflection is not an issue (being a development shop, we have multiple
|> internal-only servers as well)
|>
|> - we have a second basic LAN/WAN-only pfSense at another office with an
|> IPSec tunnel running and we have PPTP configured
|>
|> What's Been Done
|> ================
|> What I've done is simply added address aliases on the otherwise
|> 172.16.1.1 LAN port via
|> ifconfig sk0 alias 172.16.2.1/24
|> ifconfig sk0 alias 172.16.3.1/24
|> (the Web interface then reports it as the last-added alias)
|>
|> The only rules are:
|>
|> - Port Forward: for each of WAN/WAN2/WAN3, allow incoming HTTP/HTTPS ...
|> e.g.:
|> allow TCP to port 80 on WAN2/4.4.16.4/domain2.com into 172.16.2.50 port 80
|>
|> - Firewall Rules: for each of WAN/WAN2/WAN3, allow inbound HTTP/HTTPS ...
|> e.g.:
|> allow TCP from any IP on any port in via
|> gateway/WAN2/4.4.16.4/domain2.com to 172.16.2.50 port 80
|>
|> - Firewall Rules: for each of the LAN subnets, allow all out via the
|> mapped WAN/gateway ... e.g.:
|> allow any protocol from 172.16.2.0/24 on any port to any destination out
|> on any port via gateway/WAN2/4.4.16.4/domain2.com (this could be more
|> restrictive for WAN2 & WAN3)
|>
|> This all seems to work quite well but I need to automate the aliasing, if
|> that's the end solution.
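One way to make the aliasing step safe to run from a startup hook, as an added example that is not code from this thread or from pfSense: it reads the live ifconfig output and only issues the alias commands that are still missing, so re-running it never fails on an address that already exists. Assumptions: the interface name sk0 and the two aliases from the post, and the `ifconfig <if> alias <addr>/<prefix>` form the post uses.

```sh
#!/bin/sh
# Added example, not from the thread: idempotent LAN alias setup for a
# FreeBSD startup hook. Assumes the interface (sk0) and aliases from the post.
IFACE="sk0"
WANTED_ALIASES="172.16.2.1/24
172.16.3.1/24"

# Read `ifconfig <iface>` output on stdin and print, for each wanted alias
# whose address is not already present, the ifconfig command that adds it.
# An alias that is present with a different netmask counts as present.
plan_alias_commands() {
  current=$(awk '$1 == "inet" { print $2 }')
  for a in $WANTED_ALIASES; do
    addr=${a%/*}
    found=0
    for c in $current; do
      [ "$c" = "$addr" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "ifconfig $IFACE alias $a"
    fi
  done
  return 0
}

# Apply the plan against the live interface; returns non-zero on the first
# failing command so the startup log shows which alias did not come up.
apply_aliases() {
  ifconfig "$IFACE" | plan_alias_commands | while read -r cmd; do
    echo "+ $cmd"
    $cmd || exit 1
  done
}

# Only touch the interface when invoked as "apply"; running the file with
# no argument is a no-op so the planning function can be exercised offline.
if [ "${1:-}" = "apply" ]; then
  apply_aliases
fi
```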