On Mon, 2009-03-30 at 15:46 +1100, Morgan Reed wrote:
> On Mon, Mar 30, 2009 at 3:08 PM, Kipton Moravec <[email protected]> wrote:
>
> We have two public /29's, one is used for our services (webserver and
> such) and another is used to selectively expose internal machines on
> public IPs for interop testing with remote vendors (we're a software
> development firm)
>
> > Forgive me if this is a stupid question, as I am new to this, but I have
> > a DSL line with 5 static IP addresses. I want to use one WAN port to
> > filter all 5 IP Addresses. I can not figure out how to set up the WAN
> > port to accept address XXX.XXX.XXX.109 - XXX.XXX.XXX.113.
> >
> > Right now I only have use for three of the static addresses. I have two
> > computers that need to be seen at a static address for their function,
> > and I want the router to shut off all ports that are not necessary for
> > their operation. The third is a more typical NAT translation that it
> > appears PF Sense was made for.
>
> Does it matter if the two systems that need public IPs have
> (1:1/Server) NAT in front of them?
Yes. But I also want to block services that they should not be supporting.

> I assume by "typical NAT translation" you mean individual ports?

I meant more the case of multiple computers that only need to get out and do not need to be accessed from the Internet. My terminology is not up to speed yet.

> This is how we have our DMZ setup
>
> * Public IP block: x.x.x.64/29
> * DSL Router is configured with IP x.x.x.65/29
> * pfSense is x.x.x.69
> * pfSense has ProxyARP VIPs set up on x.x.x.66-68
> * Server NAT to push x.x.x.66-68 through to the appropriate server in the DMZ.
>
> We do things a bit differently for our other public IP block
> (x.x.x.216/29), its purpose in life is to allow us to temporarily
> expose internal systems on public IPs for interop testing with remote
> vendors (we're a small software development firm).
>
> * pfSense LAN interface has an alias assigned to it in the public
> block (x.x.x.217)
> * firewall rules are created to allow appropriate access from
> x.x.x.216/29 to WAN
> * firewall rules are created to allow appropriate access from WAN to
> x.x.x.216/29
> * clients are configured with an IP from the block and a default
> gateway of x.x.x.217
>
> Assigning the alias to the LAN interface is a hack, it's not supported
> through the WebGUI, details are in here;
> <http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf>
>
> Morgan

O.K. I think I am missing something basic here.

If I specify the WAN interface as x.x.x.208/29, then my firewall card sees all 8 addresses, x.x.x.208 to x.x.x.215.

My pfSense firewall is x.x.x.209.

Then my firewall rules can specify what to do in the specific cases of
x.x.x.209
x.x.x.210
x.x.x.211
x.x.x.212
x.x.x.213

Is that how it works?

Kip

-- 
Kipton Moravec AE5IB .- . ..... .. -...

==============================================
Four Way Test
Is it the Truth?
Is it Fair to all concerned?
Will it build Goodwill and Better Friendships?
Will it be Beneficial to all concerned?
- Herbert J Taylor (1932)
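Added illustration, not part of the thread and not pfSense's own generated ruleset: the DMZ layout Morgan describes (a /29 on the WAN, Proxy ARP VIPs for the spare addresses, "Server NAT" port forwards into the DMZ, and everything else blocked) written out as a raw pf ruleset of the kind pfSense builds for you from the WebGUI (the generated one can be read on the box in /tmp/rules.debug). It also covers Kip's requirement that each public address only answers on the ports its server needs, since with a default-deny policy the filter decision is made per destination address and port within the block. Assumptions: the RFC 5737 documentation prefix 203.0.113.64/29 stands in for x.x.x.64/29 so the file is loadable; interface names em0/em1/em2, the DMZ and LAN subnets, the DMZ host addresses, and the allowed ports (80/443 for a web server, 25 for a mail server) are invented for the example.

```conf
# Added example, not Morgan's or pfSense's actual rules.
# 203.0.113.64/29 replaces the obfuscated x.x.x.64/29 from the thread:
#   .65 = DSL router (default gateway), .69 = pfSense WAN address,
#   .66-.68 = Proxy ARP VIPs forwarded to DMZ servers.
# Interface names, DMZ/LAN subnets, host addresses and ports are assumptions.
wan = "em0"
dmz = "em1"
lan = "em2"

wan_ip   = "203.0.113.69"
vip_web  = "203.0.113.66"
vip_mail = "203.0.113.67"
web_srv  = "10.10.10.66"
mail_srv = "10.10.10.67"
dmz_net  = "10.10.10.0/24"
lan_net  = "192.168.1.0/24"

# "Server NAT": Proxy ARP makes pfSense answer ARP for .66-.68 on the WAN
# segment; these rdr rules then rewrite the destination to the DMZ host.
# Only the listed ports are ever forwarded; nothing else on the VIP exists.
rdr on $wan proto tcp from any to $vip_web  port { 80, 443 } -> $web_srv
rdr on $wan proto tcp from any to $vip_mail port 25          -> $mail_srv

# Outbound NAT for hosts that only need to get out (Kip's third case):
# everything from LAN and DMZ leaves as the pfSense WAN address.
nat on $wan from { $lan_net, $dmz_net } to any -> $wan_ip

# Default deny. Every allow below is explicit, so a VIP port that is not
# forwarded AND passed is closed from the Internet's point of view.
block log all

# Inbound: rdr runs before filtering, so filter on the translated
# destination. Only the forwarded ports reach the servers.
pass in quick on $wan proto tcp from any to $web_srv  port { 80, 443 } flags S/SA keep state
pass in quick on $wan proto tcp from any to $mail_srv port 25          flags S/SA keep state

# Outbound from the internal networks, and the matching out rule on WAN.
pass in  quick on $lan from $lan_net to any keep state
pass in  quick on $dmz from $dmz_net to any keep state
pass out quick on $wan from any to any keep state
```

Checking the effect without touching production: `pfctl -nf /path/to/this.conf` parses the file without loading it, and once loaded `pfctl -sn` and `pfctl -sr` print the NAT and filter rules pf actually holds. The point to take from it is that the "shut off all ports that are not necessary" part is not a separate feature; it falls out of `block log all` plus the short list of `rdr` and `pass in` lines, so every port not named there is dropped on every address in the block, including the ones not yet in use.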
