OPNsense Forum

English Forums => General Discussion => Topic started by: fbeye on March 16, 2025, 04:34:45 AM

Title: Need some Configuration advice
Post by: fbeye on March 16, 2025, 04:34:45 AM
Hello!
So I wanted to run this by some people and see what your advice is.

What I have is 6 static WAN IPs.
What I have configured is 6 VLANs w/ 6 DHCP servers and 6 interfaces in switch mode, each associated to its respective VLAN.
Each interface is running a DHCP server for its respective VLAN.
I have NAT and ACL's doing all what I need.
My question is, is this practical?

Should I have 1 Network and just NAT whatever WAN IP to whatever LAN IP would utilize it?
Should I have 1 Interface TRUNK 6 vlans to a Switch?

I just don't know how to do this practically. Would in theory each interface be ROUTED mode and have a switch at the end and run its own DHCP Servers?

Yeah, it's a lot for a home user, but a lot of it is to experiment with. I have 6 switches to play with so wanted to kinda have fun. But I'm also kinda stuck between VLAN SVI interfaces or routed interfaces, and then 6 separate networks or 1 network using WAN-to-LAN IP on a need basis.
Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 16, 2025, 10:40:02 AM
What do you want to do with these 6 IP addresses? Do you have 6 different public services with overlapping ports? You can use inbound NAT port forwarding to direct e.g. 80 and 443 for each IP address to 6 different internal servers.

Now if you need only a single network for all of these or 6 different VLANs depends on the question if these servers trust each other. If they are all managed by you, I'd say a single network is probably enough.

6 different customers in a hosting environment - 6 different VLANs.
Title: Re: Need some Configuration advice
Post by: dseven on March 16, 2025, 11:20:12 AM
This seems a bit like a solution looking for a problem. Just because you have 6 usable public IP addresses doesn't mean you must use all of them. I'd suggest focusing on getting your day-to-day internet access working using one public address, and keep the others in your pocket for other uses as they arise. Certainly experiment with them as you wish, but it seems rather pointless to configure all 6 the same way - what would you learn by doing that?
Title: Re: Need some Configuration advice
Post by: fbeye on March 16, 2025, 06:15:41 PM
Morning

I know, a lot of it is unnecessary. Really it only is like this because I've had the block of 8 static IPs for 20 years and my ISP does not sell static IPv4 IPs anymore, not even sure many places do either, so I don't wanna cancel them. I do have 4 domains registered to 4 of the 6 IPs and I do use those for email servers (each one on a VM) and a web server etc., so the different WAN IPs are legit.
I just was having fun by making a vlan for each WAN to LAN (Network), no reason.
I was just sitting one day thinking, is this practical or better yet, is this the legitimate way this would be done. Would there be a vlan for each WAN/LAN or would it be 1 LAN and NAT to whichever WAN/LAN ip needed specific association.

As far as can these networks be trusted together? I mean, yeah, they are all at home. Why not.
But then there is "well, it is an email server, would I want any of my friends with accounts to have some sort of access to my other servers?" So then I made different networks. It just got bigger and bigger.

Everything works, I'm just wanting to streamline more. And a lot of it is theory. Just wanting to know how it would be done in a legitimate network model.

Would 1 device (be it OPNsense or a Cisco firewall) host all the VLANs and DHCP and NAT and ACLs onboard, or would each network be on its own switches and the firewall simply directs?
A lot I know... not trying to be a pill. Just curious I guess.

Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 16, 2025, 06:21:59 PM
If you want to separate the 4 mail servers put each in a VLAN - nothing speaks against that.

I do not quite understand some of your musings:

Quote:
I was just sitting one day thinking, is this practical or better yet, is this the legitimate way this would be done. Would there be a vlan for each WAN/LAN or would it be 1 LAN and NAT to whichever WAN/LAN ip needed specific association.

What do you mean by association? VLANs or not, all public IP addresses end up bound to WAN and you need a port forward rule for port 25 for each of your mail servers.

So it's either:

external.1:25 --> 192.168.1.11:25
external.2:25 --> 192.168.1.12:25
external.3:25 --> 192.168.1.13:25
external.4:25 --> 192.168.1.14:25

or:

external.1:25 --> 192.168.1.10:25
external.2:25 --> 192.168.2.10:25
external.3:25 --> 192.168.3.10:25
external.4:25 --> 192.168.4.10:25

or whatever. External address port 25 gets forwarded to some internal address port 25 - whether that internal address is all on its own in a separate VLAN or together with all the other ones in a single one doesn't make a difference.

There is no "mapping" of external addresses to VLANs. VLANs are layer 2, IP addresses are layer 3.
Title: Re: Need some Configuration advice
Post by: fbeye on March 16, 2025, 07:06:08 PM
Yeah I seem to have misused my meanings.
I mean NAT association meaning "WAN IP to LAN Network": WAN x.x.182 would be the WAN IP and LAN 192.168.1.0/24 would be the LAN network. I just mean VLAN 1 192.168.1.0, VLAN 2 192.168.2.0 and so on, and WAN 1 would go to 1.0/24, WAN 2 would go to 2.0/24 and so on.

Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 16, 2025, 07:19:10 PM
You cannot have "WAN1 go to 1.0/24" - it can go to a single IP address only. For each individual port forwarding rule, of course. Port 25 to a mail server, ports 80&443 to a web server. Etc.

Whether it is worth the effort to separate your servers into 6 VLANs each for one external address only you can decide.

I have VLANs like this:

- LAN: all desktop devices, phones, tablets, my printer, NAS, ... anything the family uses and which is considered trustworthy.
- GUE: guest WiFi.
- SRV: externally reachable services, all in FreeBSD jails on TrueNAS CORE.
- APP: externally reachable services, in Docker instances on TrueNAS SCALE.
- WIN: Windows VMs.
- RPI: My TuringPi cluster with 7 compute modules.

Etc. Overkill? For sure. But with all infrastructure systems - Switch, OPNsense, TrueNAS CORE and SCALE connected with each other via LAGG and all internal networks in VLANs it's too easy to add "just another one" ;-)
Title: Re: Need some Configuration advice
Post by: fbeye on March 16, 2025, 07:30:38 PM
Well, let me ask ya this. If you had a block of 8 static IPs, for fun would you assign different WAN IPs for different VLAN usage?
Meaning like your LAN for home can use its own WAN IP and then the APP VLAN goes to a different WAN IP that has, let's say, an FQDN?
My meaning is this: being that I DO have the static IPs, I wanna have fun and utilize them. Would their utilization be separate networks for each WAN, or 1 network NAT'd to whichever WAN it would need to use based on the application?

But you answered a lot of questions and I thank you.
And I am curious... maybe I am lucky, but in my Cisco FTD I indeed have a NAT associating a WAN IP to a LAN (network), dynamic. I then have that LAN network associated with VLAN 1. Interface 1 is associated to VLAN 1 and I have a DHCP server running on VLAN 1. Anything I plug into that interface grabs a LAN IP that is associated with the correct WAN from my NAT rule associating the 192.168.1.0/24 network with WAN .182. I did this 6 times, and if I plug into interface 5, it grabs a 192.168.5.0 address and anything 5.0 will use .177. Anything 6.0 grabs .176 and so on.
Or did I explain it originally incorrectly?
Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 16, 2025, 07:37:56 PM
You can of course map outbound NAT per VLAN, one IP address per VLAN.

The main question you need to answer is based on which criteria you want to group your machines (VMs, containers, whatever).

Here all VLANs but "LAN" only have access to the Internet and not to any other VLAN.

I would most probably not use any WAN address but a single one, because I run all inbound connections through a single reverse proxy (Caddy) and perform SSL termination on the firewall.
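The two port-forward layouts Patrick lists above and the per-VLAN outbound NAT he mentions in this reply, written out as an added FreeBSD pf.conf fragment (not from the thread and not OPNsense's generated rule set; OPNsense builds the equivalent from Firewall > NAT > Port Forward, Firewall > NAT > Outbound and the per-interface Rules pages). The interface names, the 203.0.113.0/24 documentation addresses standing in for the public block, and the internal addresses are constructed. The point the fragment makes visible is that the external address only ever appears in a per-port rule and in the outbound source-NAT rule; no rule ties a public IP to a VLAN as such.

```pf
# Added example (constructed names and addresses, RFC 5737 range for the public block).
ext_if   = "igb0"                                     # assumed WAN interface
vlan_ifs = "{ vlan1 vlan2 vlan3 vlan4 }"              # assumed VLAN interfaces
vlan_nets = "{ 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }"

# Layout A: one flat internal network, four mail servers side by side.
# The external destination address is what selects the target host.
rdr pass on $ext_if proto tcp from any to 203.0.113.1 port 25 -> 192.168.1.11 port 25
rdr pass on $ext_if proto tcp from any to 203.0.113.2 port 25 -> 192.168.1.12 port 25
rdr pass on $ext_if proto tcp from any to 203.0.113.3 port 25 -> 192.168.1.13 port 25
rdr pass on $ext_if proto tcp from any to 203.0.113.4 port 25 -> 192.168.1.14 port 25

# Layout B: one VLAN per server. Only the internal address changes; the
# rule shape is identical, because the VLAN never appears in a port forward.
# rdr pass on $ext_if proto tcp from any to 203.0.113.1 port 25 -> 192.168.1.10 port 25
# rdr pass on $ext_if proto tcp from any to 203.0.113.2 port 25 -> 192.168.2.10 port 25
# rdr pass on $ext_if proto tcp from any to 203.0.113.3 port 25 -> 192.168.3.10 port 25
# rdr pass on $ext_if proto tcp from any to 203.0.113.4 port 25 -> 192.168.4.10 port 25

# A web server behind the fourth address: several ports in one rule,
# destination port kept as-is because the redirect names no port.
rdr pass on $ext_if proto tcp from any to 203.0.113.4 port { 80, 443 } -> 192.168.4.20

# Outbound NAT per VLAN: each internal network leaves on "its" public address.
# This source-NAT rule is the only place a network-to-address mapping exists.
nat on $ext_if from 192.168.1.0/24 to any -> 203.0.113.1
nat on $ext_if from 192.168.2.0/24 to any -> 203.0.113.2
nat on $ext_if from 192.168.3.0/24 to any -> 203.0.113.3
nat on $ext_if from 192.168.4.0/24 to any -> 203.0.113.4

# Filter policy for the server VLANs, matching "only Internet, no other VLAN":
# let hosts reach the firewall itself for DNS and DHCP, drop VLAN-to-VLAN
# traffic, and pass everything else (which, after the block, is the Internet).
pass in quick on $vlan_ifs proto udp from $vlan_nets to self port { 53, 67 }
block in quick on $vlan_ifs from $vlan_nets to $vlan_nets
pass in on $vlan_ifs from $vlan_nets to any
```

Rule order matters because of `quick`: the pass to `self` must sit before the block, otherwise the gateway address (which lies inside `$vlan_nets`) would be caught by the VLAN-to-VLAN block. In OPNsense the same ordering is the top-to-bottom order of the rules on each VLAN interface tab.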
Title: Re: Need some Configuration advice
Post by: fbeye on March 16, 2025, 07:50:13 PM
Fair enough. Makes sense. Thank you.
Title: Re: Need some Configuration advice
Post by: pfry on March 16, 2025, 08:12:43 PM
Quote from: Patrick M. Hausen on March 16, 2025, 07:37:56 PM
[...] I run all inbound connections through a single reverse proxy (Caddy) and perform SSL termination on the firewall.

I prefer to use as few firewall features as possible (mainly filtering and DHCP for dynamic assignment of private IPs), so I connect to the Internet via a bridge (I have 13 static IPs at the moment). I actually have four bridges configured on the firewall: one public, two NAT, and one completely private. If my firewall catches fire, I can simply plug my public servers into my Internet link via a switch (several of which I keep handy in part for that purpose). (I have to remember not to use the firewall as the gateway for my public machines. It would save me from having to configure static routes for internal IP blocks, but would preclude the easy re-plug.)

(Dammit - I have this spider on my keyboard and I just can't get rid of it. I keep trying to cut its dragline and send it on its way, and it keeps finding its way back. Persistent little bugger.)
Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 16, 2025, 08:38:41 PM
@pfry honestly I never understood your bridging setup nor the motivation for it. I avoid layer 2 "tricks" at all costs. Routing is always better than bridging. That's why IP was invented.

When Ethernet went from a bus to a star topology we should have abandoned broadcast domains and let the switches use IP instead. Even Radia Perlman who invented bridging and spanning tree says so nowadays. Bridging was a mistake.

But you do you 🙂
Title: Re: Need some Configuration advice
Post by: pfry on March 17, 2025, 09:11:58 AM
Quote from: Patrick M. Hausen on March 16, 2025, 08:38:41 PM
@pfry honestly I never understood your bridging setup nor the motivation for it. I avoid layer 2 "tricks" at all costs. Routing is always better than bridging.

It's how many US Internet services are delivered, particularly static IPs over most DOCSIS and fiber. You're either going to use a bridge or some layer 3 tricks (e.g. proxy ARP or NAT). Choose your poison. I have to say, I prefer it over PPPoE.

In the end, if we use Ethernet (or any other IEEE 802 network), we use bridges. I just shift them a step into the firewall.

My old cable setup was a Lucent (Xedia) AP1000 (router/firewall/CBQ shaper) providing shaping and proxy ARP routing to a Juniper (Netscreen) SSG 550. My OPNsense setup is nice by comparison (the need for shaping is kinda gone in these days of multi-Gb Internet links).

Quote:
That's why IP was invented.

Heh. Timeline.

Quote:
When Ethernet went from a bus to a star topology we should have abandoned broadcast domains and let the switches use IP instead. Even Radia Perlman who invented bridging and spanning tree says so nowadays. Bridging was a mistake. [...]

I'll see your Perlman (actually never read any of her material that I recall) and raise you one Rich Seifert (he used to hang out on comp.dcom.lans.ethernet). But bridging predated common use of IP in business, and practical routing silicon essentially arrived with gigabit Ethernet (some years after 10BASE-T, much less LattisNet). Considering how well Ethernet works, the viewpoint that bridging was a mistake seems a bit odd.

Quote:
But you do you 🙂

I think that's the message for fbeye as well. "Practical" is what works for you - once you get there. Well, unless you're a complete nut.
Title: Re: Need some Configuration advice
Post by: Patrick M. Hausen on March 17, 2025, 09:15:32 AM
Quote from: pfry on March 17, 2025, 09:11:58 AM
I'll see your Perlman (actually never read any of her material that I recall)

"Interconnections" is still worth a read, IMHO.
Title: Re: Need some Configuration advice
Post by: pfry on March 17, 2025, 05:39:04 PM
Quote from: Patrick M. Hausen on March 17, 2025, 09:15:32 AM
"Interconnections" is still worth a read, IMHO.

I'll see if I can locate a copy. Heh - book thread?

Back on the subject a bit, it's interesting to see the different lessons folks learn from experience. That reminds me - I should block out some time to read through the "Tutorials and FAQs" forum section.
Title: Re: Need some Configuration advice
Post by: fbeye on March 17, 2025, 11:09:56 PM
Quote from: pfry on March 17, 2025, 09:11:58 AM
Quote from: Patrick M. Hausen on March 16, 2025, 08:38:41 PM
@pfry honestly I never understood your bridging setup nor the motivation for it. I avoid layer 2 "tricks" at all costs. Routing is always better than bridging.

It's how many US Internet services are delivered, particularly static IPs over most DOCSIS and fiber. You're either going to use a bridge or some layer 3 tricks (e.g. proxy ARP or NAT). Choose your poison. I have to say, I prefer it over PPPoE.

In the end, if we use Ethernet (or any other IEEE 802 network), we use bridges. I just shift them a step into the firewall.

My old cable setup was a Lucent (Xedia) AP1000 (router/firewall/CBQ shaper) providing shaping and proxy ARP routing to a Juniper (Netscreen) SSG 550. My OPNsense setup is nice by comparison (the need for shaping is kinda gone in these days of multi-Gb Internet links).

Quote:
That's why IP was invented.

Heh. Timeline.

Quote:
When Ethernet went from a bus to a star topology we should have abandoned broadcast domains and let the switches use IP instead. Even Radia Perlman who invented bridging and spanning tree says so nowadays. Bridging was a mistake. [...]

I'll see your Perlman (actually never read any of her material that I recall) and raise you one Rich Seifert (he used to hang out on comp.dcom.lans.ethernet). But bridging predated common use of IP in business, and practical routing silicon essentially arrived with gigabit Ethernet (some years after 10BASE-T, much less LattisNet). Considering how well Ethernet works, the viewpoint that bridging was a mistake seems a bit odd.

Quote:
But you do you 🙂

I think that's the message for fbeye as well. "Practical" is what works for you - once you get there. Well, unless you're a complete nut.


Most all my questions on any forum aren't "can I", but "should I". And even that really stems from a security standpoint. Does my setup, though it works "flawlessly", cause any bottlenecks? Does it expose my LAN to the internet in ways I am not imagining? I totally get it, it's a preference thing, I just wanna make sure I'm not doing it wrong.
I can eat McDonald's every day, my choice. But should I?