
George S
@comcastbusiness.net
Anon

[Business] SMC8014 Setting up IPs in pFSense

I just had Comcast Business Class w/ 5 IP block installed.

I'm trying to configure the IPs to route through pfSense

1. I've assigned pfSense to a static IP out of the 5 block I was assigned.
2. I've set up virtual IPs for the other 4
3. I've set up port forwarding for one of the IPs to my terminal server.

I try to connect via rdp to the terminal server using the public IP and no joy.

My question is this...

Is there a tutorial or something for setting up Comcast with pfSense for NATting to internal servers?

I'm relatively new to pfSense so I just need a good starting point and my google foo isn't turning up anything.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

(coax cable)
8014 in "true static mode"
(ethernet cable)
pfSense box eth0
pfSense box eth1
(ethernet cable)
switch
(your local network)

The pfSense box is going to be your router, so on the WAN side (what I call eth0 above) it should have the entire block assigned. Then, on the LAN side (eth1 above, your local LAN GW), you'd 1:1 NAT a static public IP to a static private IP (or port forward, or however else you want to set up your network) - so in your example, let's say your LAN is 10.0.0.x, and you statically assign .10 thru .13 to your VMs. In pfSense you'd map each private IP to a public static IP.

Otherwise, the only thing you'll be able to "see" from outside is the one static IP you assigned to pfSense.

Note that INSIDE your LAN, you can't loop back (usually), so referring to your static IPs isn't going to work from inside, unless pfSense does the loopback correctly, which most routers don't.

I use Linux for routing; it should be more or less the same, but if someone with actual pfSense experience wants to chime in...

pflog
Bueller? Bueller?
MVM
join:2001-09-01
El Dorado Hills, CA

to George S
So let me see if I understand your setup and what you want to accomplish. Please correct me if I'm wrong, but your network looks something like this, right? I'm using a.b.c.184/29 as an example IP block for the 5-static setup (/29, 5 usable addresses) and 10.0.0.1/24 for the LAN. Just replace those with whatever your /29 block is and whatever LAN RFC1918 addresses you want to use.

        SMC(WAN iface=a.b.c.190)
         |
(external NIC=a.b.c.185, aliases for a.b.c.186-a.b.c.189)
         |
     pf_sense
         |
(internal NIC=10.0.0.1)
         |
   switch_or_wap
   |           |
 (nat)         other clients...
   |
   |
  windows(NIC=10.0.0.100)
 

And what you're doing is trying to connect to the windows box @ 10.0.0.100 on your LAN via one of the public IPs (a.b.c.185 - a.b.c.189) via port 3389?

What you need to do is the following:

1. Set the SMC into "true static" mode in which you disable all NAT, DHCP, firewalling, etc. This is important so that you aren't doing double NAT and don't have to fiddle with the SMC to forward ports or unblock firewalled ports.
2. Set the pfsense box's default gateway to a.b.c.190 and assign a.b.c.185 to the external NIC on the pfsense box
3. Set the pfsense box's internal NIC to some RFC1918 address/subnet (e.g. 10.0.0.1)
4. Run DHCPD on the pfsense box's internal NIC for the LAN subnet you choose, or use statically assigned LAN IPs for all your device(s) if you so choose. You can set dhcpd to hand out the same IP each time by MAC address, which is what I do. So my IPs are obtained via DHCP, but are always the same IP.
5. Set up pfsense to forward port 3389 from a.b.c.185 to the LAN at 10.0.0.100 (or whatever IP you get from DHCPd or assign statically to the windows box, either manually or via DHCP)
6. Ensure port 3389 is allowed on pfsense inbound for a.b.c.185.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

sounds right

I'm worried about his step (1) in his OP. You have what I said, that all 5 IPs are associated with the WAN interface, one assigned, 4 as aliases. I'm thinking he's only got 1 static assigned on the WAN side and then tried to put the rest of the static on the local lan side, which isn't going to work.

Or not. Not clear on what he means by virtual IPs. Anyway, the mapping from external static to internal nat ip is the bit that makes the magic happen.
bman212121
Member
join:2005-06-09

In PFSense you can assign a Virtual IP to an adapter so the box can have multiple IPs on the same network card.

There are two ways I believe you can configure it in PFSense. Use it in transparent mode to route the IPs much like the SMC does, or you can probably assign all 5 to the Wan interface and then use NAT to port forward.

JohnInSJ
Premium Member
join:2003-09-22
Aptos, CA

said by bman212121:

In PFSense you can assign a Virtual IP to an adapter so the box can have multiple IPs on the same network card.

There are two ways I believe you can configure it in PFSense. Use it in transparent mode to route the IPs much like the SMC does, or you can probably assign all 5 to the Wan interface and then use NAT to port forward.

Ok, same as linux (pfsense is bsd-based, no?) - I've got all 5 statics assigned to my outward facing ethernet card (connected to the SMC) and then use iptables for routing/firewall/nat/whatnot
bman212121
Member
join:2005-06-09

Yes exactly. PFSense uses Ipfilter as the backend. If I understood it correctly iptables is the front end for netfilter, which is the part that filters traffic. So IPfilter = netfilter in linux and PFsense provides the same function as iptables. (And other functionality)

@ George: Here is a good page on how to setup PFsense:

»www.digitalphotomac.com/ ··· rtualIP/

Set the other 4 IPs as proxy arp in the virtual IP list. Then use NAT to map those to internal IP addresses. I don't think you want to use 1:1 NAT if you just need to port forward web traffic or a couple of things like that as 1:1 NAT should forward all ports.
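As an added example (not code from this thread, from pfSense, or from Comcast), here is a Python sketch that covers pflog's six-step plan above and bman's point about 1:1 NAT versus port forwards: it splits a /29 in true-static mode into the pfSense WAN address plus four VIPs, checks that every forwarding rule uses an address pfSense actually owns and a target that is on the LAN, and shows what each kind of rule opens inbound. The block 203.0.113.184/29 (a documentation prefix), gateway .190, LAN 10.0.0.0/24 and the two LAN hosts are constructed values standing in for the thread's a.b.c.184/29 example; the rule dictionaries are a model for illustration, not pfSense's own config format.

```python
import ipaddress

# Constructed values standing in for the thread's a.b.c.184/29 example:
# 203.0.113.0/24 is a documentation prefix, not a real Comcast block.
STATIC_BLOCK = ipaddress.ip_network("203.0.113.184/29")
SMC_GATEWAY = ipaddress.ip_address("203.0.113.190")   # SMC WAN side, default gateway for pfSense
LAN = ipaddress.ip_network("10.0.0.0/24")             # RFC1918 subnet behind pfSense
TERMINAL_SERVER = ipaddress.ip_address("10.0.0.100")  # RDP target on the LAN
FILE_SERVER = ipaddress.ip_address("10.0.0.101")      # second host, used to show 1:1 NAT


def plan_static_block(block, gateway):
    """Split a /29 in true-static mode into (pfSense WAN IP, list of VIPs).

    Of the 8 addresses, network and broadcast are unusable and the SMC holds
    the gateway, leaving 5 for the customer: the first goes on the physical
    WAN interface, the other four become Virtual IPs on that same interface.
    """
    usable = list(block.hosts())
    if gateway not in usable:
        raise ValueError(f"gateway {gateway} is not a usable host in {block}")
    customer = [h for h in usable if h != gateway]
    if len(customer) != 5:
        raise ValueError(f"expected 5 customer addresses in a /29, got {len(customer)}")
    return customer[0], customer[1:]


def port_forward(public, proto, port, target):
    """One port forward: a single (proto, port) on a public IP sent to a LAN host."""
    return {"kind": "portfwd", "public": public, "proto": proto, "port": port, "target": target}


def one_to_one(public, target):
    """A 1:1 NAT mapping: every port of the public IP is handed to the LAN host."""
    return {"kind": "1:1", "public": public, "target": target}


def validate_rules(rules, wan_ip, vips, lan):
    """List problems: rules on addresses pfSense does not own, or targets off the LAN."""
    owned = {wan_ip, *vips}
    problems = []
    for rule in rules:
        if rule["public"] not in owned:
            problems.append(f"{rule['public']} is neither the WAN IP nor a VIP")
        if rule["target"] not in lan:
            problems.append(f"{rule['target']} is not inside LAN {lan}")
    return problems


def exposure(rules):
    """Map each public IP to the inbound surface the rules open for it.

    A port forward opens only the listed (proto, port) pairs; a 1:1 mapping
    opens every port, which is why the thread advises against 1:1 when only
    a service or two needs to be reachable.
    """
    surface = {}
    for rule in rules:
        key = str(rule["public"])
        if rule["kind"] == "1:1":
            surface[key] = "all ports"
        elif surface.get(key) != "all ports":
            surface.setdefault(key, set()).add((rule["proto"], rule["port"]))
    return surface


def example_plan():
    """Build the thread's scenario: RDP forwarded on the WAN IP, a 1:1 map on the first VIP."""
    wan_ip, vips = plan_static_block(STATIC_BLOCK, SMC_GATEWAY)
    rules = [
        port_forward(wan_ip, "tcp", 3389, TERMINAL_SERVER),
        one_to_one(vips[0], FILE_SERVER),
    ]
    return wan_ip, vips, rules, validate_rules(rules, wan_ip, vips, LAN), exposure(rules)


if __name__ == "__main__":
    wan_ip, vips, rules, problems, surface = example_plan()
    print("pfSense WAN:", wan_ip, "gateway:", SMC_GATEWAY)
    print("VIPs on WAN:", ", ".join(map(str, vips)))
    print("problems:", problems or "none")
    for public, opened in surface.items():
        print(f"{public}: {opened}")
```

Running it prints .185 as the WAN address with .186-.189 as VIPs, reports the RDP forward as the only thing open on .185, and reports "all ports" on .186 because of the 1:1 mapping; a rule that names the SMC gateway as its public address, or a target outside 10.0.0.0/24, shows up in the problems list instead of silently doing nothing.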

JigglyWiggly
Member
join:2009-07-12
Pleasanton, CA

tc, if you need help, post in the pfsense forums ...

I have no issue with port forwards and internal routing with pfsense, and I have a tri modem configuration, so I am not using virtual ips though.

JDCynical
Always Mount A Scratch Monkey
join:2002-01-09
Beaverton, OR

Member

to George S
said by George S :

I just had Comcast Business Class w/ 5 IP block installed.

I'm trying to configure the IPs to route through pfSense

1. I've assigned pfSense to a static IP out of the 5 block I was assigned.
2. I've set up virtual IPs for the other 4
3. I've set up port forwarding for one of the IPs to my terminal server.

I try to connect via rdp to the terminal server using the public IP and no joy.

My question is this...

Is there a tutorial or something for setting up Comcast with pfSense for NATting to internal servers?

I'm relatively new to pfSense so I just need a good starting point and my google foo isn't turning up anything.

I have this exact setup.

My connections are like this:
SMC 8014 -> WAN interface on the PFSense machine -> internal networks

Turn off all the extra router stuff the SMC offers:

  • Disable Firewall for True Static IP Subnet Only
  • Disable Gateway Smart Packet Detection
  • Disable all Port Forwarding rules
  • Disable all Port Triggering rules
  • Disable all Port Blocking rules
  • Disable all rules and allow all inbound traffic through
  • Disable web site blocking
  • Disable DMZ host
  • Disable all 1-to-1 network address translation

Pick one of your static addresses and assign it to the physical WAN interface

In the PFSense UI:
Firewall -> Virtual IPs -> Virtual IPs tab
Click the 'add IP' button
In that page, I have the following set up:
Type: CARP (Proxy ARP will also work and doesn't need as many configuration settings)
Interface: WAN
IP Address(es): Type- Single address, Address- one of your public IPs
Description: Whatever you want

Save and powercycle the SMC, you are done. From there, it's all about the port forwarding and firewall configs.

See »doc.pfsense.org/index.ph ··· esses%3F for a description of the differences between CARP, Proxy ARP and 'other' in the VIP page. I'm using CARP as I plan on setting up a failover config when I'm able to get a spare box.