I have a /27 pool of ip. All the IP are set as virtual IP in pfSense and I use NAT port forwarding to redirect public IP to internal network. I now have a scenario where I want to lease a server in our rack to a friend and I would like them to be able to use 1x of my public IP with no firewall rule. I want it wide open to they can then in turn spin up a pfSense VM on their xcp-ng Host.
Could anyone advice on how I can get my public static IP to the host behind pfSense? Do I need to use bridge network our routes?
Thank you all in advance
@LTS_Tom We use a High Availability cluster and when we follow the link to High Availability Configuration Example without NAT it does tell me how to set it up. I understand the diagram and all but how do i set it up?
I don’t have a write up on that.
@LTS_Tom I have been working on this and done a lot of reading and here is my latest update.
The datacenter told me that I have 1vlan where they send all my public subnet allocated to me to.
In pfSense, I have setup my HA and all that part is working.
Setup 1 (working):
I disconnected the uplink from the pfSense appliance and connected it directly to the switch. Then I connected from the swich back to the pfSense wan and this way I can now get xcp-ng vm to get all the public ip From my /27 and /29 subnet and do port forwarding for all my internal network servers.
Although this solution is working we would rather have everything behind the firewall so we can do IPS/IDS port blocking etc. Like in this diagram (not in HA but to show the idea of what I want)
Setup 2 (not working)
We connected the uplink cable back to the firewall wan and now, none of the VM are able to ping the internet
Setup 3 (not working)
We kept the uplink connected to the firewall and created a new vlan101. We then created a new interface with the first usable IP if the /29 subnet. In xcp-NG, we created a new network with vlan101 and assigned it to the VM. The VM is not able to ping the internet.
Does it matter that the gateway for both subnet are not the same is they are sent to the same vlan in my rack?
Could anyone please help me further in this issue?
@mas thank you for the link but they don’t match y requirements. I have however managed to get support.
The two options are as follows:
Ask datacenter to route all subnet to the Wan VIP. This way, you can use the public IP begin pfSense
Using proxy ARP
Create a virtual IP as proxy ARP and set the subnet you want to use. Then create a new interface and use any usable IP as gateway.
If I get time I’ll try to write a how to. Hope this helps someone