Recipe for Pfsense becoming a static router for a /28 subnet
-
My Pfsense router receives through PPPoE the subnet 20.0.0.1/28 with an external gateway to the the Internet.
I would like Pfsense to route all traffic, coming and going, to devices in the 20.0.0.0/28 network to the Internet.What's the recipe for that?
Configuring the PPPoE-interface is no problem and Pfsense has Internet and is a NAT-router for the LAN-interface.I have devices on 20.0.0.2 and 20.0.0.3 connected to a switch and I want them to have Internet using the Pfsense as its gateway.
I don't need a firewall for the static routing part.
I do not want to use network translation, so I want those devices configured on their WAN-address..The WAN-IP 20.0.0.1 is not exposed on an ethernet interface.
How do I expose it? -
Hi, you must configure "NO-NAT" Rules for that :)
That is managed under "Firewall -> NAT -> Outbound"
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#working-with-manual-outbound-nat-rules
-
I need a bit more info than that.
For starters the WAN-IP isn't present on any physical interface.
Let's say I have 3 interfaces
Physical:
igc0 - connected to ISP, no IP present
igc1 - LAN 192.168.10.1
igc2 - unconfiguredvirtual:
pppoe0 - 20.0.0.1/28I think it is possible to connect a switch to igc2 on which I have several devices configured with WAN-addresses in the 20.0.0.0/28 network and connect them to the Internet.
I do NOT want to use 1:1 NATI was looking for a way to bridge igc2 to pppoe0, but I can't use igc2 if it's not configured for an IP
-
@frater Yes, it´s possible you must select the WAN (pppoe0) Interface in the NAT rule :)
Better article: https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
-
@frater You don´t/mustn´t need to bridge it. Thats not the correct way. You need to route the traffic and disable NAT for that.
-
**At least two public IP subnets must be assigned by the ISP.**The recipe you gave is not the same scenario.
I do not have a gateway on a physical interface.I am assigned only 1 /29 subnet.
The WAN-IP that I get through the PPP-interface should be the gateway to the Internet.It's a quite common and simple scenario from the ISP's point-of-view.
I can do it with other routers quite easily. -
@frater If I followed, to use IPs in the same subnet you would set up a virtual IP:
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.htmlThen can use 1:1 NAT or port forward from pfSense.
You can't use the same subnet on two interfaces, a router doesn't know where to send the traffic.
-
You can't use the same subnet on two interfaces, a router doesn't know where to send the traffic.It's not what I'm asking.
I merely want the subnet I have to be linked to an ethernet interface.
The PPPoE-interface needs to be bridged with a classless interface. 20.0.0.1 then comes available for other devices.I have 1 subnet 20.0.0.1/29
Pfsense takes IP 20.0.0.1I know I can also take 20.0.0.2~6 with the Pfsense using Virtual IP's on the PPP-interface.
These different WAN-IP's can be used for catering multiple LANs.I have no problem setting up all that.
But I now have a scenario where I want something different.
Something even more simple than that and it's what a lot cable modems/routers are already doing.Some ISP's give you a modem/router that has, for instance 40.0.0.1/29 IP.
You can can connect 5 devices to that modem/router 40.0.0.2~6I want a Pfsense to do exactly the same thing.
It receives 20.0.0.1/29 through PPPoE and I want to to connect 5 devices to it on a switch.
The Pfsense needs to route them to the Internet, just like an ISP modem/router with bridged subnet would.I merely need to bring out the logical interface pppoe0 to a physical interface igcx, so I have 20.0.0.1 on an ethernet interface and set a static route.
If Pfsense can't do it, it can't. I can accept that.
But from a network point of view it's a totally normal scenario.I have no problem setting up this (with virtual IP)
igc0 -> connected to fibre modem
igc0.6 -> created vlan6
pppoe -> login using pppoe on igc0.6 (20.0.0.1/29 + virtual IP 20.0.0.2)igc1 -> lan1 192.168.188.1/24 (use NAT rules to use WAN IP 20.0.0.1)
igc2 -> lan2 192.168.168.1/24 (use NAT rules to use WAN IP 20.0.0.2)Now I want to use 20.0.0.3~6 for foreign devices, but I have nothing to connect it to.
