    Do I need a router? ISP Provides WAN and "LAN" ips? (LAN ips are my Public IPs)

      phorce1

      @gderf:

      @phorce1:

      Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

      em0 – WAN -- .82.218
                 Gateway .82.217 (default)

      em1 -- .32.226
                No gateway

      The above works.

      When you add this

      em2 – .32.227
                No gateway

      it stops working.

      You can't have two interfaces in the same machine define the same network.

      How about:

      em0 – WAN -- .82.218
                Gateway .82.217 (default)

      em1 -- .32.225 (/27)
                no gateway

      em2 -- .32.226
                Gateway .32.225

      em3 --  .32.227
                Gateway .32.225

      etc.

        gderf

        Specifying or not specifying a gateway isn't what breaks things.

        Having two or more network adapters defining the same network in the same machine does break things.

        He could split his one /27 into

        Two /28s or
        Four /29s or
        Eight /30s

        or a valid combination of fewer of each of the above, and put them on individual interfaces. These would become different networks so it would be legal and it would work. But that doesn't solve his problem.

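Added example, not part of any post in this thread: a Python check for the rule gderf states (two interfaces on one machine must not define the same network) together with the /28, /29 and /30 splits of a /27. The thread elides the leading octets, so the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are constructed stand-ins, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the ISP-routed /27 (the thread shows only the
# last two octets, e.g. ".32.226"); 203.0.113.0/24 is a documentation range.
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.224/27")


def overlapping_interfaces(ifaces):
    """Return sorted pairs of interface names whose networks overlap.

    ifaces maps an interface name to "address/prefix" as it would be
    entered in the interface configuration.
    """
    nets = {name: ipaddress.ip_interface(cidr).network
            for name, cidr in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def split_block(block, new_prefix):
    """Split the routed block into equal-sized subnets."""
    return list(block.subnets(new_prefix=new_prefix))


def plan_from_split(block, new_prefix, names):
    """Give each interface the first usable host of its own subnet."""
    subnets = split_block(block, new_prefix)
    if len(names) > len(subnets):
        raise ValueError("more interfaces than subnets")
    return {name: f"{next(iter(net.hosts()))}/{net.prefixlen}"
            for name, net in zip(names, subnets)}


# Constructed configurations mirroring the layouts discussed in the thread.
WAN = {"em0": "198.51.100.218/30"}
WORKS = {**WAN, "em1": "203.0.113.226/27"}
BREAKS = {**WORKS, "em2": "203.0.113.227/27"}

if __name__ == "__main__":
    print("works :", overlapping_interfaces(WORKS))
    print("breaks:", overlapping_interfaces(BREAKS))
    for prefix in (28, 29, 30):
        print(f"/{prefix}:", len(split_block(ROUTED_BLOCK, prefix)), "subnets")
    print(plan_from_split(ROUTED_BLOCK, 30, ["em1", "em2", "em3"]))
```

The split plan passes the overlap check because each interface then sits on a different network, which is the only sense in which the thread says the split "would work".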
          phorce1

          For his purposes breaking it into 8 /30 nets would probably work. He doesn't appear to have that many private networks he wants to NAT out. But he's already shopping for a router to make the /27 available to the pfSense box directly.

            gderf

            No, breaking his /27 into any set of smaller networks does not solve his problem because he cannot NAT to them out the WAN from private networks.

              sierradump

              @gderf:

              @phorce1:

              Not sure if this will work as intended and it might need extra work on your end as opposed to just putting a router in the middle.

              em0 – WAN -- .82.218
                         Gateway .82.217 (default)

              em1 -- .32.226
                        No gateway

              The above works.

              When you add this

              em2 – .32.227
                        No gateway

              it stops working.

              You can't have two interfaces in the same machine define the same network.

              The above doesn't work for me though, as I don't want public IPs on my LAN interfaces :) I want private IPs, 192.168.1.1/24 etc… I want them NAT'd to public IPs...

                gderf

                I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.

                  sierradump

                  Will be building a router later to try this out…

                    sierradump

                    @gderf:

                    I was only pointing out that it can't possibly work at all. The fact that it doesn't solve your problem doesn't matter much if it can't work at all.

                    Right, no, I absolutely appreciate your help! I liked how you know your networking. I know it wouldn't work but I didn't know the "reasoning". I knew it had to do with the /30 and /27 over the WAN link but didn't know why; now I do :)

                    Thanks!

                      dhatz

                      sierradump, you can always try pfSense commercial support.

                      Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP).

                      Try using ProxyARP VIPs and Manual Outbound NAT (AON).

                        sierradump

                        @dhatz:

                        sierradump, you can always try pfSense commercial support.

                        Anyway, if I understand your requirements correctly, I think pfSense can do what you want, i.e. NAT each internal network (LAN, WLAN etc.) to a different public IP from your /27 range (which are different from the /30 that is used for your point-to-point link with your ISP).

                        Try using ProxyARP VIPs and Manual Outbound NAT (AON).

                        Sad face.  Tried this early on, it sort of worked but had broken functionality.

                          dhatz

                          @sierradump:

                          Tried this early on, it sort of worked but had broken functionality.

                          Broken functionality how?

                          I've tried it in the past and it seemed to work, although I haven't tested it thoroughly or used it in production.

                            anagh

                            Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
                            Open Firewall > NAT, click Manual Outbound NAT rule generation and Save.
                            Delete all auto-generated NAT rules.

                              gderf

                              @anagh:

                              Use the ISP WAN series on the WAN side and the ISP LAN series, i.e. the first public IP, on the LAN side.
                              Open Firewall > NAT, click Manual Outbound NAT rule generation and Save.
                              Delete all auto-generated NAT rules.

                              This doesn't provide the private IP network interfaces he requires.
