Help with Netgate 7100 setup

I have seen the videos on YouTube but most situations are not similar to my use case. I just need some basic advice on the WAN/OPT1 interface setup if anyone would be so kind.

I am renting 1/4 of rack space from a co-lo company. I have about 8 servers on a Cisco 3xxx basic switch. It does not have an IP address to my knowledge. They have given me a /27 network of IPs. That means I have about 32 IPs on the internet. I want to protect all of these IPs with my Netgate 7100 appliance. The co-lo employees have not been super helpful. They mentioned something about giving me a /30 network (2 IPs) to “build a link”.

I think what I want to do is plug my internet cable from the co-lo facility into ETH1 and this is the WAN interface. The main issue I have is that I don’t know what IP address to give the WAN interface. Can I give it any of my 32 IPs from the /27 group? Or should I use one of the IPs from a separate /30 group? How do I bridge this traffic to OPT1? A floating firewall rule? I think I should connect my Cisco switch to ETH4 and make an OPT1 interface for this physical port. Again, what IP address should I put on the OPT1/ETH4 interface where the Cisco switch would plug in? I think all of my /27 network should be here on the Cisco switch.

Any help is greatly appreciated. Thanks, --jake

I think we need a diagram and more information to fully understand what you are after.

  1. They gave you a /27, but the co-lo company is only wanting to give you a /30?
  2. What are you trying to accomplish by bridging the /30 with the /27?
  3. What is the Goal?

Just taking a guess, the Cisco switch would probably be passing all your /27 IPs on 1 port so you should be able to go from the switch to pfSense WAN and you can set any IP address you like. You’ll need to know which IP address is the gateway and you’ll need to set the WAN subnet to be /27. Another assumption is the co-lo employees are trying to give you a /30 because all you will need is a public IP, gateway IP and broadcast. But if you are trying to handle the entire /27 then they need to give you the entire /27.

Hi xMAXIMUSx, thanks for your reply. I am including a diagram. I just want to protect my 32 public IP addresses with firewall rules. I have a /27 network the co-lo gave me several years ago that I have been running. Right now the physical network drop plugs into the Cisco switch. I need to insert the 7100 hardware so it protects everything.

  1. I already have the /27 network and they suggested to add a /30; I assume they meant to provide an additional IP address for the WAN interface. He just said to “build the link”.
  2. I am open to any configuration. I am just looking for an efficient working config. I assume traffic must enter on the WAN interface and then flow to the OPT1 interface.
  3. The goal is just to have a firewall for my /27 network. (The 32 public IPs I am responsible for.)

The main thing I am not understanding is what IP address I should use for the WAN interface. Can it be one of my 32 public IPs or does it need to be a separate IP coming from a /30 network? What IP address should I use for the OPT1 interface? Can it be one of my 32 IPs?

I assume the last step is to set up a rule so traffic can flow from WAN to OPT1.

thanks again, --jake

I think I get it now. Yes, you would use one of your public IPs from the /27 and one for the gateway for internet access. Once internet access is working you’ll do the following to manage all the IPs.

  1. Go to Firewall → Virtual IPs
  2. Click Add. Select IP Alias, WAN, Single Address, then type in one of your static IP addresses and subnet mask (/27 in this case).
  3. Repeat for each static IP address you have.
  4. Go to Firewall → NAT → Outbound
  5. Select “Hybrid Outbound”
  6. Click Add. Select WAN, IPv4, Protocol: Any, Source: [Input subnet here], Destination: Any.
  7. For Address, select the Virtual IP you want your source subnet to be SNATed to.
  8. Apply changes.
  9. From the machine on the subnet you just SNATed, go to Google and type “what is my IP address” in the search window. If it reports back with the Virtual IP you SNATed it to, success!

Awesome, thank you so much! I will try it this weekend. The main question I have now is how do I configure the OPT1 interface for ETH4 (where I will connect the Cisco switch). Can I leave this with no IP address? I noticed that if I choose an “IPv4 configuration” of “none” it does not ask for an IP address or gateway. Is that what I want to do here?

From the OPT interface you would set up your LAN (private IP space).

:flushed: Hmm… I don’t want any LAN space at this time. All my IPs are public. Is that not possible with Netgate? That is one of the main issues I have: the Netgate appliances seem to be built around this idea of a private home network. Maybe I need to revisit the design?

Anyways, I went in to the co-lo today and I left OPT1 without any IP address / network info. I think I was able to follow the directions you gave me correctly. Thanks for the detailed steps. I found 3 issues.

  1. When I plugged the internet cable into ETH1, the physical port is lighting up with an amber / orange LED instead of the green LED. I am not sure what this means. I tried searching Google with no luck. Ping works. SSH does not work.

  2. When I type the IP address of any of my websites in a browser I get the login page for pfSense: https://x.x.x.x I know Tom talked about changing the admin page port to avoid home networks doing this. Not sure why it’s doing this for me.

  3. SSL stuff is not working. This may be related to #2. When I type any of my domains in a browser, https://my.domain.com I get an error about “Potential DNS Rebind attack detected”. I was able to find this issue documented on the internet and I found 3 suggestions related to NAT. But I feel like issue number 2 is more important to look at first.

Thanks for any further advice you have. --jake

Ahh, now there is the missing link. In that case I think this article will explain a lot and probably why your co-lo wanted to give you a /30.

https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html

Awesome!! Yes, this sounds exactly like what I want!! I have requested the /30 address from my co-lo company. They probably won’t respond until Monday. I will give this a shot and report back. Thanks again! --jake

Just to update you. Today, I set up everything exactly like the Netgate link above describes for public IPs. I even created a LAN network for ETH2 so I could plug in my laptop. The co-lo guy says the amber light for ETH1 is ok because their network drop is 100Mbps, so this is normal. The co-lo guy provided one IP address for the /30 network and its default gateway.

The good news is that when my laptop is plugged into the LAN interface everything works. The bad news is that nothing external can access my servers. Attaching my laptop to the OPT1 network, I am able to ping the servers and load websites but I am not able to ping the default gateway. This should not require any firewall rules to ping the default gateway. I know it’s not much to go on, but wanted to update you.

I feel the issue might be related to this interfaces/switch/vlans page. I was fooling with this and I really don’t understand how this works. Can you take a look and see if you see anything out of place here? Do you know what the “members” column is referencing? I don’t believe I need any VLANs?

Tom has a really good video explaining the switch configuration on those types of pfSense models.

Here is the documentation for that also.
https://docs.netgate.com/pfsense/en/latest/solutions/xg-7100-1u/configuring-the-switch-ports.html#switch-section

Hope this helps with understanding the configuration. :slight_smile:

Thanks a lot for the links. I think I have the interfaces/switch/vlans page set up correctly now. I put only the port number and 9t,10t. I found the link to the Netgate documentation the most helpful with specific 7100 examples. Thank you.

The bad news is that my issue continues. I still don’t have external access to the /27 OPT1 network from the internet. I found under diagnostics/ARP table that it lists the default gateway for the /27 network as “(incomplete)” in the MAC address column. This is consistent with what I experienced not being able to ping the default gateway when adding my laptop to the /27 OPT1 network.

** update. Ok, I found in the documentation in the Netgate example above that the default gateway should be left “none” for the OPT1 interface. I also see that they used the first addressable IP for the OPT1 interface IP. I set mine to this as well. It did not resolve the issue.

I think my issues with OPT1 are based around the static IPs. My hosts are set up with x.x.x.225 as the default gateway. My co-lo company has informed me this goes away now. The default gateway is part of the /30 network now on the WAN interface. LAN is using DHCP and seems to be able to access the default gateway without a problem. Should I change the default gateway on my hosts (servers) to match the IP address of the OPT1 interface? This is x.x.x.228 (the first addressable address in the /27 network). If not, what do I use for a default gateway in OPT1? Any thoughts appreciated. Thanks.

Resolved! The interface IP is the default gateway for the OPT1 network. (Any network that does not have an actual default gateway, use the pfSense interface IP.) I could not find information about how to set up static IPs anywhere with Netgate/pfSense. Also, an additional rule was needed that is not listed in the original article from Netgate. We need a rule on the WAN interface with source * going to destination OPT1. Thank you for the help, xMAXIMUSx. Really appreciated it!
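The layout the thread ends up with (a /30 transit link on WAN, the /27 routed to OPT1 with its gateway left at none, hosts using the OPT1 interface IP as their gateway, and a WAN pass rule to the OPT1 subnet) expressed as a small consistency check. This is an added example, not the poster's or Netgate's configuration; the addresses are constructed documentation ranges and `wan_allows` is a simplified first-match model of pfSense WAN rule processing, not the real ruleset engine.

```python
import ipaddress

# Constructed placeholder addressing (documentation ranges, not the poster's real IPs).
WAN_LINK = ipaddress.ip_network("203.0.113.0/30")        # the co-lo's /30 "link"
WAN_IP = ipaddress.ip_address("203.0.113.2")             # pfSense WAN address
WAN_GW = ipaddress.ip_address("203.0.113.1")             # upstream default gateway
PUBLIC_NET = ipaddress.ip_network("198.51.100.224/27")   # the routed /27 on OPT1
OPT1_IP = ipaddress.ip_address("198.51.100.225")         # OPT1 interface address

# WAN rules as (action, destination) in pfSense order. The rule the thread found
# missing is the pass to the OPT1 network; unmatched traffic hits the implicit deny.
WAN_RULES_BEFORE = []
WAN_RULES_AFTER = [("pass", str(PUBLIC_NET))]


def check_addressing(wan_link, wan_ip, wan_gw, public_net, opt1_ip, opt1_gw, host_gw):
    """Return a list of layout problems; an empty list means the design is consistent."""
    problems = []
    if wan_ip not in wan_link.hosts() or wan_gw not in wan_link.hosts():
        problems.append("WAN address and upstream gateway must both be usable /30 addresses")
    if wan_ip == wan_gw:
        problems.append("WAN address and upstream gateway must differ")
    if wan_link.overlaps(public_net):
        problems.append("transit /30 must not overlap the routed /27")
    if opt1_ip not in public_net.hosts():
        problems.append("OPT1 address must be a usable address inside the routed /27")
    if opt1_gw is not None:
        problems.append("OPT1 gets no upstream gateway of its own; leave it set to none")
    # Hosts on the routed block have no other router: their gateway is OPT1's own IP.
    if host_gw != opt1_ip:
        problems.append(f"hosts must use {opt1_ip} as default gateway, not {host_gw}")
    return problems


def wan_allows(rules, dst):
    """First-match evaluation of WAN rules (source any); unmatched traffic is denied."""
    dst = ipaddress.ip_address(dst)
    for action, rule_dst in rules:
        if rule_dst == "any" or dst in ipaddress.ip_network(rule_dst):
            return action == "pass"
    return False


if __name__ == "__main__":
    print(check_addressing(WAN_LINK, WAN_IP, WAN_GW, PUBLIC_NET, OPT1_IP, None, OPT1_IP))
    print(wan_allows(WAN_RULES_BEFORE, "198.51.100.230"), wan_allows(WAN_RULES_AFTER, "198.51.100.230"))
```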