-
@frater Sharing a subnet on two interfaces would be a bridge:
https://docs.netgate.com/pfsense/en/latest/bridges/index.html -
@frater I don´t understand now what you want. It is the same result when you do it with VIPs.
-
I can't bridge classless interfaces.
Tell me which interfaces I need to bridge given my last scenario!
I can create a logical interface with the name bridge on igc3 and give it a bogus IP IP 172.20.1.1/30
I can then bridge it with PPPPOE0 and connect foreign devices to igc3.If it works, it works.
I just can't test it now as I only have remote connections with pfsenses in that scenario and it's all production.And where do I tell it to route all traffic from those subnets directed to 20.0.0.1 to the Internet?
-
@frater said in Recipe for Pfsense becoming a static router for a /28 subnet:
igc1 -> lan1 192.168.188.1/24 (use NAT rules to use WAN IP 20.0.0.1)
igc2 -> lan2 192.168.168.1/24 (use NAT rules to use WAN IP 20.0.0.2)Rereading this again, you do want NAT for the internal interface but want it to use 20.0.0.2 instead of the default 20.0.0.1? (you wrote "do not want to use network translation" originally). That would be the outbound NAT mentioned in the first reply. Add the IPs as VIPs on the WAN/PPPOE connection, and add an outbound NAT rule to translate using that IP. Here's an outbound rule translating a 192.168.x.x network to a VIP Alias on WAN:
-
Rereading this again, you do want NAT for the internal interface but want it to use 20.0.0.2 instead of the default 20.0.0.1?No I do not want NAT.
I just gave that example to make clear that THAT scenario was no problem for me and I implemented quite often.
The 20.0.0.3~6 for foreign devices is my only problem.I want static routing
Even a simple Fritz!Box can do it.
Given a /30 subnet I have 2 IP's.
A Fritz!Box does NAT on 1 IP and a Cisco that is connected to the Fritz!Box has the 2nd IP and routes everything through the Fritz!Box. -
@frater No, surely not! The FB use one address and the provider router the other! You must have a GW to send traffic to the provider!
-
Surely YES
the router gets a /30 using PPPoE on a fibre connection
The 2nd IP is for the Cisco.The provider's gateway is outside the /30 network
The Cisco has a static IP on its WAN and has the FB as its gateway.
-
@frater Ok, I had a think failure. Sorry for that. But for what you want static routing?
-
In fact I'm not getting a /29 but will be getting a /27 network and I want to give more than 25 companies an Internet connection.
They all want a WAN IP without firewalling.The ISP gives me that subnet through PPPoE.
I will probably do it with a Mikrotik which needs a simple configuration to do this.I was wondering if I can do it with a Pfsense.
I also have a few places where I have a /29 subnet and Pfsense is a central router for a few companies (using VIP's)
I would like to be prepared if a company suddenly wants a WAN-IP and do his own firewalling.
I only have the subnet available on the PPPoE-interface. -
The simplest solution is to call your ISP and tell them "please I want my solution to be routed, not bridged" then they will give you a private network for the WAN side and route your network through that. Most providers can do that. Then you can configure 20.x.x.x on the "LAN side", just disable NAT altogether and you're set.
Otherwise. You should be able to bridge PPPOE and and eth interface and then set an IP address of that network in the bridge interface, then set other IP addresses on your devices with gateway your pfsense.
It sounds similar to what I have with OVH
OVH gives me a /29 and a gateway outside of that subnet.So on my WAN I configure my IP address as a /32, and then I add a route to the gateway (yes that is what I said, and a default) and then a default through the actual gateway
For example, I have:- Network: x.y.z.232/29
- Gateway: x.y.z.254
So I did this:
route add -host x.y.z.254 -iface em0 route add default x.y.z.254It's weird.... but it works
-
@andres-asm as a follow-up, while at the beginning what I did was bridge two virtual ethernet interfaces so I could give my internal VMs public IP addresses, I ended up switching to virtual IPs attached to the wan interface and 1:1 NAT.
But I get it, clients usually don't want to deal with NAT.