On Mon, Mar 30, 2009 at 3:08 PM, Kipton Moravec <[email protected]> wrote:
We have two public /29's, one is used for our services (webserver and such) and another is used to selectively expose internal machines on public IPs for interop testing with remote vendors (we're a software development firm).

> Forgive me if this is a stupid question, as I am new to this, but I have
> a DSL line with 5 static IP addresses. I want to use one WAN port to
> filter all 5 IP Addresses. I can not figure out how to set up the WAN
> port to accept address XXX.XXX.XXX.109 - XXX.XXX.XXX.113.
>
> Right now I only have use for three of the static addresses. I have two
> computers that need to be seen at a static address for their function,
> and I want the router to shut off all ports that are not necessary for
> their operation. The third is a more typical NAT translation that it
> appears PF Sense was made for.

Does it matter if the two systems that need public IPs have (1:1/Server) NAT in front of them? I assume by "typical NAT translation" you mean individual ports?

This is how we have our DMZ set up:

* Public IP block: x.x.x.64/29
* DSL Router is configured with IP x.x.x.65/29
* pfSense is x.x.x.69
* pfSense has ProxyARP VIPs set up on x.x.x.66-68
* Server NAT to push x.x.x.66-68 through to the appropriate server in the DMZ.

We do things a bit differently for our other public IP block (x.x.x.216/29); its purpose in life is to allow us to temporarily expose internal systems on public IPs for interop testing with remote vendors (we're a small software development firm).

* pfSense LAN interface has an alias assigned to it in the public block (x.x.x.217)
* firewall rules are created to allow appropriate access from x.x.x.216/29 to WAN
* firewall rules are created to allow appropriate access from WAN to x.x.x.216/29
* clients are configured with an IP from the block and a default gateway of x.x.x.217

Assigning the alias to the LAN interface is a hack; it's not supported through the WebGUI. Details are in here: <http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf>

Morgan

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
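The /29 layout Morgan describes (upstream router on one address, pfSense on another, ProxyARP VIPs on the rest, each VIP pushed through to one DMZ host) is easy to get subtly wrong: a VIP on the network or broadcast address, an address that collides with the router, or an internal host accidentally numbered out of the public block. The script below is an added example written for this reply, not code from the post or from pfSense, that checks such a plan with Python's `ipaddress` module. It uses the RFC 5737 documentation range 203.0.113.0/24 in place of the post's `x.x.x.*` placeholders, and the 10.0.0.x DMZ servers are constructed values. The second helper answers the kind of question in the quoted message: given a range of static addresses from an ISP, it finds the smallest CIDR block that actually covers all of them, which need not be a /29.

```python
"""Sanity-check a public-block addressing plan like the /29 DMZ described above.

Added example, not code from the mailing-list post or from pfSense.
Public addresses use the RFC 5737 documentation range 203.0.113.0/24 in
place of the x.x.x.* placeholders; the 10.0.0.x DMZ hosts are constructed.
"""
import ipaddress
from typing import Dict, List


def plan_problems(block: str, router: str, firewall: str,
                  vip_map: Dict[str, str]) -> List[str]:
    """Return a list of problems with a public-block plan (empty = consistent).

    block    -- the public block, e.g. "203.0.113.64/29"
    router   -- upstream (DSL router) address inside the block
    firewall -- pfSense WAN address inside the block
    vip_map  -- public VIP -> internal DMZ server it is NATed to (1:1 / Server NAT)
    """
    net = ipaddress.ip_network(block, strict=True)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    problems: List[str] = []
    taken: Dict[ipaddress.IPv4Address, str] = {}

    def claim(addr_str: str, role: str) -> None:
        """Record that `role` uses this public address and note any conflict."""
        addr = ipaddress.ip_address(addr_str)
        if addr not in net:
            problems.append(f"{role} {addr} is outside {net}")
        elif addr not in usable:
            problems.append(f"{role} {addr} is the network or broadcast address of {net}")
        if addr in taken:
            problems.append(f"{role} {addr} collides with {taken[addr]}")
        taken[addr] = role

    claim(router, "router")
    claim(firewall, "firewall")
    for vip, internal in vip_map.items():
        claim(vip, f"VIP for {internal}")
        # The DMZ host behind a VIP must live in private space, not in the block.
        if ipaddress.ip_address(internal) in net:
            problems.append(f"internal server {internal} must not sit inside the public block {net}")
    return problems


def smallest_covering_prefix(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest CIDR network containing every address from `first` to `last`.

    An ISP-assigned range such as .109-.113 straddles the /29 boundary at .112,
    so it cannot be expressed as one /29; this widens the prefix until it fits.
    """
    lo, hi = sorted((ipaddress.ip_address(first), ipaddress.ip_address(last)))
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


if __name__ == "__main__":
    # Morgan's DMZ layout, transposed onto the documentation range.
    dmz = plan_problems("203.0.113.64/29", "203.0.113.65", "203.0.113.69",
                        {"203.0.113.66": "10.0.0.10",
                         "203.0.113.67": "10.0.0.11",
                         "203.0.113.68": "10.0.0.12"})
    print("DMZ plan problems:", dmz or "none")
    # The quoted question's five addresses, .109 through .113.
    print("Block covering .109-.113:",
          smallest_covering_prefix("203.0.113.109", "203.0.113.113"))
```

Run it directly to see the two checks; `plan_problems` returns an empty list for the layout in the post, and `smallest_covering_prefix` shows that .109-.113 only fit inside a /27, which is the first thing to confirm with the ISP before configuring VIPs on the WAN.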
