Netgate Discussion Forum

    pfsense internal network on 'public' range

    Category: General pfSense Questions
    13 Posts 4 Posters 1.1k Views 5 Watching
    • w4436 @w4436

      @w4436 bump

      • mcury (Rebel Alliance) @w4436

        @w4436 Did you create a firewall rule allowing 172.99.0.0/24 to go out to the internet through OPT1 interface?
        Only NAT is not enough.

        dead on arrival, nowhere to be found.

        • stephenw10 (Netgate Administrator)

          I assume the gateway here is some other router in the OPT1 subnet and not the OPT1 interface IP?

          You shouldn't need any NAT in or out for a public subnet as long as the upstream provider is correctly routing it to you.

          Steve

          • w4436 @mcury

            @mcury OPT1 has the rule: PASS ANY * to *

              • w4436

                Facepalm. I forgot to set Outbound NAT mode to Hybrid to take advantage of the manual rule I created. It works, now. Thanks!

                • stephenw10 (Netgate Administrator)

                  Really shouldn't need outbound NAT there if the provider is routing it to you.

                  If you do need NAT, they are not routing it to your WAN IP; you should address that rather than NATing it to some other public IP.

                  Steve

                  • w4436 @stephenw10

                    @stephenw10 There is a misunderstanding here. I am trying to use the public range as a private range, not as an actual public range accessible from the internet.

                    • stephenw10 (Netgate Administrator)

                      Oh, OK. You shouldn't really do that since it will block access to real addresses inside that subnet if any hosts there ever need to access them.
                      Why not just use a private subnet there?

                      Steve

                      • w4436 @stephenw10

                        @stephenw10 I totally understand this is not best practice but we are testing a product configuration for a customer who has run out of RFC 1918 subnets to use for their network so they have started to use similar public ranges. In production this product will not be connected to the internet, but for us testing it in house having internet access helps. I know I could use NAT between this test network and our pf box but it is unlikely that anybody needs to access any websites on this range.

                        Thanks!

                        • stephenw10 (Netgate Administrator)

                          Ah OK. Gotta play the hand you're dealt. 😉

                          • johnpoz (LAYER 8 Global Moderator) @stephenw10

                            @w4436 said in pfsense internal network on 'public' range:

                            I forgot to set Outbound NAT mode to Hybrid to take advantage of the manual rule I created. It works, now. Thanks!

                            When you do this (route to a downstream network), pfSense would automatically add an outbound NAT for that network, be it RFC 1918.

                            Example: I duplicated your downstream network, and if I add a route for RFC 1918 space, it's auto-added to the automatic outbound NAT.

                            [screenshot: outbound.png]

                            But yeah, @stephenw10 is right: this is not a good idea, to just use public IP space internally that is not yours, or that is not actually routed to where you're using it.

                            Let's just hope that, whoever this is, you don't need to get to any of their stuff ;)

                            NetRange:       172.99.0.0 - 172.99.3.255
                            CIDR:           172.99.0.0/22
                            NetName:        SOUNDVIEW
                            Organization:   Soundview Broadcasting, LLC (SBL-72)
                            
                            ;; QUESTION SECTION:
                            ;www.soundviewbroadcasting.com. IN      A
                            
                            ;; ANSWER SECTION:
                            www.soundviewbroadcasting.com. 3573 IN  CNAME   soundviewbroadcasting.com.
                            soundviewbroadcasting.com. 3573 IN      A       172.99.1.34
                            

                            for a customer who has run out of RFC 1918 subnets

                            Really?? The 10 space alone is 16 million addresses. Now with 192.168 another 65,000, then another million with 172.16/12.

                            I find it very hard to believe they have used this up, unless horrible IP management like using a /16 for every site out of the 10 space.

                            There is also the whole 100.64/10 space they could use, which is CGNAT space, which is another 4 million. There is also the practice of using the documentation networks, like 192.0.2.0/24.

                            Or say 198.18.0.0/15, which is used for benchmarking; that again doesn't step on some other company's public space. That is another 130K addresses.

                            That someone could use all of this space up really just screams horrible IP planning and management. And instead of just fixing that, they start grabbing public space that is not theirs; normally it's the DoD space like 6.x, 7.x, 11.x, some of the common ones used...

                            If they're using like 20 million devices on their network, they really, really should be working on deployment of IPv6 vs just snagging public space.

                            I know this is not on you specifically, unless you planned out their misuse of RFC 1918. Yeah, just use the /16 for the finance department VLAN, with 3 people in it. We will never use up this space ;) hehehe

                            Horrible misuse of network size is one of those things that just bugs me, sorry ;) You do quite often have to work with what you're given.

                            You see it here all the time where users use 10/8 on their LAN or 192.168/16. You would think, ah, it's just their one home, who cares if they use up all of RFC 1918 with their 3 networks. But such practice leads to nonsense in the work networks as well. Just because space seems so large you will never use it up doesn't mean your network shouldn't be appropriately sized. Companies that do this shit rub me the wrong way is all ;)

                            Had a customer a few years back that used a /16 for their printer VLAN. Was like WTF??? You have 20 printers, tops!!

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

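As an added example (not code from the thread, from Netgate or from pfSense), here is the address-planning check that johnpoz's post implies, in Python: it classifies a candidate internal prefix against the non-routed blocks he lists (RFC 1918, 100.64/10, 192.0.2.0/24, 198.18/15), flags anything else as somebody's public allocation (the 172.99.0.0/22 situation above), and flags VLANs sized far beyond their host count. The sample plan and the 16x oversize threshold are constructed assumptions.

```python
import ipaddress

# Blocks that are safe to number internal networks from because they are never
# routed on the public internet; these are the ranges the thread lists.
SAFE_INTERNAL_BLOCKS = {
    "RFC 1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC 1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC 1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "CGNAT 100.64/10": ipaddress.ip_network("100.64.0.0/10"),
    "Documentation 192.0.2.0/24": ipaddress.ip_network("192.0.2.0/24"),
    "Benchmarking 198.18/15": ipaddress.ip_network("198.18.0.0/15"),
}

def classify_internal_prefix(prefix: str) -> dict:
    """Name the non-routed block a prefix falls in, or flag it as public space."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, block in SAFE_INTERNAL_BLOCKS.items():
        if net.subnet_of(block):
            return {"prefix": str(net), "safe": True, "block": name}
    # Anything else is somebody's public allocation: hosts on that VLAN lose
    # reachability to the real owner's servers (172.99.0.0/22 in the thread).
    return {"prefix": str(net), "safe": False, "block": None}

def recommended_prefix_length(expected_hosts: int) -> int:
    """Longest IPv4 prefix (smallest subnet) whose usable hosts cover expected_hosts."""
    for plen in range(30, 0, -1):  # /30 has 2 usable hosts, /29 has 6, ...
        if 2 ** (32 - plen) - 2 >= expected_hosts:
            return plen
    raise ValueError("host count does not fit in any IPv4 prefix")

def audit_plan(plan: list) -> list:
    """One finding per (prefix, host count) that uses public space or is oversized."""
    findings = []
    for prefix, hosts in plan:
        info = classify_internal_prefix(prefix)
        net = ipaddress.ip_network(prefix, strict=False)
        if not info["safe"]:
            findings.append(f"{net}: public space that is not yours; renumber into a private block")
        rec = recommended_prefix_length(hosts)
        if net.prefixlen <= rec - 4:  # assumed threshold: 16x larger than a right-sized subnet
            findings.append(f"{net}: {hosts} hosts fit in a /{rec}; /{net.prefixlen} wastes space")
    return findings

# Constructed sample plan (not from the thread): the /16 printer and finance
# VLANs johnpoz describes, the poster's 172.99.0.0/24 test net, and a sane /24.
SAMPLE_PLAN = [("10.50.0.0/16", 20), ("10.60.0.0/16", 3),
               ("172.99.0.0/24", 40), ("192.168.10.0/24", 40)]
```

Running `audit_plan(SAMPLE_PLAN)` yields three findings: the two oversized /16s and the public 172.99.0.0/24; the right-sized 192.168.10.0/24 is silent.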
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.