Thanks for the ideas! It's working with the exception of a traffic shaping
problem.
What I did to set this up is
1. Bridged the OPT interface with WAN, leaving all other fields blank
2. Created a rule on the tab of the OPT interface to 'pass' 'any' protocol
3. Attached the host to the OPT interface, and assigned the appropriate IP
info.
I notice that my upstream traffic is shaped (as expected) but that the
downstream traffic is not (unexpected). This presents a problem for VoIP
(although serendipitously it's the more sensitive upstream shaping that IS
working at the moment).
My first thought was "oh yeah--DUH, the shaping queues are in layer 3,
bridging happens in layer 2", but then it occurred to me that the upstream
traffic IS actually being shaped. Confused again.
The only theory I could come up with is that the upstream traffic is getting
shaped BECAUSE the host on the bridged OPT interface routes to the default
gateway IP address, and therefore those upstream packets have IP addresses
that match directives in the queues. Am I on the right track? Therefore,
thinking the shaper needed an IP address to identify the traffic to shape I
tried simply putting the public IP address (of the host connected to the
bridged optional interface) in the 'penalty box' of the shaper. You
probably already know that this didn't work. Is this the right theory
without the right execution? Do I need to tie in a 'Virtual IP' somehow?
So close! I would love a nudge in the right direction.
Thanks!
If this can be made to work it will eliminate the need to buy 4 Juniper
routers!
-Karl
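The symptom above (upstream shaped, downstream not) matches how pf/ALTQ works underneath the pfSense GUI: a queue only takes effect on packets *leaving* the interface that has `altq` defined on it, so downstream packets that exit toward the bridged host through OPT are unshaped unless OPT has its own queues. The following pf.conf fragment is an added example, not the thread's or pfSense's own generated rules; interface names, bandwidths and the host address (documentation range) are assumed placeholders.

```pf
# Assumed interface names and a placeholder public IP for the bridged host
wan_if   = "fxp0"
opt1_if  = "fxp2"
voip_host = "203.0.113.10"

# Upstream: queues on WAN shape traffic leaving toward the ISP
altq on $wan_if cbq bandwidth 1Mb queue { qVoipUp, qDefUp }
queue qVoipUp bandwidth 40% priority 7 cbq(borrow)
queue qDefUp  bandwidth 60% cbq(default borrow)

# Downstream: queues on OPT1 shape traffic leaving toward the bridged host;
# without this block, inbound traffic to the host is never queued
altq on $opt1_if cbq bandwidth 10Mb queue { qVoipDown, qDefDown }
queue qVoipDown bandwidth 40% priority 7 cbq(borrow)
queue qDefDown  bandwidth 60% cbq(default borrow)

# Queue assignment happens where the packet enters (and is kept by the state);
# it is honoured on the interface the packet leaves. pf uses last-match, so the
# general rules come first and the more specific RTP rules override them.
pass in on $opt1_if from $voip_host queue qDefUp
pass in on $wan_if  to   $voip_host queue qDefDown
pass in on $opt1_if proto udp from $voip_host port 10000:20000 queue qVoipUp
pass in on $wan_if  proto udp to   $voip_host port 10000:20000 queue qVoipDown
```

With both `altq` blocks loaded, `pfctl -vsq` shows per-queue packet counters on each interface, which is a quick way to confirm whether downstream packets are actually landing in qVoipDown or bypassing the shaper.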
----- Original Message -----
From: "Chris Buechler" <[email protected]>
To: <[email protected]>
Sent: Thursday, December 31, 2009 1:19 PM
Subject: Re: [pfSense Support] 1:1 NAT - bind actual external IP to an
optional interface?
On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife <[email protected]> wrote:
Like many, I use 1:1 NAT to give one of my public IP addresses to an
internal
host. This works great for certain applications where the host (such as
Asterisk) is 'smart' and can be made aware of the fact that the IP address
bound to its own network interface differs from the one the outside world
sees and should direct traffic to. In the case of Asterisk which must know
its external IP to properly write SDP headers, Asterisk will look to
the configured external IP address instead of the one it actually sees
bound
to its own NIC. No problems!
The problem arises when you've got a 'dumber' host that needs to function
EXACTLY like it has an actual external IP address, but where the traffic
needs to flow through pfSense (for shaping, policies, IDS/IPS). I
sometimes
also wish that certain hosts with external addresses NOT have an internal
address in the event that they become compromised/rooted etc.
Naturally it would be ideal to bind the external IP address directly to an
optional interface. My understanding (possibly wrong) is that this was not
possible (at least) with embedded 1.2-release. Has anything changed in the
1.2.1 or .2 or .3 release that would make this possible?
That's always been possible. Exactly how depends on how many public
IPs you have. Nathan's suggestion will work where you want it on your
LAN, though that violates the "NOT have an internal address" noted
above. You can either add a public IP subnet on an OPT interface, or
bridge OPT to WAN.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org