same IP addresses / subnet from 2 LAN interfaces

negeji8010 · Aug 1, 2024, 7:59 AM

Hello all,

With a Netgate 2100 appliance or a Pfsense CE VM, I am looking to connect several LAN networks using the same subnet mask (and therefore with some endpoints using the same IP addresses from one network to another) to the same WAN exit point.

- Equipment with these identical IP addresses cannot be modified (industrial equipment with IP@ hardcoded in the program) -

I have so far used a Netgate 2100 in the following way:

configuring Switch Ports as discrete port, based on this guide: https://docs.netgate.com/pfsense/en/latest/solutions/netgate-2100/configuring-the-switch-ports.html
Enabled the 2 LAN side interfaces configured in the previous step, but without assigning an IP address,
Created a Bridge interface containing the 2 LAN ports with the Auto Edge Ports & Private Ports options selected,
Assigned to the Bridge an IPv4 address serving as a common gateway for the 2 LAN interfaces.

This configuration allows me to connect 2 different physical interfaces sharing the same subnet mask to a single interface of the Pfsense, ok.
However, as soon as I use 2 identical IP addresses on the 2 legs of the bridge, the behavior is the same as if the 2 machines shared the same broadcast domain, the packets randomly go to one of the 2 machines depending on the last ARP table updates

I then tried several things, without success for the moment :

create 2 VIPs type "IP alias", "single address" /32 and declare them as different gateways on my 2 LANs -> same behavior,
create 2 VIPs type "ARP Proxy" and declare them as different gateways on my 2 LANs as above -> same behavior,
Tried to add NAT type 1:1 or Outbound on top of my different VIPs -> same result

Do you think there is a way to differentiate the flows coming from these 2 identical IP addresses but on 2 different LAN ports by adding an address translation at one point or another on the path of these flows?
(My NAT side tests are not very relevant, it's quite possible that I made misconfigurations, I am not very comfortable with these notions of proxy ARP + NAT mapping (external subnet, internal IP, destination, etc.)

Thank you in advance for your contribution!

johnpoz · Aug 1, 2024, 11:02 AM

@negeji8010 get 2 cheap nat routers.. Say whatever $20 home router you can get on amazon.. Turn off its wifi and then just put that in front of your device.

Create two interface on your pfsense, say 192.168.2/24 and 192.168.3/24 where you devices are both using say 192.168.1.x

Router A would nat to your 2 network, and router B would nat to your 3 network. If you need inbound traffic to them just setup port forwarding on the cheap nat routers and just talk to your devices using the 2 or 3 address depending on which one you need to talk to.

negeji8010 · Aug 1, 2024, 1:40 PM

@johnpoz said in same IP addresses / subnet from 2 LAN interfaces:

@negeji8010 get 2 cheap nat routers.. Say whatever $20 home router you can get on amazon.. Turn off its wifi and then just put that in front of your device.

Create two interface on your pfsense, say 192.168.2/24 and 192.168.3/24 where you devices are both using say 192.168.1.x

Router A would nat to your 2 network, and router B would nat to your 3 network. If you need inbound traffic to them just setup port forwarding on the cheap nat routers and just talk to your devices using the 2 or 3 address depending on which one you need to talk to.

Hello @johnpoz, thanks for your answer.

This is indeed the last resort solution that I keep up my sleeve, I have already tested it by using as many Pfsense CE VMs as subnets to NAT each subnet independently then all connected to a final Pfsense doing the job of router / firewall to my WAN interface.

But precisely, I am looking to reproduce this behavior within a single appliance/VM to be able to deploy / maintain it more easily (the target is not realy domestic use).

johnpoz · Aug 1, 2024, 1:45 PM

@negeji8010 you have to nat them downstream of pfsense.. There is no way to connect multiple devices with the same IP to pfsense be it a bridge or not and expect it to work. Even if you don't let the different sides of the bridge to talk to each other. The router in the middle would still see the duplicate IP and different macs.. You would only ever be able to talk to one of the devices, whichever one answered the arp first.

I would look for something else to use for the device - a locked in IP is moronic.. Doing business with such a company just goes along with the nonsense.. You should not encourage their stupidity.. You have contacted said company and said hey look we want to buy X number of your devices - but we need to be able to change their IP to do so.

negeji8010 · Aug 1, 2024, 2:30 PM

@johnpoz said in same IP addresses / subnet from 2 LAN interfaces:

@negeji8010 you have to nat them downstream of pfsense.. There is no way to connect multiple devices with the same IP to pfsense be it a bridge or not and expect it to work. Even if you don't let the different sides of the bridge to talk to each other. The router in the middle would still see the duplicate IP and different macs.. You would only ever be able to talk to one of the devices, whichever one answered the arp first.

Thanks for the confirmation, even if it doesn't please me.
It will save me from wasting time testing all the configurations.

I would look for something else to use for the device - a locked in IP is moronic.. Doing business with such a company just goes along with the nonsense.. You should not encourage their stupidity.. You have contacted said company and said hey look we want to buy X number of your devices - but we need to be able to change their IP to do so.

I share your opinion, unfortunately the context is particular and above all... imposed.
Several industrial equipment forming a small LAN network, historically on several different geographical sites, is today gathered on the same site/same unmanaged L2 switch.

And now, while the equipment no longer communicates correctly, the IT guy (never consulted before this merger project) must find a "cheap" solution

johnpoz · Aug 1, 2024, 2:51 PM

@negeji8010 yeah I hear yeah.. oh btw IT make this nonsense work.. Yeah we didn't bother to ask you if we "could" do such a thing - just make it work!

To make it work.. You will need to nat them, and will need different natting devices.. The "cheapest" way to do it is find some small little router.. Some little travel router or soho router going to be the easy cheapest solution. Sure you could do it as vm, etc. But that is going to cost more for sure.. Unless you have something laying around to use as the host were you could run multiple natting something - wouldn't have to be pfsense doing the natting.

If you go the soho or travel router I would make sure it runs some 3rd party firmware (openwrt for example) vs native like linksys or netgear router OS.. Maybe tiny router from Mikrotik, they have something like the hex lite for like $40 that can be powered via poe, etc.