How to use Other VIPs with routed ISP network



  • I recently inherited a small office network and will soon be migrating from an Adtran Total Access router to a pfSense XG-2758. Our ISP provides both a /29 WAN block and a /28 public IP block (which they route to the /29).

    On the Adtran, the /29 is on the WAN interface, /28 on the LAN, and our internal RFC 1918 /24 subnet is a "secondary IP address" on the LAN interface. I'm trying to figure out how to replicate this setup with pfSense and it seems the 'Other' Virtual IP might be the answer ("This is useful when you have a public IP block routed to your WAN IP address" - pfSense book) but am having a bit of trouble putting this into practice.

    On the pfSense, I'm considering having the /24 on the LAN and creating the /28 public IPs as Other VIPs. I'm a little unclear as to how I'd create routing rules between the /24 and /28 and then out the /29. Currently, there are a few servers mapped 1:1 and everything else NAT'ed out one of the /28 addresses.

    Does anyone have examples of how I'd set this up or maybe just point me in the right direction? Thanks!



  • @ded_oa:

    Our ISP provides both a /29 WAN block and a /28 public IP block (which they route to the /29).

    On the Adtran, the /29 is on the WAN interface, /28 on the LAN, and our internal RFC 1918 /24 subnet is a "secondary IP address" on the LAN interface.

    :o
    You have the public /28 subnet together with your internal LAN on the same interface?
    Why?

    Best way will be to add all your public addresses as "IP Aliases" to the WAN interface. So you can do with it after whatever you want and public IPs are clearly separated from internal IPs and routing between public and private will be no issue.



  • Hah! It also seemed strange to me, but that's the way it fell into my lap. I'm trying to migrate to pfSense with a similar configuration, but if pfSense can do it better then I'm all ears.

    I guess I'm trying to figure out how I'd use 'Other' VIP since the book specifically points to this scenario as a prime candidate. Not sure how to set it up, though. I didn't consider IP Aliases since I was under the impression the netmasks had to match.



  • I don't know if the book is up to date in this section. IP Alias is the newest type.
    Here you can find an overview of the features of the different VIP types: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses



  • @viragomann:

    I don't know if the book is up to date in this section.

    It is.

    Where you're using it on an internal interface, you'll want to assign one IP out of the public block as an IP alias on LAN. The Other type VIPs are where using the routed subnet only with NAT.



  • @cmb:

    Where you're using it on an internal interface, you'll want to assign one IP out of the public block as an IP alias on LAN. The Other type VIPs are where using the routed subnet only with NAT.

    Why only one? Is having it on the LAN necessary or just good practice? That's how things are on the Adtran I inherited, but wanted to see if pfSense would handle things differently/better. I did come across this yesterday: http://serverfault.com/questions/709216/route-public-subnet-and-create-nat-internal-subnet

    IP Aliases are also recommended, but it wasn't clear if it was on WAN or LAN.



  • @ded_oa:

    Why only one?

    Because the others need to be assigned to the hosts that are using them. Only the gateway IP is assigned to the firewall.