Netgate Discussion Forum
    Peculiar routing: gateway outside the LAN segment

    Locutus

      Hellos!

      My hoster is using a somewhat peculiar setup concerning routing from one customer server to others within the same LAN segment.

      Apparently to prevent customers from "stealing" neighboring IP addresses, their routers/switches are configured to drop packets sent from one host in the LAN to another. All traffic needs to go through the router.

      Now I'm in a bit of a twist. How do I set that up in PFSense?

      Concrete example. My server has the address 2a01:4f8:101:11a4::/64, and the router has 2a01:4f8:101:11a0::1/59. Which means the gateway is not in my /64 subnet (understandably), but I also cannot extend my netmask to /59, since I need to route all traffic through the gateway, also that for other servers in the gateway's /59.

      In a Vyatta test installation, I configured the router to have a /128 IP address, set the default gateway to 2a01:4f8:101:11a0::1 and configured an interface-route to there via the proper eth.

      Unfortunately, PFSense does not allow me to set a gateway outside the host's network segment.

      Any idea what to do here?

      (I should add that I'm using PFSense 2.0 RC3 with the IPv6 support git-synced from github.com/smos.)

      Kind regards,
      Frank

        Locutus

        push

        No ideas about this? Come on… It must be possible to configure this in PFSense!

        The same issue by the way also applies to IPv4.

        Kind regards,
        Frank

          databeestje

          The same reason that we have not implemented this for ipv4. It breaks sound network design. It is a rather peculiar thing and very low on the wish list.

            GrandmasterB

            @Locutus:

            push

            No ideas about this? Come on… It must be possible to configure this in PFSense!

            The same issue by the way also applies to IPv4.

            I presume you also use hetzner for your hosting. My solution was to make a specific route for their gateway address. That should work.

              Locutus

              Yep, indeed Hetzner. :)

              I had tried that solution with a static route for the LAN segment via the Hetzner gateway before, but it failed because I added a route for the full LAN segment which was ignored / overridden by the LAN interface route. Stupid me. :)

              After getting a hint in the Hetzner forum, I now added TWO static routes, one for the first and one for the second half of my LAN segment, and that worked nicely. Those routes were added correctly to the routing table, and since they are more specific (longer network mask) than the actual LAN route, they take precedence.

              Kind regards,
              Frank

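As an added illustration (not code from the thread, from pfSense or from Hetzner), a small Python model of longest-prefix-match route selection using the thread's prefixes: it shows why one static /64 loses to the connected /64, and why two /65 halves via the gateway take precedence. The "distance" tie-break that lets a connected route beat a static route of equal length is a simplification assumed here, and the /128 host route to the gateway is the "specific route for their gateway address" from the thread.

```python
import ipaddress

# Constructed from the thread: the server's LAN is 2a01:4f8:101:11a4::/64 and
# the hoster's gateway 2a01:4f8:101:11a0::1 lies outside it (inside the /59).
# A route is (prefix, next_hop, distance); next_hop None means on-link delivery.
GATEWAY = "2a01:4f8:101:11a0::1"

def route(prefix, next_hop=None, distance=0):
    hop = ipaddress.ip_address(next_hop) if next_hop else None
    return (ipaddress.ip_network(prefix), hop, distance)

def lookup(table, destination):
    """Longest-prefix match; equal lengths are broken by the lower distance
    (assumed: connected 0 beats static 1), so a static /64 never wins over
    the connected /64 of the same prefix."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))

def next_hop(table, destination):
    """Return the gateway address the packet is forwarded to, or 'on-link'
    when it would be delivered directly on the LAN (what the hoster drops)."""
    r = lookup(table, destination)
    if r is None:
        raise LookupError(f"no route to {destination}")
    if r[1] is None:
        return "on-link"
    # The gateway itself must resolve to an on-link route; the /128 host route
    # provides that even though the gateway is outside the /64.
    gw = lookup(table, str(r[1]))
    if gw is None or gw[1] is not None:
        raise ValueError(f"gateway {r[1]} is not reachable on-link")
    return str(r[1])

BASE = [
    route("2a01:4f8:101:11a4::/64"),        # connected LAN route
    route(GATEWAY + "/128"),                # host route to the off-subnet gateway
    route("::/0", GATEWAY, distance=1),     # default route via the gateway
]
# First attempt from the thread: a static /64 that the connected /64 overrides.
FAILED = BASE + [route("2a01:4f8:101:11a4::/64", GATEWAY, distance=1)]
# Working fix: two /65 halves, each more specific than the connected /64.
WORKING = BASE + [route("2a01:4f8:101:11a4::/65", GATEWAY, distance=1),
                  route("2a01:4f8:101:11a4:8000::/65", GATEWAY, distance=1)]
```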
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.