Multiple WAN IP addr (Alias) in different subnets



  • I'm using pfsense 1.2 to separate two physical internal LANs. There is no Internet connection, but we need NAT. One LAN is connected to the LAN interface, the other LAN is connected to the WAN interface.
    I need to assign three different IP addresses to the WAN interface, one primary and two secondary (aliases). The three addresses belong to three different IP subnets.
    I tried with VLAN or virtual IPs, but they don't work.
    I have found a script to put in /usr/local/etc/rc.d in this post:
    http://forum.pfsense.org/index.php/topic,223.msg1228.html#msg1228
    The script works, but I don't like it, because these settings are not managed and saved with the normal configuration backup procedure (they are not in the XML backup file).

    How can I set up the IP aliases in a more convenient way?

    Thank you



  • http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

    But I think with these alias VIPs you cannot NAT.

    What didn't work with normal VIPs?
    Why are VLANs not an option?
    You do have a VLAN-capable switch, don't you?



  • @GruensFroeschli:

    http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

    But I think with these alias VIPs you cannot NAT.

    What didn't work with normal VIPs?
    Why are VLANs not an option?
    You do have a VLAN-capable switch, don't you?

    Thank you very much for the document. I really needed it :)
    The solution is not perfect because the IP is assigned to the fxp0 interface and not to the "WAN" interface, and in case of a hardware change the XML file has to be reconfigured by hand. But it works and it's enough for me.

    NAT has been a bit difficult: the resulting NAT address for translation is chosen randomly between the three IP addresses of the WAN interface. I'm trying now the following: I defined the main WAN IP address in the IP alias table, so I can use it as Translation Address in the NAT rule. After a firewall reboot, NAT now seems stable.

    What didn't work with normal VIPs?
    I really don't know. When a host in LAN pings a host in WAN/secondaryIP the host in LAN receives an ICMP host unreachable response.

    Why are VLANs not an option?
    You do have a VLAN-capable switch, don't you?

    I don't want to manage another configuration (the configuration of the switch), to back it up and to provide a written procedure for the recovery of the switch. I'm trying to simplify all management procedures with pfsense, and the use of a VLAN-configured switch is just another step to make recovery more complex.
    I also tested pfsense with VLAN without a VLAN-configured switch: when pinging from pfsense to the host attached to the VLAN, I can see ARP requests and ARP responses with tcpdump. But the ARP responses are not accepted by pfsense (I think it happens because the responses are not 802.1q tagged by the host itself).
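    The hardware-change caveat above (the aliases are bound to the fxp0 name rather than to "WAN") can be softened by reading the WAN interface name out of config.xml at boot instead of hard-coding it. The script below is an added example, not the thread's script or anything shipped by pfSense; it assumes the pfSense config.xml layout <interfaces><wan><if>fxp0</if></wan></interfaces>, the path /cf/conf/config.xml, and constructed sample alias addresses.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): derive the WAN
# interface name from config.xml so the alias list survives a NIC change.
# Assumed: pfSense config.xml with <interfaces><wan><if>NAME</if></wan>,
# and the /cf/conf/config.xml path. Override with CONFIG=... if needed.

CONFIG=${CONFIG:-/cf/conf/config.xml}

# Secondary addresses to add (constructed sample values, one "address mask"
# pair per line, each in its own subnet as in the original question).
ALIASES='192.0.2.1 255.255.255.0
198.51.100.1 255.255.255.0'

# wan_if FILE: print the physical interface assigned to WAN in config.xml.
# First sed narrows to the <wan>...</wan> block, second pulls out <if>.
wan_if() {
  sed -n '/<wan>/,/<\/wan>/p' "$1" \
    | sed -n 's/.*<if>\([^<]*\)<\/if>.*/\1/p' \
    | head -n 1
}

# alias_cmds IFNAME: print one "ifconfig IFNAME alias ADDR netmask MASK"
# line per entry in $ALIASES, so the commands can be reviewed before use.
alias_cmds() {
  printf '%s\n' "$ALIASES" | while read -r addr mask; do
    [ -n "$addr" ] || continue
    printf 'ifconfig %s alias %s netmask %s\n' "$1" "$addr" "$mask"
  done
}

# "show" prints the commands; "apply" executes them (e.g. from an rc.d
# script). Any other invocation does nothing, so sourcing is harmless.
case "$1" in
  show)
    alias_cmds "$(wan_if "$CONFIG")" ;;
  apply)
    ifname=$(wan_if "$CONFIG")
    [ -n "$ifname" ] || { echo "WAN interface not found in $CONFIG" >&2; exit 1; }
    alias_cmds "$ifname" | sh -e ;;
esac
```

    The alias list itself still lives outside the XML backup, so this only removes the interface-name edit; it does not make the addresses part of the normal configuration backup.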



  • I suppose you use Proxy ARP VIPs.
    These are not pingable, but they do work.
    Only CARP type VIPs are pingable, but the VIP has to be in the same subnet as the main IP of the interface.

    I understand that you don't want to manage multiple devices, but in this case I strongly recommend that you use the VLAN capabilities of your switch.
    As it is now you have to use an unsupported way of adding multiple IPs.
    If you ever have problems you WILL have to dig within pfSense to do troubleshooting instead of being able to work with only the GUI.

