PFSENSE - VIRTUAL IP

Setting up virtual IPs in PFSense for internal servers



  • Aim: setting up virtual IPs as an alternative to bridging to the WAN, to provide better server security.
  • Environment tested: PFSense 1.2
©2009 Christian Dupuis

For the longest time, I have been using Monowall to serve my firewall/routing needs. When I moved to my current provider and a range of fixed IP addresses, I upgraded to PFSense, which is based on Monowall but provides added functionalities and better performance graphing. Here's how the resources are running on my network:

[Image: Network2009, network diagram]

I have been successfully running this NAT setup using virtual IPs for a long time, so I'll share how I got mine working. My thanks go to Eddy Howard at Micro Quantum, who provided me with a lot of help when I was racking my brains as to how PFSense was handling some of these tasks.

Requirements:

A working PFSense server, a DSL connection supporting/providing a range of IPs, internal server(s) with multiple IP addresses.


THE ACTUAL RECIPE


STEP 1

You'll need to define your Virtual IPs, which actually are your WAN's external IP addresses. Open a browser session to your PFSense system's IP address, log in and select the Firewall - Virtual IPs submenu. You will be presented with the following screen:

[Image: VirtualIPedit, the Virtual IP edit screen]

Select Proxy ARP for the type, WAN for the interface and Single address for the Type field, then enter the external IP address in the Address field (selecting Single address in Type automatically assigns a subnet mask of /32, a single host). Leave the Virtual IP password field blank, and make no modifications to the VHID Group or Advertising Frequency fields. I suggest you put something in the description that will help you remember what the virtual IP is for; in my setup, I've put down "Virtual IP to server name xxxxx" so I keep track of what's what.

Repeat this process for each of your external addresses (I did it for each of the 16 fixed IP addresses I have been allotted by my ISP). You'll need to click the Apply Changes button to save the modifications to your PFSense system.

STEP 2

Now that you've created your virtual IPs, you'll need to create NAT rules so that those external IPs correctly NAT to your internal systems. Select the Firewall - NAT submenu and click the plus sign at the bottom of the rules list to add a new rule. You'll see the following screen:

[Image: VirtualToNAT, the NAT rule edit screen]

Select WAN in the Interface drop-down menu. In the External address field, select one of the virtual IPs you created in step 1, then select which protocol you wish to NAT (TCP, UDP, TCP/UDP, etc.) and the external port range (there is an extensive set of presets; select "other" if you want to NAT something different, like a custom web port or an unlisted gaming server).

In the NAT IP field, enter the internal address of the server you want to route/NAT the traffic to, then in the Local port field specify which application port you are sending the traffic to (selecting a preset in the WAN section usually assigns the same preset to the LAN/NAT IP section, but you can override this manually if you'd like, or should your application require it). Enter a description so you know what the rule is for, make sure the "Auto-add a firewall rule to permit traffic" box is checked, then save. Remember to apply changes to make them active.
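Before clicking through sixteen virtual IPs and their NAT rules, it helps to sanity-check the plan, because every forward with "Auto-add a firewall rule" checked opens that port on the WAN. The following is an added example, not from this page or from the PFSense project, that models steps 1 and 2 with constructed sample addresses (the /28 block, LAN subnet, server IPs and the `Forward` class are my own assumptions) and flags the mistakes that bite in practice: a forward pointing at an undefined VIP, a NAT target off the LAN, or two forwards claiming the same external port.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing: a /28 (16 public IPs) allotted by the ISP, one LAN subnet.
WAN_BLOCK = ipaddress.ip_network("198.51.100.0/28")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")

@dataclass(frozen=True)
class Forward:          # one Firewall - NAT entry with "Auto-add a firewall rule" checked
    external: str       # a Proxy ARP VIP from step 1 (single address, /32, on WAN)
    proto: str          # "tcp", "udp" or "tcp/udp"
    ext_port: int
    nat_ip: str         # internal server
    local_port: int
    descr: str

def protocols(proto):
    return {"tcp", "udp"} if proto == "tcp/udp" else {proto}

def validate(vips, forwards):
    """vips: {address: description}. Returns a list of problems; empty means consistent."""
    problems, claimed = [], set()
    for address in vips:
        if ipaddress.ip_address(address) not in WAN_BLOCK:
            problems.append(f"VIP {address} is outside the ISP block {WAN_BLOCK}")
    for f in forwards:
        if f.external not in vips:
            problems.append(f"{f.descr}: external {f.external} is not a defined VIP")
        if ipaddress.ip_address(f.nat_ip) not in LAN_NET:
            problems.append(f"{f.descr}: NAT IP {f.nat_ip} is not on the LAN")
        for p in protocols(f.proto):
            key = (f.external, p, f.ext_port)
            if key in claimed:  # two forwards for the same external socket: only one can win
                problems.append(f"{f.descr}: {p}/{f.ext_port} on {f.external} already forwarded")
            claimed.add(key)
    return problems

def exposure(forwards):
    """What each VIP exposes to the Internet through the auto-added WAN pass rules."""
    inv = {}
    for f in forwards:
        for p in protocols(f.proto):
            inv.setdefault(f.external, set()).add((p, f.ext_port))
    return inv

SAMPLE_VIPS = {"198.51.100.2": "Virtual IP to server www", "198.51.100.3": "Virtual IP to server mail"}
SAMPLE_FORWARDS = [
    Forward("198.51.100.2", "tcp", 80, "192.168.1.10", 80, "www http"),
    Forward("198.51.100.2", "tcp", 443, "192.168.1.10", 443, "www https"),
    Forward("198.51.100.3", "tcp/udp", 53, "192.168.1.20", 53, "mail dns"),
]
```

Run `validate(SAMPLE_VIPS, SAMPLE_FORWARDS)` before entering the rules; `exposure(SAMPLE_FORWARDS)` gives you the per-VIP inventory of open ports to keep next to your descriptions.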

MAKING IT ALL WORK AND TESTING IT

From a regular dial-up modem connection (or, if you have a friendly neighbour who lets you share his wireless connection; please get permission for this, as it's actually considered a felony in certain parts of the world to get a free ride on someone else's internet connection without consent), launch a web browser and go to the external IP address of the system you've just "natted". You should successfully connect to the site.

Assuming Apache (or, heaven forbid, IIS) is running on it and you've posted some content, you should get the default web page.

Comment:

All that's left is making sure DNS resolves your site's address. I heartily recommend using DynDNS as a DNS service; it's really easy to add entries as your environment grows, and it isn't all that expensive per year.