Hey all,
I can’t seem to figure this out.
Previously, I was on Comcast. They gave me a block of 5 IP addresses, I set the WAN IPv4 address to the appropriate ip with / 29. Set the IPv4 Upstream gateway to the appropriate ip. Then went into Firewall -> Virtual IPs and added each of remaining 4 IP addresses with /29 on each. I then was able to NAT requests coming in and port forward to the appropriate server in XCP-NG. That worked great.
I have moved to another ISP that gave me an IP for the WAN interface, and then 5 public IPs in a separate subnet. I believe this describes the situation https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html#small-wan-ip-subnet-with-larger-lan-ip-subnet but I’m not 100% sure. So I wall call my WAN IP 30.79.22.5 and a gateway of 30.79.22.1. I have a block of public ip addresses. We will call it 50.24.28.49/29. I just pulled those random numbers out of my hat, so I apologize if they are real and actually being used.
The new ISP suggested I “Do it the right way” and not NAT the servers. That they should be directly accessible from the internet. I’m not entirely convinced that is the “right way”. But to each his own. I’d rather port forward and let pfSense be my firewall. I am managing iptables on the linux servers though. So I’m not opposed to having them directly accessible.
I just can’t seem to figure out how to do either way with this new ISP and the block of IPs.
I have in the WAN interface my IPv4 address set to 30.79.22.5/24 and the gateway set to 30.79.22.1. Then I created another VLAN interface, called it PublicIPs (mvneta1.30) and set the static IPv4 address to 50.24.28.49/29 with gateway set to none. Next I enabled the the DHCP server for PUBLICIPS, gave it an available range of 50.24.28.54 to 50.24.28.54 and then added each of the 4 machine MAC addresses in XCP-NG to the static mappings 50.24.28.{50…53}. They each are successfully given their appropriate IP address. I have also added another VLAN and added the public machines as well as none public machines (ie: database) so all the machines have local only ip addresses as well. Added firewall rules to PUBLICIPS and the other VLAN that allow SSH.
I have added 4 virtual IP addresses:
50.24.28.50/32 on PUBLICIPS interface as an IP Alias
50.24.28.51/32 on PUBLICIPS interface as an IP Alias
50.24.28.52/32 on PUBLICIPS interface as an IP Alias
50.24.28.53/32 on PUBLICIPS interface as an IP Alias
I’ve tried adding NAT port forwarding rules such as:
Interface WAN
Protocol TCP
Source Address *
Source Ports *
Dest Address 50.24.28.50 () (from the virtual IP)
Dest Ports 22 (SSH)
NAT IP
NAT Ports 22 (SSH)
Still can’t access it. I’ve tried the NAT IP as both the internal and the public IP. No dice.
I have tried adding to the NAT 1:1 stuff like this:
Interface PUBLICIPS
External IP 50.24.28.50
Internal IP 50.24.28.50
Destination IP *
Still can’t ssh in.
The article I linked to earlier has a link to https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html but I don’t see how that works in my situation. I still tried following that guide and no dice there either.
Does anyone see what I’m blatantly doing wrong? Any guides on how to do what I’m doing either using NAT port forwards or publicly exposing the servers?
Sort of related but also not related, I have another machine in XCP-NG running a VPN. I am able to connect just fine to that remotely. I have a NAT port forward rule:
Interface WAN
Protocol UDP
Source Address *
Source Ports *
Dest Address PUBLICIPS net
Dest Ports 1194 (OpenVPN)
NAT IP
NAT Ports 1194 (OpenVPN)
Could this be swallowing up any connection that is attempted on the PUBLICIPS interface? Even though I have it limited the VPN port?
Thanks in advance to anyone who read this excessively large post…
-bfcoder