How to configure access to pfSense on Xen

networking, pfsense, routing, xen

I have a new Xen installation on which I want to run virtual machines.
My hoster provided me with two separate IPs in different subnets, say x.x.x.x and y.y.y.y.

I want to set up pfSense on Xen and assign y.y.y.y to it so that it would serve as a router and DHCP server for the other virtual machines, giving them addresses in the 192.168.0.0/16 subnet. Is it possible to do so? How should I configure the network on Xen to do that?

I've set up packet forwarding in sysctl

net.ipv4.ip_forward = 1

and now pfSense can ping and traceroute resources on the internet. But obviously it is unreachable from the internet by its IP y.y.y.y.

Best Answer

To clarify, x.x.x.x and y.y.y.y are both public IPs? So you will use x.x.x.x as your public-facing IP that you can access externally, but you want to block the internet from reaching y.y.y.y?

While this is slightly off-topic here, I would suggest (if you have 2 NICs) creating a bonded channel so you have some redundancy with your 2 public IPs.

For your internal side, where you want to provide "routing" (is this a NAT gateway?) and DHCP, you should probably use a private IP. You would need them to be in the same network, and with only 2 IPs you wouldn't have anything left for your other virtual machines.

To your specific question though, the answer is yes, you can do this. When you set up pfSense, there is a config tool and it will ask you some questions about your network. If you are using the VM OVF, then the 'notes' of the VM tell you how to set it up. Regardless, just go through either the web GUI or the command-line questions. Tell it your external IP and your internal subnet (192.168.0.0/16).

That all being said, by default pfSense allows outbound NAT between your LAN and WAN.

The below will show all auto-created rules, which you can delete if you need to customize them.

Go to Firewall -> NAT -> Outbound, and enable AON / Manual Outbound NAT.

Side note: be advised that in a Xen environment, unless this has changed, you are limited to 100 Mbps on the vNICs you get. I'm not sure if this is still the case, as I swapped to ESXi because of it.

I would like to get some clarification. Is your x.x.x.x accessible from the internet? I see you mentioned that you can get out. If you can not get back in, this could be a firewall issue.

Are you able to access the internal (or external) interfaces from anywhere? By this I mean, can you bring up the GUI? Assuming that your internal network is on RFC 1918 space, ensure that the internal interface of pfSense is also on this same network. Verify by ping, and ensure that you let pfSense know this is your internal interface. You should be able to browse to it with your choice of browser.

Once you are in the GUI, you will see things similar to home routers. You can set up port forwarding and tweak the NAT settings. By default pfSense NATs your internal network out, but without any port forwarding.

I guess I am still confused about whether you have external access. If you are able to get out from your pfSense box and you can ping your internal network, then, assuming you didn't touch NAT, it should work. Can you elaborate a little more on your current configuration? You cannot use y.y.y.y as your internal interface (unless you perhaps use a sub-interface that your LAN can speak to and NAT that to y.y.y.y, but that's a little ridiculous).

LAN (192.168.1.0/24) -> pfSense Internal (192.168.1.254) -> NAT -> pfSense External (x.x.x.x) -> Internet.

Return traffic will only be allowed based on your inbound firewall rules and port forwarding.

To assist more, can you do the following:

From your pfSense, paste your ping to google.com. From your pfSense, paste a ping to one of your internal LAN machines.

Be sure to redact your public IP :)
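The posture both answers describe (outbound NAT from the LAN by default, nothing reaching the WAN side from the internet except replies to outbound connections, and inbound access only through an explicit port forward plus a matching firewall rule) looks roughly like this when written out in FreeBSD pf syntax, which is what pfSense generates from its GUI settings. This is an added illustration, not rules taken from the question or from pfSense's own generated ruleset; the interface names, the LAN subnet and the internal host address are assumptions.

```pf
# Added example in pf syntax; interface names and addresses are assumed.
wan_if  = "xn0"             # assumed WAN vNIC (pfSense names Xen netfront NICs xn0, xn1, ...)
lan_if  = "xn1"             # assumed LAN vNIC
lan_net = "192.168.1.0/24"  # LAN from the second answer's diagram
web_srv = "192.168.1.10"    # hypothetical internal host used for the port-forward example

# Automatic outbound NAT: LAN hosts leave the box with the WAN address (x.x.x.x)
nat on $wan_if from $lan_net to any -> ($wan_if)

# Port forward = a redirect plus an explicit pass rule for the translated destination.
# rdr runs before filtering, so the pass rule below must match $web_srv, not the WAN address.
rdr on $wan_if proto tcp from any to ($wan_if) port 443 -> $web_srv port 443

# Default stance on WAN: block everything inbound; only state created by
# outbound connections lets reply packets back in.
block in log on $wan_if all
pass out on $wan_if from ($wan_if) to any keep state

# pfSense's default "LAN to any" rule: internal hosts may initiate anything
pass in on $lan_if from $lan_net to any keep state

# The one hole deliberately opened on WAN, matching the rdr above
pass in on $wan_if proto tcp from any to $web_srv port 443 keep state
```

The point to check when troubleshooting "I can get out but nothing gets in" is the last two rules on WAN: with only the `block in` and the stateful `pass out`, the internet sees nothing on x.x.x.x, and every inbound service needs both its `rdr` and its own `pass in`. The second IP y.y.y.y does not appear here at all; reaching the box on it is a question of how the Xen host routes that address to the guest, not of these rules.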