Giving secondary gateway access

aciesler

version of pfsense: latest

WAN: 2 IPs from separate subnets. One is assigned to the WAN interface, the other is a VIP.
LAN 1: using vlan 1, using WAN interface for OUT
LAN 2: using vlan 50, using VIP for OUT
OUT NAT: Hybrid

I have a workstation connected through a switch to vlan 50 on LAN 2 and it's getting a .50.0 address plus the gateway and dns information. My trouble is that my gateway on vlan50 isn't getting internet access and I can't add a second gateway because the GWY for my VIP isn't part of the same subnet and pfsense is giving me an error if I try and add it. How do I complete this set up?

Derelict

Hybrid outbound NAT. Tell the system to use the desired VIP as the NAT address for the vlan50 source network.

Not possible to provide a more specific answer due to the lack of specifics in the question.

![Screen Shot 2018-01-09 at 10.07.44 PM.png](/public/imported_attachments/1/Screen Shot 2018-01-09 at 10.07.44 PM.png)
![Screen Shot 2018-01-09 at 10.07.44 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2018-01-09 at 10.07.44 PM.png_thumb)

aciesler

I have that. My DHCP leases on vlan50 get all the right information but under system > routing > gateways I can't add my VIP gtwy of 24.52.70.41. My WAN gtwy is 24.52.70.233.

If I try and add the other gtwy into the interface I get: The gateway address 24.52.70.41 does not lie within one of the chosen interface's subnets.

luke1018

Hi, I am trying to setup another VLAN to monitor traffic from another subnet, but unfortunately, I can only view the OUT portion only.

Have anyone faced this issue before?

![Suricata_Firewall 2.PNG](/public/imported_attachments/1/Suricata_Firewall 2.PNG)
![Suricata_Firewall 2.PNG_thumb](/public/imported_attachments/1/Suricata_Firewall 2.PNG_thumb)

Derelict

Oh so you have some convoluted ISP scheme with two layer 3 networks on the same interface?

What are both sets of IP addresses, netmasks, and gateways you were given?

aciesler

IP 1 24.52.70.234 /29 on WAN interface
GTWY 24.52.70.233

IP 2 24.52.70.42 /32 as an "other" VIP
GTWY 24.52.70.41

Derelict

As far as I know you cannot do that. There is no way to reach 24.52.70.41 from either 24.52.70.234/29 or 24.52.70.42/32.

Are you SURE that is what they gave you to use?

If you need more addresses they should just route them to 24.52.70.234.

aciesler

Can I use my 3rd NIC port as an additional WAN port? Or do all VIP gtwys need to be the same?

We needed another static but there wasn't enough in our range so they slapped this one onto our handoff

Derelict

That seems like a silly way to do it.

Yes you can use a separate interface but it won't do you any good with a /32. Did they really give you another /30?

If the latter you could do this:

WAN 24.52.70.234/29 <–-> 24.52.70.233 Gateway

WAN2 2 24.52.70.42/30 <---> 24.52.70.41 Gateway

You would set them up like any other multi-wan. You would need an outside switch.

Seems pretty stupid to do that since it only results in one additional address for you at the cost of four addresses plus a router interface on your side. If they just routed 24.52.70.40/30 to 24.52.70.234 you could use all four addresses as VIPs and not have to mess around with multi-wan.