Routed public IP over /30 transport network
-
I have configured the /28 public IP block assigned to us by the ISP, which is routed over a different /30 transport subnet, as per the instructions given at the link below.
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
It's all working as expected except for the following.
The LAN traffic is NATed, unlike the public IP net, which is assigned directly to the servers and is not NATed because of the hybrid outbound rule. But internet connectivity is not possible through the WAN IP. I think only the public IP pool gets internet connectivity, not the WAN IP. This causes two issues. i) No internet for the LAN net. ii) pfSense can't be updated.
-
@ishantdave so you're saying the transport IP they are using isn't allowed internet access? That seems odd - have you validated that with them?
-
@johnpoz It seems so. Only the traffic originating from the public IP net (configured on OPT1, which is not NATed) is able to go further and access the internet. The LAN traffic, which is NATed and assigned the WAN IP, does not get internet access. I don't have a problem with that except that the box can't get updates and I do not see a workaround to get the updates. Please note that the two subnets (assigned public IP pool and transport) are totally different.
-
@ishantdave well yeah, normally your transport and your routed IP ranges would be different.
But unless your transport is an rfc1918 or a CGNAT range - normally it would have internet..
I would validate with your ISP whether your transport IP should have internet or not.. Seems odd if they are giving you a public /30 transport that they would not allow it to have internet access.
-
Agree, that seems more like an error on their part than intentional. Did they give you a gateway for that /30? And/or they're telling you it won't have access?
Also, it seems a bit odd to me they would give you a /30 if you're using NAT. In my experience the /30 is needed if not using NAT and the LAN side uses the /28. If using NAT then we usually set up the WAN with one of the IPs and the others in the /28 as virtual IPs/aliases on WAN.
-
@steveits I have assigned one of the two IPs from the /30 transport net as the WAN IP and the other one as the gateway on my pfSense box. The OPT1 interface is assigned the /28 public IP net, and the hybrid rule I set does not NAT traffic from the /28 public IP net, and all machines on the OPT1 interface get internet access without any issue.
The issue is for the LAN and the pfSense box itself, which do get NATed by default to the WAN IP because the hybrid outbound rule doesn't apply to them. But the WAN IP itself is not getting access to the internet. Only the /28 public IP subnet gets internet.
As I mentioned earlier, the transport and public IP subnets are totally different, and it's logical that I should be able to get only 14 (16-2) static IPs, as promised for a pool of 16 public IPs. If I get internet access on the WAN IP also, then it will be one more, which is not logical either.
-
@ishantdave Can you verify with a traceroute? I don't understand how devices using NAT through the WAN IP can get out and the WAN IP can't. With NAT the rest of the world can't tell the difference.
Is your issue maybe a DNS problem? Can you ping an IP like 8.8.8.8 using diagnostics/ping, using WAN and/or LAN?
-
@steveits the devices on his routed /28 are not being NATed to his WAN IP on the /30
Like this
internet -- isp gateway 1.2.3.1/30 --- 1.2.3.2/30 pfsense 4.5.6.1/28 -- 4.5.6.2/28 device.
What he is saying is pfSense on 1.2.3.2 doesn't have internet, nor, say, his LAN on 192.168.1/24 that would NAT to 1.2.3.2
But traffic to and from 4.5.6.2 works fine
But yes, traffic from 4.5.6.2 would be sent to the ISP gateway 1.2.3.1 - so it's a filter on the ISP.. But it's really strange that they would do that.. Why would they not let 1.2.3.2 have internet access?
At least that is my take on what he is saying is happening.
He is doing this for his routed /28
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
-
@johnpoz OK I understand, thanks. Yeah, so a traceroute to 8.8.8.8 would help the ISP find where it is blocked. Unless they know and are being jerks...because pretty much any router will have security updates.
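As an added illustration of the topology johnpoz sketched above (not code from the thread or from Netgate), the following Python model walks a packet from each of the three sources through pfSense's hybrid outbound NAT and then through a hypothetical upstream filter that drops anything sourced from the transport /30, which is the behaviour the thread suspects at the ISP. The addresses (1.2.3.0/30, 4.5.6.0/28, 192.168.1.0/24) are the constructed ones from the post; the filter itself is an assumption used to reproduce the symptoms, and the `nat_address` parameter is a what-if knob, not a recommendation from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union

# Constructed example addresses, matching the sketch in the thread; not real assignments.
ISP_GATEWAY = ip_address("1.2.3.1")          # ISP side of the /30 transport
WAN_IP = ip_address("1.2.3.2")               # pfSense side of the /30 transport
TRANSPORT = ip_network("1.2.3.0/30")
ROUTED_BLOCK = ip_network("4.5.6.0/28")      # routed /28 configured on OPT1
LAN = ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class OutboundNatRule:
    """One outbound NAT entry: either 'do not NAT' or translate to a fixed address."""
    source: IPv4Network
    no_nat: bool
    translate_to: Optional[IPv4Address] = None


def hybrid_outbound_rules(nat_address: Union[str, IPv4Address] = WAN_IP) -> List[OutboundNatRule]:
    """Hybrid mode: the manual 'Do not NAT' rule for the /28 is evaluated first,
    followed by the automatic rule that NATs internal networks to the WAN address."""
    return [
        OutboundNatRule(ROUTED_BLOCK, no_nat=True),
        OutboundNatRule(LAN, no_nat=False, translate_to=ip_address(nat_address)),
    ]


def egress_source(src: Union[str, IPv4Address], rules: List[OutboundNatRule]) -> IPv4Address:
    """Source address the ISP gateway sees for a packet leaving via WAN."""
    src = ip_address(src)
    for rule in rules:                       # first match wins, as in pf
        if src in rule.source:
            return src if rule.no_nat else rule.translate_to
    return src                               # the firewall's own traffic leaves untranslated


def isp_permits(seen_src: IPv4Address, blocked: IPv4Network = TRANSPORT) -> bool:
    """Assumed upstream filter: the ISP drops anything sourced from the transport /30
    but forwards the routed /28. This reproduces the symptoms described in the thread."""
    return seen_src not in blocked


def diagnose(src: str, nat_address: Union[str, IPv4Address] = WAN_IP) -> Dict[str, object]:
    """What the ISP sees for a packet from `src`, and whether the assumed filter lets it out."""
    rules = hybrid_outbound_rules(nat_address)
    seen = egress_source(src, rules)
    return {
        "seen_as": str(seen),
        "natted": seen != ip_address(src),
        "reaches_internet": isp_permits(seen),
    }


if __name__ == "__main__":
    for host in ("192.168.1.10", "4.5.6.2", str(WAN_IP)):
        print(host, diagnose(host))
```

Run as-is, the model reproduces the thread exactly: a LAN host leaves as 1.2.3.2 and is dropped, a /28 host leaves untranslated and gets through, and pfSense itself (sourcing from 1.2.3.2) is dropped, which is why updates fail. Changing `nat_address` shows that LAN traffic would pass if it were translated to an address inside the routed /28, but the firewall's own traffic still sources from the WAN address, so that knob does not help the update problem; the traceroute from pfSense that steveits suggests is the right next step, because it shows where on the path the 1.2.3.2-sourced packets stop.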