Secondary address space on the WAN interface (different gateway)
-
My ISP recently allocated another IP range on our corporate Internet connection. The new one is a public /29. Unfortunately, it has a different gateway than my first /29 range. So something like this…
Initial IP range: x.y.z.a/29 gateway 192.168.1.1 (but public)
New IP range: b.c.d.e/29, gateway 10.0.0.1 (but public)
What I had expected from the ISP was an additional grant using the same gateway (not sure that that was even a reasonable expectation, but that's what I thought I'd get), so that I could add the additional IPs as VirtualIPs. Since this new range has a different gateway, I'm not sure how to do that in pfSense. The ISP says that these IPs come in on the same physical interface from them - but I'm not sure how to make use of these in pfSense. Is there a way to add a new "virtual" (?) interface on the same physical interface?
-
Proxy ARP is capable in this situation. Or, if you have multiple modems, you could create a load balancing/failover situation.
-
How would I actually do it? Attached is a snip from my Proxy ARP screen, but I don't see any obvious way to specify the new connection/gateway.
-
Try to look for load balancing; there might be your answer.
-
Ok - so it works, but I'm not sure how it works.
From the new IP range, I created a Proxy ARP entry for 1 of the new Virtual IPs (x.y.z.1/32), on the same physical interface.
Next, I created a NAT rule forwarding HTTP traffic from x.y.z.1/32 to an internal web-server.
Then, I tried connecting externally to http://x.y.z.1 - and I saw the web-page of my web browser.
So - great, it works! But what I'm confused about is how it worked. Without having the new gateway specified somehow (since the Proxy ARP entry doesn't let you add a gateway), how am I able to hit this from off-site? Does this mean that my ISP has routed the IP to me?
Thanks!
-
You don't need the gateway; in those scenarios it's generally the same as your default gateway. A better scenario is having your ISP route that second block to you; that way you aren't wasting 3 IPs (network, broadcast and gateway addresses) out of that subnet. There's no need to assign subnets like they're doing there (it'll work, just not the best way).
-
Then how does it work? The first IP block from my ISP had a "gatewayA" which is assigned to my physical interface. The second grant that I got today had "gatewayB", which I'm not specifying anywhere. I'm going through and adding each IP from that new range as Proxy ARP VirtualIPs (e.g. 1.2.3.4/32, 1.2.3.5/32, etc. instead of 1.2.3.4/29), and creating NAT rules for each, but since "gatewayB" isn't ever specified anywhere within pfSense, I'm not sure how/why it's working.
-
Gateway B has the same MAC as gateway A, so it only has to use gateway A. If B were on a different router from A, you'd have issues as currently configured; in that case you'd just set it up as a second Internet connection on a separate interface (as that's what it would be).
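-
An added example, not part of the thread: one way to check the "same MAC" explanation above is to capture inbound frames on the WAN interface with `tcpdump -e -n` and confirm that traffic for both /29 blocks arrives from a single upstream MAC. The capture lines, addresses, MACs and function names below are constructed for illustration (documentation ranges), and only frames that tcpdump prints with ports (TCP/UDP) are parsed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -e -n` output from the WAN interface.
# 00:00:5e:00:53:01 stands in for the ISP router, ...:aa for the firewall WAN NIC.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:aa, ethertype IPv4 (0x0800), length 74: 192.0.2.50.51000 > 198.51.100.2.80: Flags [S], length 0
12:00:02.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:aa, ethertype IPv4 (0x0800), length 74: 192.0.2.51.51001 > 203.0.113.9.80: Flags [S], length 0
12:00:03.000001 00:00:5e:00:53:aa > 00:00:5e:00:53:01, ethertype IPv4 (0x0800), length 74: 203.0.113.9.80 > 192.0.2.51.51001: Flags [S.], length 0
"""

# Link-layer source/destination MACs, then IPv4 source and destination (port stripped).
FRAME = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ethertype IPv4 .*?: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+:"
)


def upstream_macs(capture, blocks):
    """Map each address block to the source MACs that delivered frames into it."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = FRAME.match(line)
        if not m:
            continue  # non-IPv4 or port-less frames (ARP, ICMP) are ignored here
        dst = ipaddress.ip_address(m["dst"])
        for net in nets:
            if dst in net:
                seen[str(net)].add(m["src_mac"])
    return dict(seen)


def same_upstream_router(capture, block_a, block_b):
    """True only if both blocks were seen and share exactly one upstream MAC."""
    macs = upstream_macs(capture, [block_a, block_b])
    a = macs.get(str(ipaddress.ip_network(block_a)), set())
    b = macs.get(str(ipaddress.ip_network(block_b)), set())
    return len(a) == 1 and a == b


if __name__ == "__main__":
    print(upstream_macs(SAMPLE_CAPTURE, ["198.51.100.0/29", "203.0.113.8/29"]))
    print(same_upstream_router(SAMPLE_CAPTURE, "198.51.100.0/29", "203.0.113.8/29"))
```

A `False` result with two distinct MACs corresponds to the "different router" case in the last reply, where the second block would need its own interface and gateway.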