Public IP Usage – Using a Public IP for Select Hosts in a LAN

iplansubnet

I have a small company and we just started out. Given our size, we really can't get a dedicated network guy for now. Recently, we moved to a lease line of our own for reliability. This is the information I was provided with (the addresses mentioned here are just examples, obviously):

IP Address WAN: 35.34.33.70
SUBNET MASK   : 255.255.255.252
GATEWAY       : 35.34.33.69

LAN POOL IP   : 35.34.33.88/ 29
START IP      : 35.34.33.90
END IP        : 35.34.33.94
BROADCAST IP  : 35.34.33.95
SUBNET MASK : 255.255.255.248
GATEWAY :106.51.238.89

I setup my router, to basically have a NAT, which assigns all devices that connect to the router to get a 192.168.1.X IP address. The router's IP is set to the IP Address WAN given above and the gateway/subnet mask that was provided for the WAN. Everything is fine, and all devices have internet connectivity and local networking is working just fine. This is how my setup looks like:

+-------------+     +--------+     +---------+
| Set-top box | --- | Router | --- | Devices |
+-------------+     +--------+     +---------+
                        |          +---------+
                        +--------- | Devices |
                                   +---------+

The set-top box has only 1 ethernet cable. I have a couple of questions:

Are the 'LAN pool ips' publically accessible (it looks to me that they are).
Can I give one of the devices connected to my router one of these public ips? One of the device uses 192.168.1.187 and we use it from external networks by setting up port-forwarding on the router.
What is the exact distinction between the LAN POOL and the WAN. I am not sure I entirely understand this distinction. The last part of the IP in WAN is '70', in gateway is '69', and in the pool, the IPs are from 90-94 with 95 as broadcast. The remaining part is exactly the same for all the IP addresses. What is the significance of this?

Sorry about the long post, and thank you for helping me out!

Best Answer

Answers to your questions:

Yes, they are public IPs
Yes, you create a static translation between 192.168.1.187 and one of your pool addresses. The details depend on the specific hardware you have.
The IP address WAN and gateway are the network that connects you to your provider. The WAN pool is a network of IP addresses that you can use for your devices. They are two separate networks. Although it usually doesn't matter, you would normally translate your internal addresses to one of the WAN pool addresses.

Related Solutions

How to Bypass NAT for LAN to Use Public IP Addresses

I am not sure if this is recommended but yes you can achieve it.

The reason you needed NAT there as you cant assign same subnet's IP on R2's access facing LAN interface, if you could , then you could use the same subnet , right?

192.168.1.1/24 .2/24
R1(PE -ISP) ------> R2 (CE) -----> R3 (access- internal)

So, you can achieve it by BVI, config is as below, its simple

bridge irb
bridge 1 protocol vlan-bridge
bridge 1 route ip



interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 bridge-group 1


interface BVI1
 ip address 192.168.1.2 255.255.255.0

you can change the IP address and interface as per your scenario.

Let me know if any question/issue or how it goes. Sorry, if i misunderstood your question.

Regards, Lalit

pfSense – Assign Public IP of /29 Block Directly to a Connected Device

I found my answer in the pfSense The Definitive Guide Version 2.1.

Small WAN IP subnet with larger LAN IP subnet

Some ISPs will give you a small IP subnet as the "WAN side" assignment, and route a larger "inside" subnet to your end of the WAN subnet. Commonly this is a /30 on the WAN side, and a /29 or larger for use inside the firewall. The provider's router is assigned one end of the /30, typically the lowest IP, and your firewall is assigned the higher IP. The provider then routes the LAN subnet to your WAN IP. You can use those additional IPs on a routed interface with public IPs directly assigned to hosts, or with NAT using Other VIPs, or a combination of the two. Since the IPs are routed to you, ARP is not needed, and you don't need any VIP entries for use with 1:1 NAT. Because pfSense is the gateway on the OPT1 segment, routing from OPT1 hosts to LAN is much easier than in the bridged scenario required when using a single public IP block. Figure 10.25, “Multiple public IPs in use — two IP blocks” shows an example that combines a routed IP block and NAT. Routing public IPs is covered in the section called “Routing Public IPs”, and NAT in Chapter 11, Network Address Translation.

So I made a spare interface OPT1 and assigned it one of the public IP addresses. Hung a small five port switch off OPT1 and plugged in my servers to it. The servers were then assigned a public IP address with the gateway set as the IP of OPT1. With this, I had to sacrifice one of my public IPs but I was able to directly assign a public IPs to servers on OPT1. At the same time, I was able to continue to use the rest of the spare public IPs as I did before with 1:1 NATs through to servers sat on the private LAN.

The rest of the setup was just setting up firewall rules to allow OPT1 <--> WAN.

UPDATE: Another step that is needed, is that any automatic outbound NAT rules need to be deleted for your public IP block. If they are not deleted the outbound NAT rules will make the public IP's go out as your WAN public IP rather than their own IP.

As noted in the manual here: https://docs.netgate.com/pfsense/en/latest/interfaces/using-public-ip-addresses-on-an-interface.html

Best Answer

Related Solutions

How to Bypass NAT for LAN to Use Public IP Addresses

pfSense – Assign Public IP of /29 Block Directly to a Connected Device

Related Topic