    Use multiple WAN IP addresses on a single VLAN

    Category: NAT
    21 Posts 5 Posters 4.7k Views
      mbaughan:

      So if I went down the routed subnet route, how would the pfSense box be set up?

      I have only done NAT configurations before, never direct to the internet.

      Would the ISP give me a /30 for the WAN, then as many different routed subnets as I need, or a larger routed subnet that I then divide up?

      Thanks

        Derelict (LAYER 8 Netgate):

        Your ISP interface: 4.5.6.2/30
        pfSense default gateway: 4.5.6.1 (The ISP)

        Routed subnet: 5.6.7.128/25

        Reserved for pfSense VIPs 5.6.7.128/27 (5.6.7.128 - 5.6.7.159)

        OPT1 Interface: 5.6.7.161/27 (OPT1 Hosts 5.6.7.162 - 5.6.7.174)
        OPT2 Interface: 5.6.7.176/31 (OPT2 Host 5.6.7.177) (Not everything supports /31 yet.  pfSense does.)
        OPT3 Interface: 5.6.7.178/31 (OPT3 Host 5.6.7.179)
        OPT4 Interface: 5.6.7.181/30 (OPT4 Host 5.6.7.182)
        OPT5 Interface: 5.6.7.185/29 (OPT5 Hosts 5.6.7.186 - 5.6.7.190)
        OPT6 Interface: 5.6.7.193/26 (OPT6 hosts 5.6.7.194 - 5.6.7.254)

        From that I figure you get the idea. When it's routed you can break it up however you want.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

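The carving Derelict sketches above (one routed block, split into whatever prefix sizes each interface needs, first usable address on pfSense, network and broadcast unusable, /31 as the exception) as an added example in Python. This is not code from the thread or from pfSense; it uses the made-up addresses that appear later in the thread (61.179.144.128/25 routed to the pfSense box), and the OPT4 /31 and the interface labels are assumptions for illustration:

```python
"""Routed-subnet carving planner.

Added example; it is not code from the Netgate forum thread or from pfSense.
The routed block and the OPTn subnets are the made-up addresses used in the
thread (61.179.144.128/25 routed to the pfSense WAN address 61.179.145.42);
OPT4 and the interface labels are assumptions for illustration.
"""
import ipaddress

ROUTED_BLOCK = "61.179.144.128/25"

# Constructed plan: pfSense interface -> subnet carved out of the routed block.
PLAN = {
    "OPT1": "61.179.144.128/29",   # 5 customer hosts
    "OPT2": "61.179.144.136/29",
    "OPT3": "61.179.144.144/30",   # 1 customer host
    "OPT4": "61.179.144.148/31",   # point-to-point (RFC 3021), assumed
}


def parse_subnet(cidr):
    """Strict parse. Writing the interface address with the prefix
    (61.179.144.129/29) instead of the network (61.179.144.128/29) is the
    mistake corrected in the thread, so reject it with a pointer to the fix."""
    try:
        return ipaddress.ip_network(cidr)
    except ValueError:
        loose = ipaddress.ip_network(cidr, strict=False)
        raise ValueError(f"{cidr} has host bits set: the network is {loose}, "
                         f"so the interface address would be {loose[1]}/{loose.prefixlen}")


def carve(routed, plan):
    """Validate a carving plan and return the addressing for each interface.

    Checks: every subnet lies inside the routed block and no two overlap.
    Convention: the pfSense interface takes the first usable address; in a
    /30 or larger the first address is the network and the last the
    broadcast, neither usable by a host. A /31 has no network or broadcast
    address, so both of its addresses are usable.
    """
    routed = parse_subnet(routed)
    nets = {name: parse_subnet(cidr) for name, cidr in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(routed):
            raise ValueError(f"{a}: {nets[a]} is outside the routed block {routed}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    result = {}
    for name, net in nets.items():
        if net.prefixlen == 32:
            raise ValueError(f"{name}: a /32 has no room for a host behind the interface")
        if net.prefixlen == 31:
            iface, hosts, bcast = net[0], [net[1]], None
        else:
            usable = list(net.hosts())          # excludes network and broadcast
            iface, hosts, bcast = usable[0], usable[1:], net.broadcast_address
        result[name] = {
            "interface": f"{iface}/{net.prefixlen}",
            "first_host": str(hosts[0]),
            "last_host": str(hosts[-1]),
            "host_count": len(hosts),
            "broadcast": None if bcast is None else str(bcast),
        }
    return result


def free_space(routed, plan):
    """Return the still-unallocated parts of the routed block as CIDR strings,
    so the next customer can be given a block that actually fits."""
    def remaining(block, net):
        if net.subnet_of(block):
            return list(block.address_exclude(net))   # empty when net == block
        if block.subnet_of(net):
            return []                                # block entirely consumed
        return [block]

    free = [parse_subnet(routed)]
    for cidr in plan.values():
        net = parse_subnet(cidr)
        free = [piece for block in free for piece in remaining(block, net)]
    return [str(n) for n in sorted(free)]


if __name__ == "__main__":
    for name, info in carve(ROUTED_BLOCK, PLAN).items():
        print(f"{name}: interface {info['interface']}, hosts "
              f"{info['first_host']}-{info['last_host']} ({info['host_count']}), "
              f"broadcast {info['broadcast']}")
    print("free:", ", ".join(free_space(ROUTED_BLOCK, PLAN)))
    try:
        carve(ROUTED_BLOCK, {"OPT1": "61.179.144.129/29"})
    except ValueError as err:
        print("rejected:", err)
```

`parse_subnet` is deliberately strict: `ipaddress.ip_network` refuses a CIDR with host bits set, which is the same objection Derelict raises further down the thread, and the error message points at the network address and the interface address that go with it. `free_space` is the piece that stops the next customer being handed a /26 out of space that is already gone.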
          mbaughan:

          Ok, so I have now got a routed subnet (below is what the ISP has sent - real IPs abbreviated) -

          MYCISCO.CISCO#show ip route 71.189.145.50
          Routing entry for 71.189.145.50/29
            Known via "static", distance 1, metric 0
            Redistributing via bgp 63689
            Advertised by bgp 63689
            Routing Descriptor Blocks:
            * 71.189.144.140
                Route metric is 0, traffic share count is 1

          I still have the /29 subnet on my WAN as well, which is the 71.189.144.140 block.

          I have set OPT1 as static IP 71.189.145.51/29. When I connect a laptop up to the VLAN and give it IP 71.189.145.53, 255.255.255.248 and gateway 71.189.145.51 I get no internet connection.

          Any ideas?

            Derelict (LAYER 8 Netgate):

            Dude.  Do some basic troubleshooting.  Can you ping the next hop?  The hop after that? Can you resolve names?

            If you're going to run this network you're going to have to know more than "I get no internet."  You're certainly going to have to communicate more details than "I get no internet."

            That said, have you added firewall rules to your OPT1 and turned off NAT?


              Guest:

              Using the entire pfSense as a traffic shaper and then, behind the pfSense, routers doing NAT indicates
              to us that you are acting as an ISP yourself. Could this be?

              • You could, or should, really be using the pfSense as a so-called transparent firewall, without
                any problems, but then, instead of bridging ports, please use so-called LAN ports with a bypass
                function; it will then be done in hardware and not be so unstable, but with the same effect.

              • Setting up VLANs within only one company would work, but between many different
                companies please keep the inter-VLAN, or so-called VLAN hopping, problem in view!

              Perhaps a greater or bigger router with many, many ports would be a solution for you?
              Something at the level of a LANNER FW-889x device with many ports and/or the capability
              to also insert HDD/SSD drives inside, and setting up Windows Hyper-V and then a pfSense
              inside a VM, would be better and sufficient, like setting up VLANs to the customers'
              routers or firewalls.

                Derelict (LAYER 8 Netgate):

                And if this is just open, public "WAN" space that will never be firewalled from each other, there's always a layer 3 switch.

                But pfSense will work, too.


                  mbaughan:

                  Short story is we want to change our current WISP setup. We currently use Virtual IPs, but we want to be able to provide a subnet/range of WAN IP addresses to each VLAN. This means splitting down our routed /29 IP address allocation across our VLANs. We don't want to have any control over port forwarding, just simply limit each VLAN's bandwidth allocation.

                  E.g. (not accurate ranges I know…)

                  VLAN 1 - 52.232.45.8/26
                  VLAN 2 - 52.232.45.56/30

                  I am going to be doing some testing tomorrow evening. I will post an update then.

                    Derelict (LAYER 8 Netgate):

                    Well you're not going to be able to split a /29 into a /26 regardless.

                    Be specific.

                    What is your WAN subnet, your interface address, and your default gateway?

                    What exact routes are in your router?

                    What exact routes are being routed to you and what address(es) are they routed to?

                    What exact address and subnet did you put on OPT1?

                    If you don't want to post your exact addresses, make something else up but keep it consistent and don't change the last octet or the netmasks.  Posting things like "not accurate ranges, I know" doesn't help anyone help you and will just confuse matters.


                      mbaughan:

                      Ok here goes…

                      Our ISP has provided us with an interface address of 61.179.145.40/29

                      Our gateway address is 61.179.145.41

                      We have given our pfSense box an IP of 61.179.145.42

                      We have a routed subnet of 61.179.144.128/25. This has 128 addresses. They have routed this to our pfSense gateway address.

                      We require setting up the following -

                      OPT1 - Address of 61.179.144.129/29
                      OPT2 - Address of 61.179.144.137/29
                      OPT3 - Address of 61.179.144.145/30

                      This list will go on, with each interface having a different IP count.

                        Derelict (LAYER 8 Netgate):

                        @dynamicuser:

                        > Ok here goes…
                        >
                        > Our ISP has provided us with an interface address of 61.179.145.40/29
                        >
                        > Our gateway address is 61.179.145.41
                        >
                        > We have given our pfSense box an IP of 61.179.145.42
                        >
                        > We have a routed subnet of 61.179.144.128/25. This has 128 addresses. They have routed this to our pfSense gateway address.
                        >
                        > We require setting up the following -
                        >
                        > OPT1 - Address of 61.179.144.128/29
                        > OPT2 - Address of 61.179.144.136/29
                        > OPT3 - Address of 61.179.144.144/30
                        >
                        > This list will go on, with each interface having a different IP count.

                        OPT1 - Address of 61.179.144.129/29
                        OPT2 - Address of 61.179.144.137/29
                        OPT3 - Address of 61.179.144.145/30

                        Basic IP subnetting:
                        First address is the network address - unusable
                        Then a number of host addresses - usable
                        The last address is the broadcast address - unusable.


                          mbaughan:

                          Of course, edited to reflect this.

                          So if I create the interfaces with the IP's and subnets stated above, disable NAT and set up firewall rules it should work OK?

                          Thanks

                            Derelict (LAYER 8 Netgate):

                            Should be fine.


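The two settings the thread settles on (firewall rules on the OPT interface, NAT turned off for the routed block) written out in pf(4) syntax, as an added illustration that is not part of the thread and is not pfSense's generated ruleset verbatim. pfSense builds its rules from the GUI (Firewall > NAT > Outbound in Hybrid mode with a mapping marked "Do not NAT" for the routed block; Firewall > Rules > OPT1 for the pass rules), so this shows what those settings amount to. The addresses are the thread's; the physical interface names, the VLAN tag and the SSH host are assumptions:

```pf
# Added illustration in pf(4) syntax; not pfSense's generated ruleset.
# Addresses follow the thread; em0, em1.10 and the SSH host are assumed.
#   WAN  = em0, 61.179.145.42/29, default gateway 61.179.145.41
#   OPT1 = em1.10 (VLAN 10), 61.179.144.129/29
routed   = "61.179.144.128/25"
opt1_net = "61.179.144.128/29"
wan_if   = "em0"
opt1_if  = "em1.10"

# Weak setting: automatic outbound NAT rewrites everything leaving WAN to
# the WAN address, so hosts in the routed block never show their own
# public address.  Left commented out on purpose.
#nat on $wan_if inet from $routed to any -> ($wan_if)

# Corrected: exempt the routed block from translation.  pf evaluates
# translation rules first-match, so this must precede any nat rule.
no nat on $wan_if inet from $routed to any

# OPT1 is block-by-default until a pass rule exists.  Let OPT1 hosts out,
# but only from addresses that belong to that VLAN, so one customer cannot
# source traffic as another customer's subnet.  quick stops at the first
# match, so the pass rule must come before the catch-all block.
pass in quick on $opt1_if inet from $opt1_net to any keep state
block in quick on $opt1_if inet from ! $opt1_net to any

# Inbound from the Internet toward the routed block stays blocked unless a
# rule opens it; one example, SSH to a single customer host:
pass in quick on $wan_if inet proto tcp from any to 61.179.144.130 port 22 keep state
```

With automatic outbound NAT left on, traffic from OPT1 still leaves, but sourced from 61.179.145.42 rather than the customer's own public address, which is not what a routed allocation is for. With no pass rule on OPT1, pfSense's default deny drops the traffic at the interface before routing or NAT is ever consulted, so the next-hop ping Derelict asks for is the first thing to check.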
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.