Netgate Discussion Forum

    Creating interface for IP range that isn't a CIDR range and Gateway not in IP Range

    • klubar

      We recently installed FIOS with 13 static addresses. We were given the following info about our IP addresses and gateway.

      IP range: 108.7.226.42-108.7.226.54 (13 addresses, but not a legitimate CIDR range)
      Gateway: 108.7.226.1 (which is not in the IP range we were given above)

      I've done the following but it doesn't seem to work:
      1: Created a Gateway (Routing/Gateway/Edit) with the gateway address 108.7.226.1 and checked "Use non-local gateway through interface specific route"
      2: Created an interface with IPv4 address of 108.7.226.42/27 -- which includes my addresses and more; selected the Gateway 108.7.226.1

      Is this the right way to do this?

      When I try to route traffic thru this interface (by assigning it as priority 1 in the gateway groups) it works for a few seconds and then seems to stop. I've verified the FIOS device is working by directly connecting a PC to it.

      • stephenw10 Netgate Administrator

        Are they actually routing those addresses to you or just providing them directly on your WAN?

        If it's the latter you need to add VIPs on your existing WAN with the static IPs and use them that way. That's relatively easy to test.

        https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html#additional-static-ip-addresses

        I would also ask them to double check the address. That sure looks like it should be a /28 somewhere.

        Steve

        • klubar

          Thanks!!!!
          I believe the answer to "Are actually routing those addresses to you or just providing them directly on your WAN" is that they are actually routing those addresses.

          Here's what I've done and it still works for a few seconds and then stops.

          • Confirmed that the IP range is really 108.7.226.42 - 54 (not a /28)!
          • Created the interface as IP address 108.7.226.42/32
          • Gateway 108.7.226.1 (not in range checked)
          • Created a VIP (IP Alias) on the interface, address 108.7.226.43/32
          • In Gateway Groups set this interface to Tier 1 and the others to Tier 2 & Tier 3
          • Cleared ARP table

          Diagnostics I've tried:

          • On status screen interface shows up
          • For the few seconds (maybe 20) that it's working, what's my ip shows 108.7.226.43
          • Unable to ping from external address either 108.7.226.42 or .43
          • No firewall rules
          • Interface shows Media 1000baseT <full-duplex,rxpause>; should I be concerned about the rxpause?

          Any pointers or help would be super appreciated as I'm at the end of my rope!

          • stephenw10 Netgate Administrator

            I assume from the way that you refer to the gateways that you have a different WAN interface and that is working correctly? Is that in a completely different subnet? Is it dynamic?

            If they really were routing those IPs to you, you wouldn't need to use a separate gateway. So I suspect they are in fact just providing the IPs on your WAN link directly. In which case you need to add VIPs on the WAN, you cannot create a new interface to use the IPs on.

            Try this:
            Remove the new interface you added.
            Add 108.7.226.42/24 as an IPAlias VIP on WAN.
            Try to ping out from it. Try to ping in to it whilst running a pcap on WAN for 108.7.226.42 and see if any traffic arrives.
            Add 108.7.226.1 as a gateway. Try to ping 108.7.226.1

            Did they give you any instructions on how to use these IPs?

            Steve
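
Added example, not part of any post in this thread: the Python below uses the standard `ipaddress` module to check the prefixes discussed above. It splits 108.7.226.42-54 into the exact CIDR blocks that cover it (useful for firewall aliases that must not include neighbouring addresses) and tests whether the gateway 108.7.226.1 is on-link for a given interface prefix. All function names are illustrative assumptions.

```python
import ipaddress

# Values quoted in the thread.
FIRST = ipaddress.IPv4Address("108.7.226.42")
LAST = ipaddress.IPv4Address("108.7.226.54")
GATEWAY = ipaddress.IPv4Address("108.7.226.1")


def exact_cidrs(first, last):
    """Minimal list of CIDR blocks covering first..last and nothing else."""
    return list(ipaddress.summarize_address_range(first, last))


def smallest_enclosing(first, last, also=None):
    """Smallest single network holding the range (and `also`, if given)."""
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net or (also is not None and also not in net):
        net = net.supernet()  # widen the prefix by one bit
    return net


def gateway_on_link(interface_cidr, gateway):
    """True if the gateway lies inside the subnet implied by the interface."""
    return gateway in ipaddress.ip_interface(interface_cidr).network


def report(first, last, gateway):
    assigned = int(last) - int(first) + 1
    enclosing = smallest_enclosing(first, last)
    return {
        "assigned": assigned,
        "exact_blocks": [str(b) for b in exact_cidrs(first, last)],
        "enclosing": str(enclosing),
        # Addresses a rule on the enclosing prefix would cover by mistake.
        "not_ours_in_enclosing": enclosing.num_addresses - assigned,
        "smallest_with_gateway": str(smallest_enclosing(first, last, gateway)),
        "gw_on_link_/27": gateway_on_link(f"{first}/27", gateway),
        "gw_on_link_/24": gateway_on_link(f"{first}/24", gateway),
    }


if __name__ == "__main__":
    for key, value in report(FIRST, LAST, GATEWAY).items():
        print(f"{key}: {value}")
```
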

            • klubar

              It's always DNS

              After much experimenting (thanks @stephenw10) I figured out the problem. We use DNS Filter as our upstream DNS resolver. DNS Filter is tied to specific IP addresses and refuses to resolve if the request is coming from an "unknown" address.

              New network connection was unknown so some addresses that could be resolved locally or were cached worked. Thus why it worked for a few seconds. I finally figured it out when I tried entering IP addresses and that worked. (Hint, 1.1.1.1 is a good webpage to try if you are ever in this situation.)

              Sigh. My fault.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.